Okta Security recently discovered a security breach that allowed unauthorized access to its support case management system. The breach, which involved the use of stolen credentials, enabled a threat actor to view files uploaded by specific Okta customers as part of recent support cases. The company clarified that this incident did not impact the production Okta service, which remains fully operational and secure. It was also emphasized that the Auth0/CIC case management system remained unaffected.
The breach, reported by BeyondTrust on October 2, 2023, persisted until at least October 18, 2023, despite initial detection. In response, experts have urged Okta to prioritize stringent security measures to prevent future incidents. These measures include prompt action in the wake of any reported compromise, responsible and timely disclosures to affected customers, and the implementation of hardware keys across all systems, including those managed by third-party support providers.
The affected customers have already been notified, and Okta assured its users that if they haven’t received any additional messages or alerts, their Okta environment and support tickets are secure and unaffected.
In the course of regular business operations, Okta support often requests customers to upload HTTP Archive (HAR) files for troubleshooting purposes. However, these files can contain sensitive information, including cookies and session tokens, which could be exploited by malicious actors for impersonation. Okta has worked closely with the impacted customers to investigate the matter and has taken necessary measures to safeguard their interests, including the revocation of embedded session tokens. Furthermore, Okta has advised all users to sanitize credentials and cookies/session tokens within HAR files before sharing them.
The recent breach has raised concerns about the importance of maintaining vigilance and staying alert to any suspicious activities. In an effort to assist customers who wish to conduct their own threat hunting activities, Okta has shared a list of Indicators of Compromise, which include several IP addresses and user-agents related to the incident. Notably, the majority of the indicators are commercial VPN nodes, according to the company’s enrichment information.
Indicators of Compromise:
IP Addresses:
23.105.182.19
104.251.211.122
202.59.10.100
162.210.194.35 (BROWSEC VPN)
198.16.66.124 (BROWSEC VPN)
198.16.66.156 (BROWSEC VPN)
198.16.70.28 (BROWSEC VPN)
198.16.74.203 (BROWSEC VPN)
198.16.74.204 (BROWSEC VPN)
198.16.74.205 (BROWSEC VPN)
198.98.49.203 (BROWSEC VPN)
2.56.164.52 (NEXUS PROXY)
207.244.71.82 (BROWSEC VPN)
207.244.71.84 (BROWSEC VPN)
207.244.89.161 (BROWSEC VPN)
207.244.89.162 (BROWSEC VPN)
23.106.249.52 (BROWSEC VPN)
23.106.56.11 (BROWSEC VPN)
23.106.56.21 (BROWSEC VPN)
23.106.56.36 (BROWSEC VPN)
23.106.56.37 (BROWSEC VPN)
23.106.56.38 (BROWSEC VPN)
23.106.56.54 (BROWSEC VPN)
User-Agents:
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)
While these user-agents are legitimate, Okta advises users to be cautious of their occurrence, particularly considering the release of Chrome 99 in March 2022.
To minimize the risk window associated with stolen cookies, it is advised to impose shorter Okta session lengths. This measure can significantly reduce the opportunity for malicious actors to exploit compromised cookies.
Users and administrators are also urged to remain cognizant of the fact that admin API actions authenticated through session cookies may fall under the Global Session Policy, which might not be as restrictive as other policies. Consequently, a comprehensive reassessment of existing policies is recommended to ensure comprehensive security coverage.
Securinc is a leading cybersecurity consulting firm dedicated to helping businesses navigate the complex world of information security. Since our inception, we have been at the forefront of the cybersecurity industry, offering tailored solutions to organizations of all sizes.