Okta breach post mortem reveals weaknesses exploited by attackers

2023-11-06 14:11

The recent breach of the Okta Support system was carried out via a compromised service account with permissions to view and update customer support cases.

The threat actor took advantage of the access they had gained to the Okta Support system and to unsanitized HAR files provided by the customers to Okta Support.

From those files, they were able to extract session tokens, which allowed them to hijack the legitimate Okta sessions of 1Password, BeyondTrust, Cloudflare, and two other unnamed companies.

The investigation timeline shared by Bradbury confirmed that 1Password first notified Okta Support of suspicious activity on September 29, 2023, but it took 14 more days and an indicator of compromise provided by BeyondTrust for them to discover the misuse of the service account.

"Okta's initial investigations focused on access to support cases, and subsequently we assessed the logs linked to those cases. On October 13, 2023, BeyondTrust provided Okta Security a suspicious IP address attributed to the threat actor. With this indicator, we identified the additional file access events associated with the compromised account."

"Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal," he concluded.

News URL

https://www.helpnetsecurity.com/2023/11/06/okta-support-compromised-service-account/

#breach #okta