The customer support department of Okta, a company that offers identity products such as single sign-on and multi-factor authentication to thousands of enterprises, was compromised in a cyber incident. Although Okta claims that only a “very small number” of customers were impacted, it appears that the attackers had access to Okta’s support platform for at least two weeks before the firm was able to fully contain the intrusion.
Okta stated that it “has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system” in an alert emailed to an unspecified number of customers on October 19. Certain Okta customers’ submitted files for recent support cases were accessible to the threat actor.
According to Okta, when assisting clients with problems, it frequently requests a recording of a Web browser session (also known as an HTTP Archive or HAR file). These files are sensitive because they include the client’s cookies and session tokens, which hackers can use to pretend to be authorized users.
“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” their notice stated. In general, Okta advises sanitizing all login information, cookies, and session tokens before distributing a HAR file.
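The sanitization step Okta recommends can be automated. The following is an added example, not Okta’s or BeyondTrust’s code; it assumes the standard HAR 1.2 JSON layout (log.entries[] with request/response objects holding headers[], cookies[], queryString[] and postData.params[]) and uses assumed lists of sensitive header and parameter names. `find_leaks` reports which fields still carry credentials, and `sanitize_har` redacts them before the file leaves the organisation.

```python
# Added example (not Okta's or BeyondTrust's code): redact session material from a HAR
# capture before sharing it. Assumes the standard HAR 1.2 layout of
# log.entries[].request/response with headers[], cookies[], queryString[], postData.params[].
import json

REDACTED = "[REDACTED]"
# Headers whose values can be replayed to act as the user, and parameter names that
# commonly carry credentials or tokens (both lists are assumptions; extend as needed).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_PARAMS = {"password", "access_token", "id_token", "refresh_token", "sessiontoken"}

def _sensitive_fields(entry):
    """Yield (location, name, field) for every credential-bearing field in one entry."""
    for side in ("request", "response"):
        msg = entry.get(side, {})
        for h in msg.get("headers", []):
            if h.get("name", "").lower() in SENSITIVE_HEADERS:
                yield side + ".headers", h["name"], h
        for c in msg.get("cookies", []):  # any cookie may be the session cookie: redact all
            yield side + ".cookies", c.get("name", ""), c
    req = entry.get("request", {})
    for p in req.get("queryString", []) + req.get("postData", {}).get("params", []):
        if p.get("name", "").lower() in SENSITIVE_PARAMS:
            yield "request.params", p["name"], p

def find_leaks(har):
    """Return unredacted sensitive fields as (entry index, location, name); [] means safe to share."""
    return [(i, loc, name)
            for i, entry in enumerate(har.get("log", {}).get("entries", []))
            for loc, name, field in _sensitive_fields(entry)
            if field.get("value") != REDACTED]

def sanitize_har(har):
    """Return a deep copy of the HAR with every sensitive value replaced by REDACTED."""
    clean = json.loads(json.dumps(har))  # deep copy so the caller's object is untouched
    for entry in clean.get("log", {}).get("entries", []):
        for _loc, _name, field in _sensitive_fields(entry):
            field["value"] = REDACTED
    return clean

# Constructed sample capture: one login POST and its response.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "POST", "url": "https://example.invalid/login",
                "headers": [{"name": "Cookie", "value": "sid=abc123"}, {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "abc123"}], "queryString": [],
                "postData": {"params": [{"name": "password", "value": "hunter2"}]}},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "def456"}]}}]}}

if __name__ == "__main__":
    print("before:", find_leaks(SAMPLE_HAR))              # 5 leaked fields
    print("after: ", find_leaks(sanitize_har(SAMPLE_HAR)))  # []
```

Redaction is deliberately coarse: any cookie, not just the one known to be the session cookie, is wiped, because a support engineer cannot reliably tell which one an attacker could replay.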
One of the Okta customers who received the notice on Thursday is the security company BeyondTrust. That alert came more than two weeks after BeyondTrust, whose Chief Technology Officer is Marc Maiffret, had informed Okta of a potential issue.
Maiffret emphasized that none of BeyondTrust’s own clients were impacted because the company discovered the attack earlier this month as it was taking place. He said that on October 2, BeyondTrust’s security team discovered an attempt to create an all-powerful administrator account using an Okta account belonging to one of their engineers.
BeyondTrust examined the activity of the employee account that had attempted to create the new administrative profile and found that one of its support engineers had shared a HAR file with Okta just 30 minutes before the unauthorized activity began.
“Our admin sent that [HAR file] over at Okta’s request, and 30 minutes after that the attacker started doing session hijacking, tried to replay the browser session, and leveraged the cookie in that browser recording to act on behalf of that user,” he claimed.
Maiffret reported that BeyondTrust contacted Okta again on October 3, by which point BeyondTrust was quite certain that Okta itself had been the victim of an intrusion. He repeated this conclusion to Okta over the phone on October 11 and again on October 13.
In an interview with KrebsOnSecurity, Charlotte Wylie, Deputy Chief Information Security Officer at Okta, stated that the company initially did not consider BeyondTrust’s October 2 notice to be the result of a breach of Okta’s own systems. She said, however, that by October 17 the intrusion had been identified and addressed, with the compromised customer case management account disabled and the Okta access tokens connected to it invalidated.
Wylie declined to provide the precise number of clients who received warnings about potential security problems, but said that it was a “very, very small subset” of its more than 18,000 clients.
Only a few weeks have passed since the intrusions at Caesars Entertainment and MGM Resorts, two of the biggest names in the gambling industry. In both cases, attackers succeeded in convincing staff members to reset the multi-factor authentication requirements for Okta administrator accounts.
A breach from the criminal hacking gang LAPSUS$, which specialized in social engineering personnel at target companies, was revealed by Okta in March 2022. LAPSUS$ had socially engineered its way onto the workstation of a support engineer at Sitel, a third-party outsourcing firm with access to Okta resources, according to an after-action report from Okta on that incident.
Okta’s Wylie declined to comment on how long the attacker might have had access to the company’s case management account or on who might be responsible. She did, however, add that the company believes it had encountered this adversary before.
“We believe that this is a known threat actor who has targeted us and some Okta clients,” Wylie stated.
Source: fifty7tech.com