Hackers Stole Access Tokens from Okta's Support Unit - Krebs on Security
Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. Okta says the incident affected a "very small number" of customers; however, it appears the hackers responsible had access to Okta's support platform for at least two weeks before the company fully contained the intrusion.

In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it "has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases."

Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an HTTP Archive or HAR file). These are sensitive files because they can include the customer's cookies and session tokens, which intruders can then use to impersonate valid users.

"Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens," their notice continued. "In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it."

The security firm BeyondTrust is among the Okta customers who received Thursday's alert from Okta. BeyondTrust Chief Technology Officer Marc Maiffret said that alert came more than two weeks after his company alerted Okta to a potential problem.

Maiffret emphasized that BeyondTrust caught the attack earlier this month as it was happening, and that none of its own customers were affected. He said that on Oct. 2, BeyondTrust's security team detected that someone was trying to use an Okta account assigned to one of their engineers to create an all-powerful administrator account within their Okta environment.

When BeyondTrust reviewed the activity of the employee account that tried to create the new administrative profile, they found that just 30 minutes prior to the unauthorized activity, one of their support engineers had shared with Okta one of these HAR files that contained a valid Okta session token, Maiffret said.

"Our admin sent that HAR file over at Okta's request, and 30 minutes after that the attacker started doing session hijacking, tried to replay the browser session and leverage the cookie in that browser recording to act on behalf of that user," he said.

Maiffret said BeyondTrust followed up with Okta on Oct. 3 and said they were "fairly confident" Okta had suffered an intrusion, and that he reiterated that conclusion in a phone call with Okta on October 11 and again on Oct. 13.

In an interview with KrebsOnSecurity, Okta's Deputy Chief Information Security Officer Charlotte Wylie said Okta initially believed that BeyondTrust's alert on Oct. 2 was not a result of a breach in its systems. But she said that by Oct. 17, the company had identified and contained the incident, disabling the compromised customer case management account and invalidating Okta access tokens associated with that account.

Wylie declined to say exactly how many customers received alerts of a potential security issue, but characterized it as a "very, very small subset" of its more than 18,000 customers.

The disclosure from Okta comes just weeks after casino giants Caesars Entertainment and MGM Resorts were hacked. In both cases, the attackers managed to social engineer employees into resetting the multi-factor login requirements for Okta administrator accounts.

In March 2022, Okta disclosed a breach from the hacking group LAPSUS$, which specialized in social-engineering employees at targeted companies. An after-action report from Okta on that incident found that LAPSUS$ had social engineered its way onto the workstation of a support engineer at Sitel, a third-party outsourcing company that had access to Okta resources.

Okta's Wylie declined to answer questions about how long the intruder may have had access to the company's case management account, or who might have been responsible for the attack. However, she did say the company believes this is an adversary they have seen before.

"This is a known threat actor that we believe has targeted us and Okta-specific customers," Wylie said.

Update, 2:57 p.m. ET: Okta has published a blog post about this incident that includes some indicators of compromise that customers can use to see if they were affected. But the company stressed that "all customers who were impacted by this have been notified. If you're an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets."

Update, 3:36 p.m. ET: BeyondTrust has published a blog post about their findings.

Update, Oct. 24, 10:20 a.m. ET: 1Password and Cloudflare have disclosed compromises of their Okta authentication platforms as a result of the Okta breach. Both companies say an investigation has determined no customer information or systems were affected. Meanwhile, an Okta spokesperson told TechCrunch that the company notified about 1 percent of its customer base (170 customers), so we are likely to see more such disclosures in the days and weeks ahead.
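The article's one concrete recommendation is Okta's: strip credentials and cookies/session tokens out of a HAR file before attaching it to a support case. The script below is an added example of that sanitization step; it is not Okta's, BeyondTrust's or any vendor's tool. It walks the standard HAR 1.2 structure (request/response headers, cookie arrays, query string, post data and body text), blanks the fields that carry session material, rewrites secret-looking query parameters in the request URL, and reports everything it touched so the person sharing the file can see what was removed. The hostname, cookie names, token values and the JWT in `SAMPLE_HAR` are constructed for the demonstration; the header and parameter lists are a heuristic starting point, so the reported notes are meant to be read, not trusted blindly.

```python
"""Redact session material from a HAR (HTTP Archive) before it is shared.

Added example for this article, not Okta's or BeyondTrust's code. A HAR records
every request and response the browser made, including Cookie / Set-Cookie /
Authorization headers and tokens in URLs and bodies, so an unsanitized HAR in a
support case is a replayable session.  Usage: python har_sanitize.py capture.har
"""
import copy
import json
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Header names whose values are credentials or session identifiers.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key"}
# Parameter names (query string or form body) that commonly carry secrets.
SENSITIVE_PARAMS = re.compile(r"token|session|sid|passw|secret|api[-_]?key|code|state", re.I)
# JWT-shaped values: three base64url segments, the first being a JSON header.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _live(value):
    """True if a value still holds something worth redacting."""
    return bool(value) and value != REDACTED


def _redact_headers(headers, notes, where):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS and _live(h.get("value")):
            notes.append(f"{where} header {h['name']}")
            h["value"] = REDACTED


def _redact_cookies(cookies, notes, where):
    # Every cookie value is treated as secret; the names alone suffice for debugging.
    for c in cookies:
        if _live(c.get("value")):
            notes.append(f"{where} cookie {c.get('name')}")
            c["value"] = REDACTED


def _redact_params(params, notes, where):
    for p in params:
        if SENSITIVE_PARAMS.search(p.get("name", "")) and _live(p.get("value")):
            notes.append(f"{where} param {p['name']}")
            p["value"] = REDACTED


def _redact_url(url, notes, where):
    """Blank secret-looking query parameters inside the request URL itself."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if SENSITIVE_PARAMS.search(k) and _live(v) else v)
               for k, v in query]
    if cleaned == query:
        return url  # nothing to change; keep the original encoding untouched
    notes.append(f"{where} url query")
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def _redact_text(text, notes, where):
    new, n = JWT_RE.subn(REDACTED, text)
    if n:
        notes.append(f"{where} body: {n} JWT-like token(s)")
    return new


def sanitize_har(har):
    """Return (sanitized deep copy, list of what was redacted). Input is untouched."""
    har = copy.deepcopy(har)
    notes = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        req, resp = entry.get("request", {}), entry.get("response", {})
        tag = f"entry {i} {req.get('method', '?')}"
        if "url" in req:
            req["url"] = _redact_url(req["url"], notes, tag)
        _redact_headers(req.get("headers", []), notes, tag + " request")
        _redact_cookies(req.get("cookies", []), notes, tag + " request")
        _redact_params(req.get("queryString", []), notes, tag + " query")
        post = req.get("postData", {})
        _redact_params(post.get("params", []), notes, tag + " post")
        if "text" in post:
            post["text"] = _redact_text(post["text"], notes, tag + " post")
        _redact_headers(resp.get("headers", []), notes, tag + " response")
        _redact_cookies(resp.get("cookies", []), notes, tag + " response")
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = _redact_text(content["text"], notes, tag + " response")
    return har, notes


# Constructed sample: one Okta-style API call with a session cookie, a token in
# the query string, a Set-Cookie in the reply and a JWT in the response body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.test/api/v1/users/me?sessionToken=abc123&page=1",
        "headers": [{"name": "Cookie", "value": "sid=102deadbeef; DT=xyz"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102deadbeef"}, {"name": "DT", "value": "xyz"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"}, {"name": "page", "value": "1"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=renewed; Secure; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "renewed"}],
        "content": {"mimeType": "application/json",
                    "text": '{"id_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwMHUxMjMifQ.c2lnbmF0dXJlX2J5dGVz"}'}}}]}}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path) as f:
            original = json.load(f)
    else:
        original = SAMPLE_HAR
    clean, notes = sanitize_har(original)
    for n in notes:
        print("redacted:", n)
    out = (path or "sample") + ".sanitized.har"
    with open(out, "w") as f:
        json.dump(clean, f, indent=1)
    print("wrote", out)
```

Run it a second time over its own output and it reports nothing, which is a cheap way to confirm the file is clean before it leaves your hands. Request and response bodies are only scanned for JWT-shaped strings; if the application you are debugging puts opaque tokens in JSON bodies, extend `_redact_text` for that application's field names.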
This entry was posted on Friday, 20th of October 2023, 02:39 PM
Wonder if Okta filed with the SEC?

Not sure, but their URL is interesting: sec.okta.com

Thinking about all these data breaches that are basically called insubstantial by the compromised entity, there needs to be a cash bond put up for two years with a third party for the total number of accounts which might have been compromised. If there is indeed no exploitation or damage in that time, the compromised entity gets the money back. But if the hackers do get customer data, then the customer is entitled to a payment from escrow. Rate should be meaningful but not excessive, say $5 per UTF character of customer data. That metered approach also encourages the entities to guard/partition data at rest better.

How were Okta's credentials stolen this time? What was the entry point for this particular attack? I don't see it covered anywhere. I'm confident we can assume an employee or two was compromised due to poor security controls, but we need to have it confirmed if people are to know what they need to protect.

Perhaps it's similar to the March 2022 incident, where access was gained by social engineering into a third-party workstation that had full access into Okta's systems.

Yet another pitfall of outsourcing: they save a little money but lose control over the 3rd party's training and controls. And the losses, financial and image, are far greater than the few dollars they thought they were saving.

The weakest link in the chain is often that third party.

It is interesting where they say that the Okta support system was compromised. However, I could not see any mention of how it was compromised, what was the attack vector, etc. What is said in all the blog posts and write-ups and disclosures is the HAR file that is sent by their customers to the support system, which gives the attacker all the confidential information of the Okta customer contained in the HAR file.

In other words, if the attacker had seamless access to the support system, I think we should go with the assumption that information in the support tickets for all Okta clients would have been touched and exfiltrated by the attacker, given that they had access to it for 2 weeks.

securityweek.com/okta-hack-blamed-on-employee-using-personal-google-account-on-company-laptop

"... compromise of the employee's personal Google account or personal device."

Bradbury fessed up to a failure of internal controls to spot the breach: "For a period of 14 days, while actively investigating, Okta did not identify suspicious downloads in our logs. When a user opens and views files attached to a support case, a specific log event type and ID is generated tied to that file. If a user instead navigates directly to the Files tab in the customer support system, as the threat actor did in this attack, they will instead generate an entirely different log event with a different record ID."

Doh! Librarians fighting crime.

Isn't Okta the authentication scheme for ISC2 now? Hilarious.

Until March 2022 Todd, Okta's CEO, was accessing Okta systems with his personal non-corp laptop. He thought this was hilarious and made jokes about it at our company all-hands.

I had never worked at a company where security was taken so casually. Yubikey for employees? Nope. It wasn't until mid-2023 that employees were no longer allowed to add external accounts to internal documents managed by Google Workspace. Our migration to GitHub Enterprise didn't happen until July/August 2023.

The organization has so many problems and this latest customer-facing escapade is no surprise.

"very, very small subset" of its 18,000 customers. Why reveal one number and not the other? Typical damage control-turned-marketing tactic.

The experience BeyondTrust had is also typical of situations where I've tried to report possible breaches. Everyone has so many layers of insulation between the rare person you can reach and someone that can actually understand what you're telling them, or beyond that, care. It's no wonder threat actors have so much time to explore and exploit breached systems. Security is everyone's job and everyone needs to be aware that any incident could just be the tip of an iceberg. There's especially no excuse for it in the case of a company that's in the security industry.

Wow, CloudFlare's blog is great. Talk about throwing well-deserved shade at Okta. I'm guessing they've decided it may be time to dump Okta.

We have seen a number of intrusions in which the intruders got in through trusted contractors. For example, there were 22 municipalities in Texas hit by ransomware a few years ago. It seems more likely than not that the attackers got in through a trusted third party.

My small company has been approached by vendors trying to sell their security services. Being as we are small and have no need for employees to connect via a VPN, it is generally much simpler to block all external attempts to connect to our firewall. That still leaves things like phishing attacks, but we hammer in regularly not to click on links in email.

Our last issue in our office network was through an outside vendor who told everyone that he was a security guru but was completely clueless about security. The most clueless thing he ever did was bring in a firewall for our network and then connect it backwards (WAN to LAN, LAN to WAN), and so nothing could get through in either direction. He refused to test it before leaving, but I insisted on testing it first, so it only stayed connected about 15 minutes and he never tried to reconnect it.

When I took the firewall to my office and checked it out, it quickly became clear that it had the default password and rules. The only thing the rules did was to block someone from spoofing our network. Naturally, plugged in backwards, it saw any traffic from our network as being spoofed and dropped it.

1Password mentions a suspicious IP, but neither 1Password nor Cloudflare identifies IPs involved in the incident. Okta does list IPs in their posting, which includes the IPs mentioned by BeyondTrust. I hope that Okta collected the IPs used to attack their customers and continues publishing them. I wish the sites attacked published the sources of the attacks.

VPNs are used for three distinct purposes: 1) Encrypt your traffic from/to your device to/from a trusted VPN server to avoid interception. 2) Hide your source IP from your destination. 3) Access sites from a trusted address, for instance a corporate VPN that subscribes to services or gives access to inside a firewall. For those VPN users for which purpose 2 is unnecessary, I wish there were a protocol so that the VPN server could provide an identification service to identify the original source IP to the destination host, chaining through VPNs as needed. Then a site could choose to permit or block a connection from a VPN server as to whether the source IP was available and trusted.
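The BeyondTrust part of the story, and the commenter's point above that Okta's own logs recorded the attacker's downloads under an unexpected event type, both come down to the same detection question: was a session token used by someone other than the client it was issued to? The script below is an added example of that check run over sample log lines; it is not BeyondTrust's or Okta's detection logic, and the log format, session ids, addresses, user agents and action names are constructed. It records the client fingerprint (source IP plus user agent) that first used each session and raises an alert whenever the same session reappears from a different fingerprint, escalating to critical when the replayed session performs a privileged action such as creating an administrator, which is the pattern BeyondTrust describes catching 30 minutes after the HAR was shared.

```python
"""Flag a browser session replayed from a client other than the one it was issued to.

Added example for this article; it is not BeyondTrust's or Okta's detection
logic. Log format, session ids, addresses and user agents are constructed. The
rule follows the BeyondTrust account: a session token first seen from one
IP/user-agent pair and then used from another, especially for a privileged
action such as creating an administrator, is treated as a hijacked session.
"""
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts session user ip ua action")

# Actions whose appearance on a replayed session escalate the alert (constructed names).
PRIVILEGED = {"user.create_admin", "policy.update", "app.oauth2.client.create"}

# Constructed log lines: timestamp|session id|user|source ip|user agent|action
# sess-A1 is the engineer's real session; it is replayed 35 minutes later from
# a different address and client and used to create an administrator.
SAMPLE_LOG = """\
2023-10-02T14:00:00|sess-A1|eng.alice|10.0.0.5|Chrome/117|session.start
2023-10-02T14:05:00|sess-A1|eng.alice|10.0.0.5|Chrome/117|dashboard.view
2023-10-02T14:10:00|sess-B2|eng.bob|10.0.0.9|Firefox/118|session.start
2023-10-02T14:20:00|sess-B2|eng.bob|10.0.0.9|Firefox/118|dashboard.view
2023-10-02T14:35:00|sess-A1|eng.alice|203.0.113.77|Python-requests/2.31|dashboard.view
2023-10-02T14:36:00|sess-A1|eng.alice|203.0.113.77|Python-requests/2.31|user.create_admin
"""


def parse_line(line):
    ts, session, user, ip, ua, action = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), session, user, ip, ua, action)


def detect_replay(events):
    """Return one alert per event whose session is used from a client fingerprint
    (ip, user agent) other than the one that first used that session."""
    origin = {}  # session id -> (ip, ua, first-seen timestamp)
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.session not in origin:
            origin[e.session] = (e.ip, e.ua, e.ts)
            continue
        ip, ua, first = origin[e.session]
        if (e.ip, e.ua) != (ip, ua):
            alerts.append({
                "session": e.session,
                "user": e.user,
                "issued_to": f"{ip} {ua}",
                "replayed_from": f"{e.ip} {e.ua}",
                "minutes_after_start": int((e.ts - first).total_seconds() // 60),
                "action": e.action,
                "severity": "critical" if e.action in PRIVILEGED else "high",
            })
    return alerts


def scan(log_text):
    """Parse a block of log lines and run the replay check over them."""
    return detect_replay(parse_line(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["severity"].upper(), a)
```

The fingerprint is deliberately coarse (IP and user agent only), so a legitimate user roaming between networks will trip the "high" alert; the value of the rule is in the combination of a changed fingerprint with a privileged action shortly after the session began, which is what the critical severity captures. Binding sessions to the client at issuance time, so that a replayed cookie is rejected rather than merely logged, is the corresponding preventive control.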