Context over chaos. Disconnected technologies, siloed data, and reactive processes can only get you so far. Protecting businesses in today’s threat landscape demands more than a set of security tools – it requires context.
That's where Avertium comes in
Security. It’s in our DNA. It’s elemental, foundational. Something that an always-on, everything’s-IoT-connected world depends on.
Helping mid-to-enterprise organizations protect assets and manage risk is our only business. Our mission is to make our customers’ world a safer place so that they may thrive in an always-on, connected world.
Best-in-class technology from our partners... backed by service excellence from Avertium.
Interested in becoming a partner?
With Avertium's deal registration, partners can efficiently and confidently connect with Avertium on opportunities to protect your deals.
Microsoft Copilot for Security analyzes and synthesizes high volumes of security data which can help healthcare cybersecurity teams do more with less.
Dive into our resource hub and explore top
cybersecurity topics along with what we do
and what we can do for you.
Last month, Avertium published a flash notice warning users of a critical breach impacting Okta Inc. This week, the company has a stated that the threat actors behind the breach stole a file containing information on all users of its customer support system.
Okta informed its customers that threat actors obtained a report containing data, such as names and email addresses, of all clients utilizing its customer support system. Additionally, a notable portion of the affected users are administrators, with 6% of them not having activated multi-factor authentication to guard against unauthorized login attempts.
While Okta stated that there is no known evidence that the stolen data was exploited, they have notified all of their customers that the report is a security risk for phishing and social engineering. Okta further stated that user credentials have not been exposed. Avertium’s recommendations from October still apply.
overview
Okta Inc., an identity and access management company, disclosed its most recent security breach this week. According to the official statement released by Okta, the breach involved "adversarial activity leveraging access to a stolen credential to infiltrate Okta's support case management system." The threat actor, using the stolen credentials, managed to access files uploaded by specific Okta customers as part of recent support cases.
It's important to note that the compromised support case system is different from the main Okta production service, which remains unaffected by this breach. Additionally, Okta's Auth0/CIC case management system was not impacted by the security breach.
Okta has already notified and is cooperating with customers that were impacted. In this breach, attackers gained access to files containing cookies and session tokens uploaded by customers to Okta's support management system. Therefore, Okta advises all customers to sanitize their credentials and cookies/session tokens within an HAR file before sharing it. Okta did not disclose the number of customers impacted or how the stolen credentials were obtained.
The situation has taken an interesting turn, as one affected customer, BeyondTrust Corp., publicly shared its experience, revealing a concerning lack of responsiveness from Okta. BeyondTrust detected an identity-centric attack on an in-house Okta administrator account on October 2 but received no acknowledgment from Okta until October 19, despite timely alerts to the potential breach.
Cloudflare Inc. has also come forward, reporting that it detected attacks on its systems on October 18, which were traced back to Okta. While Cloudflare successfully protected its customers, the company raised concerns about Okta's response time. 1Password has also been affected by the Okta breach. The company's Chief Technology Officer, Pedro Canahuati, stated that they detected suspicious activity on September 29 on an employee-facing app, but they were able to terminate the activity immediately. 1Password also successfully protected its employees, with no compromise of user data.
This is the second breach that Okta has faced within a two-year span. The company was the victim of an attack via Lapsus$ in March 2022. Internal documents were stolen in that attack, and the breach was not disclosed until much later. Please see Avertium’s recommendations below.
INDICATORS OF COMPROMISE (IoCs)
IP Addresses
User Agents
Okta’s published announcement from the company’s Chief Security Officer, David Bradbury, states the following regarding User Agents:
“While the following user-agents are legitimate, they may be rare in your environment given the release of Chrome 99 in March 2022.”
SUPPORTING DOCUMENTATION
Tracking Unauthorized Access to Okta's Support System | Okta Security
Okta says its support system was breached using stolen credentials (bleepingcomputer.com)
User Sign-in and Recovery Events in the Okta System Log | Okta Security
Okta shares drop after identity company discloses yet another data breach - SiliconANGLE
1Password also affected by Okta Support System breach - Help Net Security
How Cloudflare mitigated yet another Okta compromise
Okta says hackers stole data for all customer support users in cyber breach | Reuters
October Customer Support Security Incident - Update and Recommended Actions | Okta Security