
Flash Notice: UPDATE - Okta Breached via Stolen Credentials - CloudFlare, 1Password, & BeyondTrust Also Impacted

Written by Marketing | Oct 24, 2023 5:16:07 PM

UPDATE (11/29/2023) - 

Last month, Avertium published a flash notice warning users of a critical breach impacting Okta Inc. This week, the company stated that the threat actors behind the breach stole a file containing information on all users of its customer support system.

Okta informed its customers that threat actors obtained a report containing data, such as names and email addresses, of all clients utilizing its customer support system. Additionally, a notable portion of the affected users are administrators, with 6% of them not having activated multi-factor authentication to guard against unauthorized login attempts. 

While Okta stated that there is no known evidence that the stolen data was exploited, they have notified all of their customers that the report is a security risk for phishing and social engineering.  Okta further stated that user credentials have not been exposed. Avertium’s recommendations from October still apply.  


Overview

Okta Inc., an identity and access management company, disclosed its most recent security breach this week. According to the official statement released by Okta, the breach involved "adversarial activity leveraging access to a stolen credential to infiltrate Okta's support case management system." The threat actor, using the stolen credentials, managed to access files uploaded by specific Okta customers as part of recent support cases. 

It's important to note that the compromised support case system is different from the main Okta production service, which remains unaffected by this breach. Additionally, Okta's Auth0/CIC case management system was not impacted by the security breach. 

Okta has already notified and is cooperating with customers that were impacted. In this breach, attackers gained access to files containing cookies and session tokens uploaded by customers to Okta's support management system. Therefore, Okta advises all customers to sanitize their credentials and cookies/session tokens within an HAR file before sharing it. Okta did not disclose the number of customers impacted or how the stolen credentials were obtained. 

The situation has taken an interesting turn, as one affected customer, BeyondTrust Corp., publicly shared its experience, revealing a concerning lack of responsiveness from Okta. BeyondTrust detected an identity-centric attack on an in-house Okta administrator account on October 2 but received no acknowledgment from Okta until October 19, despite timely alerts to the potential breach. 

Cloudflare Inc. has also come forward, reporting that it detected attacks on its systems on October 18, which were traced back to Okta. While Cloudflare successfully protected its customers, the company raised concerns about Okta's response time. 1Password has also been affected by the Okta breach. The company's Chief Technology Officer, Pedro Canahuati, stated that they detected suspicious activity on September 29 on an employee-facing app, but they were able to terminate the activity immediately. 1Password also successfully protected its employees, with no compromise of user data. 

This is the second breach that Okta has faced within a two-year span. The company was the victim of an attack via Lapsus$ in March 2022. Internal documents were stolen in that attack, and the breach was not disclosed until much later. Please see Avertium’s recommendations below.  


Avertium's Recommendations

  • As stated above, it is highly recommended that all customers sanitize their credentials and cookies/session tokens within an HAR file before sharing it. 
    • According to Okta, HTTP Archive (HAR) is a format used to track information that travels between web browsers and websites. Access Gateway primarily uses HAR files to replicate end user or administrator errors.  
    • You may find guidance on how to generate an HAR file in Chrome, Firefox, and Safari via Okta’s Help Center documentation. 
  • Okta also recommends referring to their previously published advice on how to search System Log for any suspicious sessions, users, or IP Addresses.  
  • Implement MFA. 
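One way to carry out the HAR sanitization recommended above, as an added example rather than Okta's own tooling: it walks the standard HAR layout (log.entries[].request/response) and blanks the headers, cookies, query parameters and posted bodies that typically hold credentials or session tokens. The header and parameter names it redacts, and the sample HAR, are assumptions constructed for the example.

```python
"""Redact credentials and session material from a HAR file before sharing it.
Added example, not Okta's tooling. Walks the standard HAR layout (log.entries[])
and blanks fields that usually hold secrets; the name lists are assumptions."""
import copy
import json

SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_PARAMS = {"sessiontoken", "token", "access_token", "id_token", "code", "password"}
REDACTED = "[REDACTED]"

def _scrub_pairs(pairs, names):
    """Blank the value of each {name, value} entry whose name is in `names`."""
    for item in pairs or []:
        if str(item.get("name", "")).lower() in names:
            item["value"] = REDACTED

def sanitize_har(har):
    """Return a redacted deep copy of a parsed HAR document; the input is untouched."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request") or {}, entry.get("response") or {}
        _scrub_pairs(req.get("headers"), SENSITIVE_HEADERS)
        _scrub_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        # HAR also keeps parsed cookies in their own arrays, separate from the headers.
        for cookie in (req.get("cookies") or []) + (resp.get("cookies") or []):
            cookie["value"] = REDACTED
        # Posted bodies (login forms, token exchanges) carry credentials as well.
        if "postData" in req:
            _scrub_pairs(req["postData"].get("params"), SENSITIVE_PARAMS)
            req["postData"]["text"] = REDACTED
    return har

def sanitize_har_file(src, dst):
    # Read a HAR file exported from the browser and write the redacted copy to dst.
    with open(src, encoding="utf-8") as fh:
        har = json.load(fh)
    with open(dst, "w", encoding="utf-8") as fh:
        json.dump(sanitize_har(har), fh, indent=2)

# Constructed sample (not real data): a session cookie, an API token and a login body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "POST", "url": "https://example.okta.com/api/v1/authn",
                "headers": [{"name": "Authorization", "value": "SSWS 00abc123"},
                            {"name": "Cookie", "value": "sid=102abc; DT=xyz"},
                            {"name": "Accept", "value": "application/json"}],
                "queryString": [{"name": "sessionToken", "value": "20111aaa"}],
                "cookies": [{"name": "sid", "value": "102abc"}],
                "postData": {"mimeType": "application/json", "text": '{"username":"alice","password":"hunter2"}'}},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=new"}], "cookies": [{"name": "sid", "value": "new"}]}}]}}
```

Review the redacted copy before attaching it; response bodies are left intact here because they usually carry the diagnostic detail support needs, so check them by hand for tokens.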


Indicators of Compromise (IoCs)

IP Addresses  


User Agents  

Okta’s published announcement from the company’s Chief Security Officer, David Bradbury, states the following regarding User Agents:  

“While the following user-agents are legitimate, they may be rare in your environment given the release of Chrome 99 in March 2022.” 

  • Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent) 
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent) 
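An added example (not Okta's or Avertium's code) of the System Log search recommended above, run over constructed sample events: it flags sign-in events from source IPs on a watchlist and events carrying the rare Chrome 99 user-agents quoted from Okta's announcement, then groups the findings by account. It assumes the System Log JSON field names client.ipAddress, client.userAgent.rawUserAgent and actor.alternateId; the watchlist IPs are placeholders to be replaced with the advisory's list.

```python
"""Triage exported Okta System Log events against the notice's indicators.
Added example, not Okta's tooling. Assumes the System Log JSON event layout
(client.ipAddress, client.userAgent.rawUserAgent, actor.alternateId, eventType);
the IP watchlist holds constructed placeholders for the advisory's list."""
import re

# Exact user-agent strings quoted in the notice: legitimate but outdated Chrome 99.
LEGACY_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/99.0.7113.93 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36",
}
CHROME_99 = re.compile(r"\bChrome/99\.\d+\.\d+\.\d+\b")  # any other Chrome 99 build
IP_WATCHLIST = {"203.0.113.10", "198.51.100.7"}  # placeholders; load the advisory's IPs

def classify_event(event):
    """Return the reasons an event deserves review; an empty list means clean."""
    reasons = []
    client = event.get("client") or {}
    ip = client.get("ipAddress")
    ua = (client.get("userAgent") or {}).get("rawUserAgent") or ""
    if ip in IP_WATCHLIST:
        reasons.append(f"source IP {ip} is on the watchlist")
    if ua in LEGACY_USER_AGENTS:
        reasons.append("user-agent is one of the strings quoted in the advisory")
    elif CHROME_99.search(ua):
        reasons.append("rare Chrome 99 user-agent")
    return reasons

def triage(events):
    """Group flagged events by actor login so each affected account is reviewed once."""
    findings = {}
    for ev in events:
        for reason in classify_event(ev):
            actor = (ev.get("actor") or {}).get("alternateId", "<unknown>")
            findings.setdefault(actor, set()).add(f"{ev.get('eventType')}: {reason}")
    return {actor: sorted(reasons) for actor, reasons in findings.items()}

# Constructed sample events (not real log data); the third reuses a quoted user-agent.
UA_CURRENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "192.0.2.44", "userAgent": {"rawUserAgent": UA_CURRENT}}},
    {"eventType": "user.session.start", "actor": {"alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "curl/8.1.2"}}},
    {"eventType": "user.authentication.sso", "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "192.0.2.45",
                "userAgent": {"rawUserAgent": sorted(LEGACY_USER_AGENTS)[1]}}},
]
```

Feed it the JSON array returned by the System Log API export (one event object per element); a hit on the legacy user-agents is a prompt to review the session, not proof of compromise, as Okta notes they are legitimate.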


How Avertium is Protecting Our Customers

  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack. 
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.  
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping - Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan). 


Supporting Documentation

Tracking Unauthorized Access to Okta's Support System | Okta Security 

Okta says its support system was breached using stolen credentials (bleepingcomputer.com) 

User Sign-in and Recovery Events in the Okta System Log | Okta Security 

Okta shares drop after identity company discloses yet another data breach - SiliconANGLE 

Generate HAR files (okta.com) 

1Password also affected by Okta Support System breach - Help Net Security 

How Cloudflare mitigated yet another Okta compromise

Okta says hackers stole data for all customer support users in cyber breach | Reuters 

October Customer Support Security Incident - Update and Recommended Actions | Okta Security