
Security Incident Reveals Unauthorized Access to Okta’s Support System, Exposing Customer Data


Okta, the identity services provider, recently disclosed a security incident where unidentified threat actors exploited stolen credentials to gain access to its support case management system. 

Details about the Breach

This unauthorized access allowed the threat actor to view files uploaded by specific Okta customers as part of recent support cases. 

This support case management system operates independently from Okta’s core production service, which remains unaffected and fully operational.

Support System’s Role in Troubleshooting

The incident did not impact Okta’s Auth0/CIC case management system, and the company promptly informed the affected customers. 

Customers use the support system to upload HTTP Archive (HAR) files, primarily so that Okta can replicate end-user or administrator errors for troubleshooting. 

HAR files may contain sensitive information, such as cookies and session tokens, which can be exploited by malicious actors to impersonate legitimate users. Okta has taken proactive steps to revoke embedded session tokens to prevent misuse.
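As an added example that is not part of the original article, the following Python script redacts the cookie and Authorization material a HAR file carries before the file is attached to a support case. The sample HAR, its token values and the tenant hostname are constructed placeholders.

```python
import copy
import json

# Constructed sample HAR (HTTP Archive) resembling a browser export a customer
# might attach to a support ticket; every value below is a placeholder.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://example-tenant.example.com/api/v1/users/me",
                "headers": [
                    {"name": "Authorization", "value": "SSWS 00placeholder-api-token"},
                    {"name": "Cookie", "value": "sid=placeholder-session-id"},
                    {"name": "Accept", "value": "application/json"},
                ],
                "cookies": [{"name": "sid", "value": "placeholder-session-id"}],
            },
            "response": {
                "status": 200,
                "headers": [
                    {"name": "Set-Cookie", "value": "sid=placeholder-renewed; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"},
                ],
                "cookies": [{"name": "sid", "value": "placeholder-renewed"}],
            },
        }],
    }
}

# Header names (lower-cased) whose values carry credentials or session material.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"


def sanitize_har(har: dict) -> tuple[dict, int]:
    """Return a redacted deep copy of the HAR and the number of values replaced."""
    clean = copy.deepcopy(har)  # never mutate the caller's capture
    redacted = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):  # both directions carry tokens
            part = entry.get(side, {})
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    redacted += 1
            for cookie in part.get("cookies", []):  # structured cookie list
                cookie["value"] = REDACTED
                redacted += 1
    return clean, redacted


def sanitized_json(har: dict) -> str:
    """Serialize the redacted HAR, ready to be written out and uploaded."""
    return json.dumps(sanitize_har(har)[0], indent=2)
```

Run `sanitize_har` on the exported file before uploading; the count it returns is a quick check that the capture actually contained session material.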

Technical Details Still Unknown

Despite the disclosure, Okta has not provided specific details regarding the unauthorized access’s scale, timing, or detection date. As of March 2023, Okta boasts more than 17,000 customers and manages approximately 50 billion users.

Image Description: Timeline of Okta Breach

Targeted Companies: BeyondTrust and Cloudflare

BeyondTrust and Cloudflare have confirmed that they were targeted in this support system breach. In Cloudflare’s case, the threat actor hijacked a session token from a support ticket created by one of its employees and used it to access Cloudflare systems on October 18. 

Cloudflare described the attack as sophisticated: the threat actor compromised two separate Cloudflare employee accounts within the Okta platform. No customer information or systems were breached during the incident.

BeyondTrust, for its part, reported the breach to Okta on October 2, 2023. The subsequent attack on Cloudflare implies that the threat actor retained access to Okta’s support systems until at least October 18, 2023. 

In BeyondTrust’s case, suspicious activity related to a session cookie was detected within 30 minutes of uploading a HAR file to the system on October 2. 

Thankfully, the attempted attacks against BeyondTrust were controlled effectively, with no impact or exposure to their infrastructure or customer data.

This incident represents the latest in a series of security challenges Okta has faced over recent years. The company, known for its single sign-on (SSO) services, has become an attractive target for malicious entities due to its association with some of the world’s largest enterprises.

Lessons Learnt

The recent security breach in Okta’s support system highlights the persistent challenges that this identity services provider faces in safeguarding sensitive customer data. 

As the company works through this latest challenge, stakeholders, from customers to investors, will be closely observing Okta’s response, the lessons learned, and the measures taken to strengthen its security posture. 

We also need to be secure and resilient!

Anas Hasan

October 23, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast with extensive experience in the digital transformation industry. When Anas isn’t blogging, he watches football.