October 26, 2023

Okta breach causes headaches for its customers

Okta, a US-based cloud identity and access management company, recently announced that an unnamed threat actor breached its support management system using stolen credentials. The threat actor used this access to steal cookies and session tokens, which then led to the hijacking of accounts belonging to Okta customers.

The breach was first discovered by one of Okta’s affected customers, BeyondTrust, whose security team detected and blocked attempts to log in to BeyondTrust’s Okta administrator account using a cookie stolen from Okta’s support system.

According to BeyondTrust, it provided forensic data to Okta showing that the support system was compromised; however, Okta didn’t act until two weeks later. By that point, other victims had begun coming forward, having also detected the breach on their own.

Source: Bleeping Computer

Analysis

Cloud identity and access management (IAM) solutions allow users to securely access various apps from various devices. Okta has emerged as one of the leading IAM vendors, providing users with a convenient and secure way to access the ever-growing suite of programs and applications knowledge workers need to do their jobs.

However, the last few years have been tough for Okta security-wise. In 2022, Okta announced that some of its customers’ data had been breached by the extortion threat group Lapsus$.

The same year, Scattered Swine, a financially motivated threat actor group, was able to intercept one-time passwords sent to Okta customers via SMS, resulting in the compromise of the cloud communications company Twilio.

Mitigation

According to Okta, all customers who were impacted by this breach have been notified. If your organization uses Okta and has not been contacted, there is no impact to your Okta environment or your support tickets.

For those affected, Okta advises revoking any session tokens embedded in HAR files that were shared with support. Okta also recommends sanitizing HAR files before uploading them to the support management system, to ensure they don't include credentials, cookies or session tokens.
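The sanitization step above, as an added Python example that is not Okta's code or tooling: it walks every request and response entry of a parsed HAR 1.2 file and redacts the Cookie, Set-Cookie and Authorization header values along with the parsed cookie arrays, which is where a session token ends up in a browser capture. SAMPLE_HAR is a constructed capture with placeholder values.

```python
import json
from copy import deepcopy

# Header names whose values carry credentials or session state. Matched
# case-insensitively because HAR exports preserve whatever case the client sent.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def _scrub_headers(headers):
    """Blank credential-bearing header values; leave every other header intact."""
    return [{**h, "value": REDACTED} if h.get("name", "").lower() in SENSITIVE_HEADERS
            else h for h in headers]

def _scrub_cookies(cookies):
    """HAR also stores parsed cookies apart from the header, so blank those too."""
    return [{**c, "value": REDACTED} for c in cookies]

def sanitize_har(har):
    """Return a deep copy of a parsed HAR dict with cookies and auth headers redacted.

    Walks log.entries[].request and .response, where HAR 1.2 keeps headers and
    cookies. Missing keys are tolerated; browser exports omit optional fields.
    """
    clean = deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side)
            if msg:
                msg["headers"] = _scrub_headers(msg.get("headers", []))
                msg["cookies"] = _scrub_cookies(msg.get("cookies", []))
    return clean

def sanitize_har_file(src_path, dst_path):
    """Sanitize a HAR file on disk; returns the number of entries processed."""
    with open(src_path, encoding="utf-8") as f:
        clean = sanitize_har(json.load(f))
    with open(dst_path, "w", encoding="utf-8") as f:
        json.dump(clean, f, indent=2)
    return len(clean.get("log", {}).get("entries", []))

# Constructed sample capture with placeholder values, not a real session.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=SESSION-PLACEHOLDER"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "SESSION-PLACEHOLDER"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=NEW-PLACEHOLDER; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "NEW-PLACEHOLDER"}]}}]}}
```

Request and response bodies are left untouched, so a capture of a login flow that echoes a token in JSON still needs a manual look before it is shared.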
