Home Cyber Security Hackers Stole Entry Tokens from Okta’s Help Unit – Krebs on Safety

Hackers Stole Entry Tokens from Okta’s Help Unit – Krebs on Safety

Hackers Stole Entry Tokens from Okta’s Help Unit – Krebs on Safety


Okta, an organization that gives id instruments like multi-factor authentication and single sign-on to 1000’s of companies, has suffered a safety breach involving a compromise of its buyer assist unit, KrebsOnSecurity has discovered. Okta says the incident affected a “very small quantity” of shoppers, nonetheless it seems the hackers accountable had entry to Okta’s assist platform for not less than two weeks earlier than the corporate absolutely contained the intrusion.

In an advisory despatched to an undisclosed variety of clients on Oct. 19, Okta mentioned it “has recognized adversarial exercise that leveraged entry to a stolen credential to entry Okta’s assist case administration system. The risk actor was capable of view recordsdata uploaded by sure Okta clients as a part of latest assist circumstances.”

Okta defined that when it’s troubleshooting points with clients it’ll usually ask for a recording of a Internet browser session (a.ok.a. an HTTP Archive or HAR file). These are delicate recordsdata as a result of they’ll embrace the shopper’s cookies and session tokens, which intruders can then use to impersonate legitimate customers.

“Okta has labored with impacted clients to analyze, and has taken measures to guard our clients, together with the revocation of embedded session tokens,” their discover continued. “Normally, Okta recommends sanitizing all credentials and cookies/session tokens inside a HAR file earlier than sharing it.”

The safety agency BeyondTrust is among the many Okta clients who acquired Thursday’s alert from Okta. BeyondTrust Chief Know-how Officer Marc Maiffret mentioned that alert got here greater than two weeks after his firm alerted Okta to a possible drawback.

Maiffret emphasised that BeyondTrust caught the assault earlier this month because it was occurring, and that none of its personal clients had been affected. He mentioned that on Oct 2., BeyondTrust’s safety group detected that somebody was making an attempt to make use of an Okta account assigned to one in every of their engineers to create an omnipotent administrator account inside their Okta atmosphere.

When BeyondTrust reviewed the exercise of the worker account that attempted to create the brand new administrative profile, they discovered that — simply half-hour previous to the unauthorized exercise — one in every of their assist engineers shared with Okta one in every of these HAR recordsdata that contained a sound Okta session token, Maiffret mentioned.

“Our admin despatched that [HAR file] over at Okta’s request, and half-hour after that the attacker began doing session hijacking, tried to replay the browser session and leverage the cookie in that browser recording to behave on behalf of that person,” he mentioned.

Maiffret mentioned BeyondTrust adopted up with Okta on Oct. 3 and mentioned they had been pretty assured Okta had suffered an intrusion, and that he reiterated that conclusion in a cellphone name with Okta on October 11 and once more on Oct. 13.

In an interview with KrebsOnSecurity, Okta’s Deputy Chief Data Safety Officer Charlotte Wylie mentioned Okta initially believed that BeyondTrust’s alert on Oct. 2 was not a results of a breach in its methods. However she mentioned that by Oct. 17, the corporate had recognized and contained the incident — disabling the compromised buyer case administration account, and invalidating Okta entry tokens related to that account.

Wylie declined to say precisely what number of clients acquired alerts of a possible safety subject, however characterised it as a “very, very small subset” of its greater than 18,000 clients.

The disclosure from Okta comes simply weeks after on line casino giants Caesar’s Leisure and MGM Resorts had been hacked. In each circumstances, the attackers managed to social engineer staff into resetting the multi-factor login necessities for Okta administrator accounts.

In March 2022, Okta disclosed a breach from the hacking group LAPSUS$, which specialised in social-engineering staff at focused corporations. An after-action report from Okta on that incident discovered that LAPSUS$ had social engineered its manner onto the workstation of a assist engineer at Sitel, a third-party outsourcing firm that had entry to Okta sources.

Okta’s Wylie declined to reply questions on how lengthy the intruder might have had entry to the corporate’s case administration account, or who might need been answerable for the assault. Nevertheless, she did say the corporate believes that is an adversary they’ve seen earlier than.

“This can be a recognized risk actor that we imagine has focused us and Okta-specific clients,” Wylie mentioned.

Replace, 2:57 p.m. ET: Okta has printed a weblog publish about this incident that features some “indicators of compromise” that clients can use to see in the event that they had been affected. However the firm confused that “all clients who had been impacted by this have been notified. Should you’re an Okta buyer and you haven’t been contacted with one other message or technique, there is no such thing as a influence to your Okta atmosphere or your assist tickets.”

Replace, 3:36 p.m. ET: BeyondTrust has printed a weblog publish about their findings.

Replace, Oct. 24, 10:20 a.m. ET: 1Password and Cloudflare have disclosed compromises of their Okta authentication platforms on account of the Okta breach. Each corporations say an investigation has decided no buyer info or methods had been affected. In the meantime, an Okta spokesperson advised TechCrunch that the corporate notified about 1 p.c of its buyer base (~170 clients), so we’re more likely to see extra such disclosures within the days and weeks forward.



Please enter your comment!
Please enter your name here