THE DFIR BLOG

Okta Breach overview

10/24/2023

Okta's customer support system was compromised, giving the attacker access to HTTP Archive (HAR) files uploaded by customers. Okta support asks customers to upload HAR files so that a browser session can be reproduced while troubleshooting; unless they are sanitized first, those files contain sensitive data such as session cookies and tokens. The threat actor extracted session tokens from the uploaded HAR files and used them to impersonate customer users and gain access to their Okta tenants.

In March 2022, Okta disclosed a breach of an internal system by the hacking group LAPSUS$. For the current incident, Okta has not yet named the threat actor, but it has said it believes this is an adversary it has seen before.

Timeline

Date           Notes
Oct 2, 2023    BeyondTrust detected an identity-centric attack against its own Okta tenant, which led it to believe that Okta itself was compromised.
Oct 3, 2023    BeyondTrust asked Okta support to escalate to the Okta security team, given initial forensics pointing to a compromise within the Okta support organization.
Oct 11, 2023   BeyondTrust held Zoom sessions with the Okta security team to explain why it believed Okta might be compromised. (Source: BeyondTrust blog)
Oct 18, 2023   Cloudflare detected the attack and traced it back to Okta. Cloudflare contained the attack and informed Okta. (Source: Cloudflare blog)
Oct 19, 2023   Okta confirmed the breach. Approximately 170 Okta customers were impacted, including Cloudflare, BeyondTrust, and 1Password.

Attacker Techniques - Kill Chain

  • Initial access: Okta has not said how the attacker obtained the credential used to reach its support system, but said the most likely avenue for its exposure is the compromise of an employee's personal Google account or personal device.
  • The threat actor accessed Okta's customer support system and viewed files uploaded by specific Okta customers as part of recent support cases.
  • The HAR files in those cases contained valid session tokens. The threat actor extracted them and used them to hijack the legitimate Okta sessions of 5 customers; because the token represents an already-authenticated session, no password or MFA challenge stands in the way of replaying it.
  • Where the hijacked session carried administrative privileges, the attacker used it to act inside the customer's Okta tenant (1Password reports exactly this in its incident report: an open Okta session with administrative privileges used against its instance).
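
The kill chain above works only because a HAR file records the browser's cookies and tokens verbatim. The following Python script, added here as an illustration and not code from Okta, Cloudflare, 1Password or the original post, shows what has to be stripped before a HAR is attached to a support ticket: cookie values, Set-Cookie and Authorization headers, token-like query parameters (including inside the URL string itself, which a header-only scrubber misses), and token and password fields in JSON bodies. The HAR it runs on is constructed for the demo with fake token values, and the header and parameter name lists are this example's own choices, not a list published by Okta.

```python
"""Strip session material from a HAR file before it leaves your machine.

Added example for this post, not code from Okta, Cloudflare or 1Password.
Layout follows HAR 1.2 (log.entries[].request/.response with headers,
cookies, queryString, postData, content).  SAMPLE_HAR is constructed
for the demo; every token value in it is fake.
"""
import copy
import json
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names whose values carry credentials or session material (our list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key", "x-okta-xsrftoken"}
# Query-string parameter names that commonly carry tokens (our list).
SENSITIVE_PARAMS = {"token", "sessiontoken", "statetoken", "sid", "code",
                    "access_token", "id_token", "refresh_token"}
# JSON bodies:  "sessionToken": "2011..."  ->  "sessionToken": "[REDACTED]"
_JSON_SECRET_RE = re.compile(r'("(?:sessionToken|stateToken|access_token|'
                             r'id_token|refresh_token|password)"\s*:\s*")[^"]*(")')

def _scrub_pairs(pairs, names=None):
    """Redact HAR {name, value} pairs; every pair when names is None."""
    hits = [p for p in pairs or [] if names is None or p["name"].lower() in names]
    for p in hits:
        p["value"] = REDACTED
    return len(hits)

def _scrub_text(text):
    """Redact secret-looking JSON members inside a request/response body."""
    if not text:
        return text, 0
    return _JSON_SECRET_RE.subn(r"\g<1>" + REDACTED + r"\g<2>", text)

def _scrub_url(url):
    """Redact sensitive query parameters inside the request URL itself."""
    parts = urlsplit(url)
    q = parse_qsl(parts.query, keep_blank_values=True)
    n = sum(k.lower() in SENSITIVE_PARAMS for k, _ in q)
    q = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in q]
    return urlunsplit(parts._replace(query=urlencode(q, safe="[]:/"))), n

def sanitize_har(har):
    """Return (sanitized deep copy, number of values redacted)."""
    har = copy.deepcopy(har)
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"], n = _scrub_url(req.get("url", ""))
        count += n
        count += _scrub_pairs(req.get("headers"), SENSITIVE_HEADERS)
        count += _scrub_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        count += _scrub_pairs(req.get("cookies"))   # cookies are session
        count += _scrub_pairs(resp.get("cookies"))  # material by definition
        count += _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        for body in (req.get("postData"), resp.get("content")):
            if body and body.get("text"):
                body["text"], n = _scrub_text(body["text"])
                count += n
    return har, count

def leaks(har, secret):
    """True if the literal secret still appears anywhere in the HAR."""
    return secret in json.dumps(har)

# Constructed sample: a session-cookie redirect and a login, as a browser records them.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://example.okta.com/login/sessionCookieRedirect"
                        "?token=20111FAKEsessionToken&redirectUrl=https://example.okta.com/app/UserHome",
                 "headers": [{"name": "Host", "value": "example.okta.com"},
                             {"name": "Cookie", "value": "sid=102FAKEsid"}],
                 "cookies": [{"name": "sid", "value": "102FAKEsid"}],
                 "queryString": [{"name": "token", "value": "20111FAKEsessionToken"},
                                 {"name": "redirectUrl", "value": "https://example.okta.com/app/UserHome"}]},
     "response": {"status": 302, "cookies": [{"name": "sid", "value": "102FAKEsid"}],
                  "headers": [{"name": "Set-Cookie", "value": "sid=102FAKEsid; Path=/; Secure; HttpOnly"}],
                  "content": {"mimeType": "text/html", "text": ""}}},
    {"request": {"method": "POST", "url": "https://example.okta.com/api/v1/authn",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json",
                              "text": '{"username": "alice@example.com", "password": "hunter2"}'}},
     "response": {"status": 200, "headers": [],
                  "content": {"mimeType": "application/json",
                              "text": '{"status": "SUCCESS", "sessionToken": "20111FAKEsessionToken"}'}}},
]}}

if __name__ == "__main__":  # usage: python har_sanitize.py in.har > out.har
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, n = sanitize_har(src)
    print(json.dumps(clean, indent=2))
    print(f"redacted {n} values", file=sys.stderr)
```

Run it with a file argument to sanitize a real capture. It is deliberately aggressive (every cookie value goes, not just known session cookies), because the cost of over-redacting a support artifact is a follow-up question, while the cost of under-redacting was this incident. Form-encoded bodies (postData.params) and non-JSON response bodies are not covered here and would need the same treatment.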

Supply Chain Breaches

  • 1Password, from its incident report: "On September 29, 2023 an IT team member received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins. They recognized that they hadn't initiated the admin report and alerted our security incident response team. Preliminary investigations revealed activity in our Okta environment was sourced by a suspicious IP address and it was later confirmed that a threat actor had accessed our Okta tenant with administrative privileges." (Source: 1Password incident report)
  • Cloudflare: The threat actor hijacked a session token from a HAR file attached to a support ticket created by a Cloudflare employee. Using the token taken from Okta's support system, the threat actor accessed Cloudflare systems on October 18. The threat actor also compromised two separate Cloudflare employee accounts within the Okta platform. (Source: Cloudflare blog)

Recommendations

  • Sanitize HAR files before uploading them to any support portal: strip cookies, Authorization and Set-Cookie headers, and session or state tokens from requests, responses and URLs. A HAR captures the full browser session, so an unsanitized HAR is a credential.
  • Enforce phishing-resistant (hardware) MFA for all user accounts, and especially for Okta administrators. Be clear about the limit of this control in this incident: a stolen session token represents an already-authenticated session, so MFA is not challenged again when the token is replayed. Okta has also not revealed how the threat actor gained initial access to its own support system.
  • Build out a threat detection program around identity: alert on admin-console access or admin reports from an IP address never seen for that user (the signal that tipped off 1Password), on a single Okta session appearing from more than one IP address or user agent, and on sensitive changes (new API tokens, admin role grants) that follow such anomalies. Keep session lifetimes short so that a leaked token expires before it is useful.
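
One concrete detection for the last recommendation, written for this post and not code from Okta, Cloudflare or 1Password: a stolen Okta session token is replayed from the attacker's address, so the same session ID shows up in the System Log from two different client IPs, typically with a different user agent, and administrative actions follow. The field names below are those of Okta's System Log event schema; the events themselves are constructed for the demo and are not real log data.

```python
"""Flag Okta sessions that are replayed from a second IP address.

Added example for this post (not Okta's, Cloudflare's or 1Password's code).
Field names follow the Okta System Log event schema
(authenticationContext.externalSessionId, client.ipAddress,
client.userAgent.rawUserAgent, actor.alternateId, eventType, published);
SAMPLE_EVENTS below are constructed for the demo, not real log data.
"""
from collections import defaultdict

# Event types that matter most when they arrive from an unexpected address
# (names as documented in the Okta System Log).
SENSITIVE_EVENTS = {
    "user.session.access_admin_app",
    "system.api_token.create",
    "user.account.update_password",
}


def _get(event, path, default=None):
    """Dotted-path lookup: _get(e, "client.ipAddress")."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def detect_session_reuse(events):
    """Group events by Okta session ID and report every session that was
    used from more than one client IP.  Returns a list of alert dicts."""
    sessions = defaultdict(list)
    # ISO-8601 timestamps in one time zone sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["published"]):
        sid = _get(ev, "authenticationContext.externalSessionId")
        if sid:
            sessions[sid].append(ev)

    alerts = []
    for sid, evs in sessions.items():
        first_ip = _get(evs[0], "client.ipAddress")
        first_ua = _get(evs[0], "client.userAgent.rawUserAgent")
        foreign = [e for e in evs if _get(e, "client.ipAddress") != first_ip]
        if not foreign:
            continue
        sensitive = [e["eventType"] for e in foreign
                     if e["eventType"] in SENSITIVE_EVENTS]
        alerts.append({
            "session": sid,
            "actor": _get(evs[0], "actor.alternateId"),
            "first_ip": first_ip,
            "new_ips": sorted({_get(e, "client.ipAddress") for e in foreign}),
            "first_seen_from_new_ip": foreign[0]["published"],
            "user_agent_changed": any(
                _get(e, "client.userAgent.rawUserAgent") != first_ua for e in foreign),
            "sensitive_events_from_new_ip": sensitive,
            # Admin actions from the new address: treat as a hijack until proven otherwise.
            "severity": "high" if sensitive else "medium",
        })
    return alerts


def _ev(ts, actor, etype, sid, ip, ua):
    """Build a minimal System-Log-shaped event (constructed test data)."""
    return {"published": ts, "eventType": etype,
            "actor": {"alternateId": actor},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "authenticationContext": {"externalSessionId": sid}}


MAC = "Mozilla/5.0 (Macintosh) Chrome/118"
WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/118"

# Constructed sample: alice's admin session S1 is replayed from a second IP and
# user agent and then creates an API token; bob's session S2 is normal.
SAMPLE_EVENTS = [
    _ev("2023-10-18T09:00:00Z", "alice@example.com", "user.session.start", "S1", "203.0.113.10", MAC),
    _ev("2023-10-18T09:05:00Z", "alice@example.com", "user.session.access_admin_app", "S1", "203.0.113.10", MAC),
    _ev("2023-10-18T09:10:00Z", "bob@example.com", "user.session.start", "S2", "203.0.113.22", MAC),
    _ev("2023-10-18T10:30:00Z", "alice@example.com", "user.session.access_admin_app", "S1", "198.51.100.77", WIN),
    _ev("2023-10-18T10:31:00Z", "alice@example.com", "system.api_token.create", "S1", "198.51.100.77", WIN),
    _ev("2023-10-18T10:40:00Z", "bob@example.com", "user.session.access_admin_app", "S2", "203.0.113.22", MAC),
]

if __name__ == "__main__":
    for a in detect_session_reuse(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] session {a['session']} of {a['actor']}: "
              f"started from {a['first_ip']}, later used from {', '.join(a['new_ips'])} "
              f"(UA changed: {a['user_agent_changed']}; sensitive: {a['sensitive_events_from_new_ip']})")
```

A bare IP change is noisy for mobile and VPN users, so in production compare on network (ASN or /24) and let the user-agent change and the sensitive event types drive severity rather than alerting on the address alone. The same grouping is straightforward to express in whichever SIEM ingests the System Log.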

Questions for CISOs and Security Leaders

  • Should you allow employees to use personal accounts on corporate-issued devices? If yes, how will you justify the productivity-versus-security trade-off?
  • Okta is a single point of failure for most of the companies that use it. What is your business continuity (BCP) strategy in case of a full compromise of Okta?
