The perpetrator gained unauthorized access to customer support tickets and files that contained confidential information. Okta refrained from disclosing the number of consumers affected.
A malicious actor successfully gained unauthorized access to an administrative account within the Okta support system by utilizing a stolen credential. This incident happened making Okta Again Under Attack making this second series of attacks against the identity and access management provider, as well as its customers’ Okta environments, since late July.
According to a blog post by Okta CSO David Bradbury, the individual responsible for the security breach accessed files that included confidential information. These files have been provided by certain customers in relation to recent support issues.
Okta refrained from disclosing the specific number of clients affected by the attack. This incident occurred about two months subsequent to four of its customers experiencing social engineering attacks, which resulted in the compromise of accounts belonging to individuals with elevated privileges.
Several weeks after the occurrence, individuals associated with the ransomware attack targeting MGM Resorts in early September asserted that they had gained unauthorized access to the company’s Okta environment prior to executing the operation.
The initial detection of the identity-based assault was made by the security team at BeyondTrust, who subsequently communicated their apprehensions regarding a potential breach to Okta on October 2nd. According to a blog post by BeyondTrust CTO Marc Maiffret, Okta’s security team did not engage in a meeting with BeyondTrust, a client impacted by the attack, until October 11. The internal breach was subsequently acknowledged by Okta’s security team on Thursday.
The temporal disparity between BeyondTrust’s identification of an assailant attempting to breach an internal Okta administrator account and the subsequent verification and public acknowledgment by Okta implies that the malicious actor may have had unauthorized entry into Okta’s support system for a duration exceeding fourteen days.
According to Bradbury’s statement in the blog post, Okta has collaborated with affected clients to conduct an investigation and has implemented actions to safeguard their customers, such as the revocation of embedded session tokens.
Okta refrained from providing detailed responses and instead referred to Bradbury’s statement regarding the incident.
The analysis conducted by BeyondTrust concluded that the threat actor managed to obtain a session cookie. This cookie was obtained via a support ticket that contained sensitive information. BeyondTrust had published this ticket to Okta’s help panel as part of an ongoing issue.
According to Maiffret’s blog post, the malevolent actor made an endeavor to execute operations within the BeyondTrust Okta environment within a time frame of thirty minutes subsequent to the uploading of the HTTP Archive file.
According to Maiffret, the threat actor’s access to the Okta console was obstructed by a security policy configuration that deviated from the default settings. However, the attacker managed to circumvent this obstacle by utilizing Okta’s admin API to establish a user account that served as a covert entry point. This account was promptly deactivated by the security team at BeyondTrust.
According to Okta, all customers who have been affected have received notifications. Additionally, Bradbury underlined that the support case management system is distinct from the operating Okta service environment, which remains completely functional and unaffected.
The single sign-on provider is a prominent and frequently targeted entity in the realm of cyberattacks. Last year, Okta had a phishing assault, a breach, and the theft of its GitHub source code.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.
READ MORE ARTICLE HERE