Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Hackers breach Okta’s support systems using stolen credentials

A cyber attack on security and user authentication service provider Okta has led to threat actors gaining access to the company’s support system and a number of authentication tokens.

user icon Daniel Croft
Tue, 24 Oct 2023
Hackers breach Okta’s support systems using stolen credentials
expand image

The company has issued a statement saying that the threat actors gained access to the company’s support system through stolen credentials.

“Okta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system,” said Okta chief security officer David Bradbury.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”

============
============

The system targeted in the attack was responsible for storing customer HTTP Archive (HAR) files, which are responsible for tracking data relating to website interactions and contain sensitive data collected during web browser activity, including personal information, IP addresses, URLs, cookies and authentication tokens.

Access to these files could allow a threat actor to abuse financial information, hijack web sessions, steal credentials, or potentially launch phishing attacks or engage in identity theft.

“It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted,” added Bradbury, who said that the Auth0/CIC case management system is safe.

“All customers who were impacted by this have been notified,” he continued.

“If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.”

The breach has resulted in other organisations being targeted, such as password management platform 1Password announcing its Okta environment had been breached.

“We detected suspicious activity on our Okta instance related to their support system incident. After a thorough investigation, we concluded that no 1Password user data was accessed,” the company said in a brief statement.

News of the breach was first made public by Cloudflare on 18 October, which had also flagged attacks on its own system that it was able to “trace back to Okta”.

While Cloudflare itself was unaffected by the incident due to a swift response from its security teams, it pointed out that Okta was first made aware of the issue on 2 October, over two weeks before.

Cloudflare provided Okta with a number of recommendations to improve its cyber response in the future, heavily suggesting that the company improve its response and disclosure times.

“Take any report of compromise seriously and act immediately to limit damage; in this case, Okta was first notified on October 2, 2023 by BeyondTrust, but the attacker still had access to their support systems at least until October 18, 2023,” it said.

Cloudflare has reason to be frustrated with Okta. The latter suffered another cyber attack last year in March, which also led to Cloudflare being impacted.

The company uses Okta for employee identity as part of its authentication stack. While it was able to mitigate any impact as a result, the recent beach now marks the second time that Cloudflare has had to act fast as a result of Okta.

Threat actors have utilised Okta as part of cyber attacks on other organisations in the past. Only last month, infamous ransomware syndicate ALPHV launched an attack on casino giant MGM Resorts after it gained access to its Okta environment.

ALPHV had been “lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps”, the group said. It was then they were discovered, and MGM shut down every one of its Okta Sync servers.

Despite this, ALPHV maintained access to MGM’s network, with super admin privileges to the company’s Okta servers and global admin privileges to its Azure tenant.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.