Identity and access management technology firm Okta on Friday warned that hackers broke into its support case management system and stole sensitive data that can be used to impersonate valid users.
A security notice from Okta security chief David Bradbury said the company found "adversarial activity" that leveraged access to a stolen credential to access the support case management system.
"The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases," Bradbury said, cautioning that the stolen data includes sensitive cookies and session tokens that can be used for additional attacks.
From the Okta advisory:
Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.
Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.
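The advisory's recommendation to sanitize a HAR file before sharing it can be automated. The following is an added example, not Okta's own tooling: it walks the HAR 1.2 structure and redacts cookies, credential-bearing headers, token-like parameters and bodies. The header list and the "token-like" name hints are assumptions, and the sample HAR is constructed with made-up values.

```python
import json
from copy import deepcopy

# Constructed sample (abridged HAR 1.2 shape); cookie and token values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=EXAMPLE_SESSION_ID"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "EXAMPLE_SESSION_ID"}],
                "queryString": [{"name": "sessionToken", "value": "EXAMPLE_TOKEN"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=NEW_ID; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "NEW_ID"}],
                 "content": {"mimeType": "application/json",
                             "text": "{\"sessionToken\":\"EXAMPLE_TOKEN\"}"}}}]}}

# Assumed lists: headers treated as credentials, and substrings that mark a
# parameter name or body as token-bearing. Neither comes from the advisory.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
TOKEN_HINTS = ("token", "session", "password", "secret")
REDACTED = "[REDACTED]"

def _looks_sensitive(text):
    return any(hint in text.lower() for hint in TOKEN_HINTS)

def sanitize_har(har):
    """Return a deep copy of a parsed HAR with cookies, credential headers,
    token-like parameters and token-bearing bodies redacted on both sides."""
    har = deepcopy(har)  # never mutate the caller's original
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in msg.get("cookies", []):  # every cookie value, regardless of name
                c["value"] = REDACTED
            params = msg.get("queryString", []) + msg.get("postData", {}).get("params", [])
            for p in params:
                if _looks_sensitive(p.get("name", "")):
                    p["value"] = REDACTED
            # Bodies are dropped whole only when they mention a token-like key,
            # so ordinary troubleshooting content survives.
            for body in (msg.get("postData"), msg.get("content")):
                if body and _looks_sensitive(body.get("text", "")):
                    body["text"] = REDACTED
    return har

def sanitize_har_text(text):
    """Sanitize a HAR document given as JSON text; returns JSON text."""
    return json.dumps(sanitize_har(json.loads(text)), indent=1)

if __name__ == "__main__":
    print(sanitize_har_text(json.dumps(SAMPLE_HAR)))
```

Run the sanitized output through a search for known cookie names before uploading; the heuristics above are deliberately conservative and will not catch tokens under unexpected names.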
Bradbury said the compromised Okta support case management system is separate from the production Okta service, which was not impacted and remains fully operational. He said the Auth0/CIC case management system was also not impacted by this incident.
Okta released a list of suspicious IP addresses (the majority are commercial VPN nodes) and recommended that customers search System Logs for any given suspicious session, user or IP.
In a separate alert, security firm BeyondTrust said it was a target of a cyberattack linked to this Okta support system breach.
"The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta's support system. Custom policy controls blocked the attacker's initial activity, but limitations in Okta's security model allowed them to perform a few confined actions," BeyondTrust said.
Okta has found itself in the crosshairs of several hacking groups that target its infrastructure to break into third-party organizations.
Just last month, Okta said a sophisticated hacking group targeted IT service desk personnel in an effort to convince them to reset multi-factor authentication (MFA) for high-privilege users within the targeted organization.
In that attack, Okta said hackers used novel lateral movement and defense evasion techniques, but it has not shared any information on the threat actor itself or its ultimate objective. It is unclear whether it is related, but last year many Okta customers were targeted as part of a financially motivated cybercrime campaign named 0ktapus.