Attackers managed to breach identification and entry administration firm Okta’s assist system utilizing stolen credentials and extracted legitimate buyer session tokens from uploaded assist information, in line with a report by the agency.
The sturdy multifactor authentication (MFA) insurance policies enforced by one of many firm’s impacted clients allowed it to detect the unauthorized entry, block it, and report the breach to Okta.
“Throughout the course of regular enterprise, Okta assist will ask clients to add an HTTP Archive (HAR) file, which permits for troubleshooting of points by replicating browser exercise,” David Bradbury, Okta’s chief security officer, stated in a weblog submit. “HAR information also can include delicate information, together with cookies and session tokens, that malicious actors can use to impersonate legitimate customers.”
The incident was uncovered by security engineers from BeyondTrust, an identification and entry security options supplier, whose in-house Okta administrator account was hijacked. Coverage controls put in place by the corporate’s security staff blocked a suspicious authentication try from an IP deal with in Malaysia.
The attacker was prompted for MFA authentication
BeyondTrust’s coverage within the Okta surroundings was to solely permit entry to the Okta admin console from managed units on which had been put in Okta Confirm, a multifactor authentication software developed by Okta. Due to this coverage, the attacker was prompted for MFA authentication after they tried to entry the admin console, although the token they stole supplied them with a sound session.
“It is crucial for Okta clients to reinforce security insurance policies by settings similar to prompting admin customers for MFA at each sign-in,” the BeyondTrust security staff stated in an advisory. “Whereas this was inside an current session the attacker hijacked, Okta nonetheless views dashboard entry as a brand new sign-in and prompts for MFA.”
