Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop, exposing credentials that led to the theft of data from a number of Okta customers.
A brief post-mortem from Okta security chief David Bradbury said the internal lapse was the “most likely avenue” for the breach that ensnared many Okta customers, including cybersecurity firms BeyondTrust and Cloudflare.
“We can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers. Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” Bradbury said in a note that contains a detailed timeline of the incident.
He said the threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers.
Bradbury said the hackers leveraged a service account stored in the system itself that was granted permissions to view and update customer support cases.
“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account,” he said.
“The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”
Bradbury fessed up to a failure of internal controls to spot the breach. “For a period of 14 days, while actively investigating, Okta did not identify suspicious downloads in our logs. When a user opens and views files attached to a support case, a specific log event type and ID is generated tied to that file. If a user instead navigates directly to the Files tab in the customer support system, as the threat actor did in this attack, they will instead generate an entirely different log event with a different file ID.”
The Okta chief security officer said his team’s initial investigations focused on access to support cases and later made a major breakthrough after BeyondTrust shared a suspicious IP address attributed to the threat actor.
“With this indicator, we identified the additional file access events associated with the compromised account,” Bradbury explained.
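The detection gap Bradbury describes (two different log event types for the same file retrieval) and the IP-indicator pivot that closed it, shown as an added Python example that is not Okta's code: the event type names, field names and log records below are constructed placeholders, not Okta's real log schema.

```python
import json
from collections import Counter, defaultdict

# Constructed event type names (not Okta's schema): two distinct events that both
# mean "a file attached to a support case was retrieved". A detection keyed on
# only the first one never sees retrievals made through the Files tab.
FILE_ACCESS_EVENT_TYPES = {
    "support.case.attachment.view",   # file opened from inside a support case
    "support.files_tab.download",     # file fetched directly from the Files tab
}

# Constructed sample log (one JSON record per line).
SAMPLE_LOG = """
{"ts":"2023-10-02T09:00:00Z","event":"support.case.attachment.view","actor":"agent.alice","ip":"198.51.100.7","file":"att-1001"}
{"ts":"2023-10-02T09:05:00Z","event":"support.files_tab.download","actor":"svc-support-api","ip":"203.0.113.44","file":"att-1002"}
{"ts":"2023-10-03T11:20:00Z","event":"support.files_tab.download","actor":"svc-support-api","ip":"203.0.113.44","file":"att-1003"}
{"ts":"2023-10-03T11:21:00Z","event":"support.files_tab.download","actor":"svc-support-api","ip":"203.0.113.44","file":"att-1004"}
{"ts":"2023-10-04T08:00:00Z","event":"support.case.update","actor":"svc-support-api","ip":"203.0.113.44","case":"C-77"}
{"ts":"2023-10-04T08:30:00Z","event":"support.case.attachment.view","actor":"agent.bob","ip":"198.51.100.8","file":"att-1005"}
""".strip().splitlines()


def parse_log(lines):
    return [json.loads(line) for line in lines]


def downloads_per_actor(records, event_types=FILE_ACCESS_EVENT_TYPES):
    """Count file retrievals per account. Passing only the case-view event type
    reproduces the blind spot; the default covers both UI paths."""
    return Counter(r["actor"] for r in records if r["event"] in event_types)


def pivot_on_indicator(records, indicator_ips):
    """Given a suspicious IP indicator (as BeyondTrust supplied one), return every
    account seen from it and the files or cases it touched, regardless of event type."""
    hits = defaultdict(set)
    for r in records:
        if r.get("ip") in indicator_ips:
            hits[r["actor"]].add(r.get("file") or r.get("case"))
    return {actor: sorted(items) for actor, items in hits.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("case-view only:", downloads_per_actor(recs, {"support.case.attachment.view"}))
    print("both paths:   ", downloads_per_actor(recs))
    print("indicator hits:", pivot_on_indicator(recs, {"203.0.113.44"}))
```

Running it shows the service account absent from the narrow count, present with three downloads once both event types are normalized, and fully enumerated once the indicator IP is used as the pivot.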
Okta has found itself in the crosshairs of multiple hacking groups that target its infrastructure to break into third-party organizations.
In September, Okta said a sophisticated hacking group targeted IT service desk personnel in an effort to convince them to reset multi-factor authentication (MFA) for high-privilege users within the targeted organization.
In that attack, Okta said hackers used new lateral movement and defense evasion techniques, but it has not shared any information on the threat actor itself or its ultimate goal. It’s unclear if it’s related, but last year many Okta customers were targeted as part of a financially motivated cybercrime campaign named 0ktapus.