THE THREAT
On October 20th, 2023, Okta Security identified that a threat actor had utilized a set of stolen credentials to gain unauthorized access to their support case management system. The adversary was able to view files uploaded by certain Okta customers for recent support cases. It's important to note that this system is distinct from Okta's main production service, which remains unaffected. Additionally, the Auth0/Customer Identity Cloud (CIC) case management system is not involved in this breach.
During standard troubleshooting procedures, Okta support may request customers to provide an HTTP Archive (HAR) file. These files can sometimes contain sensitive data, such as cookies and session tokens, which attackers can exploit to impersonate legitimate users. While Okta has been proactive in assisting affected customers and has taken measures, like revoking embedded session tokens, they recommend that all credentials and cookies/session tokens within HAR files should be sanitized before sharing.
In addition, attacks in the wild have been reported publicly. One of which was 1Password, a trusted password management platform utilized by over 100,000 businesses, which disclosed that hackers had breached their system through their Okta ID management tenant.
What we’re doing about it
- eSentire was not notified by Okta as an impacted customer.
- The eSentire Threat Response Unit (TRU) has performed network sweeps and notified any impacted MDR for Network customers.
- eSentire has existing MDR for Log detections in place to detect abnormal Okta abuse. Additionally, TRU is actively tracking this event for additional details and detection opportunities where applicable data is present.
- ESentire's TRU has performed threat hunts related to the disclosed information in the recent notice provided by Okta.
- eSentire's CISO team has verified account controls and validated with our critical vendors, across our Third-Party Risk Management process, that they are also taking necessary steps to ensure their security.
- Our Threat Intelligence team is actively monitoring reports, regarding the incident, for further developments and detection opportunities.
What you should do about it
- After performing a business impact review, apply the relevant security mitigations provided by Okta, if their support center contacts you.
- Regularly monitor your environment for the provided Indicators of Compromise (please see list below).
- Be vigilant and monitor for any suspicious activities or unauthorized access attempts.
Additional information
The threat actor targeted Okta's support case management system, which is separate from the primary Okta service. HAR files, uploaded by customers for troubleshooting, can contain sensitive information, emphasizing the importance of sanitizing such files before sharing.
The indicators provided are primarily commercial VPN nodes. We recommend organizations check their logs for any interaction with the IPs and user agents provided below, especially if they seem out of place or infrequent in your environment.
Impacted System:
Okta Support Case Management System
Indicators of Compromise:
23.105.182[.]19 | IP |
104.251.211[.]122 | IP |
202.59.10[.]100 | IP |
162.210194[.]35 | IP |
198.16.66[.]124 | IP |
198.16.66[.]156 | IP |
198.16.70[.]28 | IP |
198.16.74[.]203 | IP |
198.16.74[.]204 | IP |
198.16.74[.]205 | IP |
198.98.49[.]203 | IP |
2.56.164[.]52 | IP |
207.244.71[.]82 | IP |
207.244.71[.]84 | IP |
207.244.89[.]161 | IP |
207.244.89[.]162 | IP |
23.106.249[.]52 | IP |
23.106.56[.]11 | IP |
23.106.56[.]21
23.106.56[.]36 | IP
IP |
23.106.56[.]37 | IP |
23.106.56[.]38 | IP |
23.106.56[.]54 | IP |
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) | User-Agent |
Chrome/99.0.7113.93 Safari/537.36 | User-Agent |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 | User-Agent |
Chrome/99.0.4844.83 Safari/537.36 | User-Agent |
References:
[1] https://sec.okta.com/harfiles
[2] https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
[3] https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
