Breaking Down the October 2023 Okta Breach

Hannah Young
October 26, 2023
7 min read

Last Friday, October 20th, Okta publicly announced that their support case management system (separate from the main Okta service) had been breached. But when did this breach actually start?

Timeline of Breach and Announcement

In early September, an unidentified threat actor gained access to Okta’s support system and began continuously exfiltrating HAR files (recordings of customers’ browser HTTP traffic) that customers had uploaded for troubleshooting. These files contained sensitive information in plain text, such as API keys, bearer tokens, and other long-lived credentials.

In Okta’s breach announcement, Okta’s Chief Security Officer (CSO), David Bradbury, explained that “within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”

Once attackers had harvested these credentials and accessed select sensitive customer accounts, they impersonated users, exported sensitive information, and established long-term persistence by employing standard detection evasion techniques like the use of commercial proxies.

On September 29, 2023, 1Password discovered suspicious activity on their Okta instance used to manage employee-facing apps. They then started collaborating with Okta to identify the initial vector of compromise, which was later confirmed to be the Okta Support System breach.

On October 2, 2023, the security team at BeyondTrust recorded an unauthorized login attempt to an internal Okta administrator account using a stolen cookie from Okta's support system. According to BeyondTrust, the timeline of events is as follows:

  • October 2, 2023 – Detected and remediated identity-centric attack on an in-house Okta administrator account and alerted Okta
  • October 3, 2023 – Asked Okta support to escalate to Okta security team given initial forensics pointing to a compromise within Okta support organization
  • October 11, 2023 and October 13, 2023 – Held Zoom sessions with Okta security team to explain why [BeyondTrust] believed they might be compromised
  • October 19, 2023 – Okta security leadership confirmed they had an internal breach, and BeyondTrust was one of their affected customers.

Aftermath and How to Secure Your Organization

In the week following Okta’s public announcement of the compromise, multiple security companies, including Cloudflare and 1Password, reported malicious activity in their environments linked to the breach. Okta has noted that “all customers who were impacted by this have been notified” and that, in the future, they “recommend sanitizing all credentials and cookies/session tokens within a HAR file before sharing it” (for example with the HAR sanitizer tool Cloudflare created in response to this breach).
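As an added example (not the post’s own code, nor Okta’s or Cloudflare’s tool), the following Python sanitizer does what Okta recommends: it redacts credential-bearing headers, every cookie, token-like query parameters and JWT-shaped strings in bodies from a parsed HAR file before it is shared. The header and parameter name lists are assumptions to extend for your own apps, and the sample HAR is constructed.

```python
import re
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header and query-parameter names whose values carry credentials or tokens (assumed lists; extend them).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "code", "sessiontoken", "api_key"}
# JWT-shaped strings (three base64url segments, header starting with "eyJ") inside request/response bodies.
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")

def _redact_named(pairs, names):
    """Redact the value of every {name, value} pair whose name (case-insensitive) is in names."""
    return [dict(p, value=REDACTED) if p.get("name", "").lower() in names else p for p in pairs]

def _redact_url(url):
    """Redact sensitive query-string parameters while keeping the rest of the URL intact."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def _redact_text(block):
    """Scrub JWT-shaped tokens from a postData or content block's text, if present."""
    if block and isinstance(block.get("text"), str):
        block["text"] = JWT_RE.sub(REDACTED, block["text"])

def sanitize_har(har):
    """Return a sanitized copy of a parsed HAR 1.2 dict; the input object is left unmodified."""
    har = deepcopy(har)
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = _redact_url(req["url"])
        req["queryString"] = _redact_named(req.get("queryString", []), SENSITIVE_PARAMS)
        for msg in (req, resp):
            msg["headers"] = _redact_named(msg.get("headers", []), SENSITIVE_HEADERS)
            msg["cookies"] = [dict(c, value=REDACTED) for c in msg.get("cookies", [])]  # every cookie
        _redact_text(req.get("postData"))
        _redact_text(resp.get("content"))
    return har

# Constructed single-entry HAR (not a real capture) that exercises each redaction path.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://acme.example/api/v1/users?limit=5&token=s3cr3t",
                "queryString": [{"name": "limit", "value": "5"}, {"name": "token", "value": "s3cr3t"}],
                "headers": [{"name": "Authorization", "value": "SSWS 00constructedApiToken"},
                            {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "def456"}], "content": {"mimeType": "application/json",
                 "text": '{"sessionToken": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl"}'}}}]}}
```

Load a real capture with `json.load`, pass it through `sanitize_har`, and review the output before uploading it to any support case; a sanitizer only knows the names you told it about.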

In addition to this advice, Okta also posted the following Indicators of Compromise (IOCs):

IP Addresses


User-Agents

While the following user-agents are legitimate, they should be rare in your environment, since Chrome 99 was released in March 2022 and has been superseded by many releases since:

Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)

Crosswire Context: This is not the first time Okta has been breached in recent years. In January 2022, the LAPSUS$ data extortion group gained access to Okta’s administrative consoles and compromised approximately 2.5% of Okta’s customer data. In August 2022, the Scatter Swine threat group breached 163 Twilio customers, including Okta. Scatter Swine was then able to steal one-time passwords (OTPs) sent to Okta customers via SMS and take over various Okta customer accounts.


If you have an active Crosswire threat detection configuration, rest assured that you are protected — we have continuous monitoring in place for these configuration changes.

If you do not, you (or someone with Okta super admin access) should perform the following checks today (as we reported in our October 20th Security Advisory):

  • Check for access events from any of the IOCs listed above.
  • Check for any third-party IdP federation configurations and ensure that each IdP is recognized, SAML certificates are intact (i.e., verify fingerprints), the JWKS endpoint is correct, and that user JIT creation settings are unmodified.
  • Check your third-party IdP routing configurations and ensure that there haven’t been any modifications to user inclusion groups, IP ranges, or device platforms.
  • Check for any new account creations performed via Admin API or Console. If you discover a new account, ensure that there’s proper change management documentation associated with it.
  • Check for any new API key issuance for both existing and new accounts.
  • Check your “Delegated Authentication” settings. If you are not using an on-premise Active Directory or LDAP server, this should remain off.
  • Check for Okta support impersonation events in your event log. The event name is: user.session.impersonation.initiate.
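As an added example (not the post’s own tooling and not an Okta product), here is a Python triage pass over Okta System Log entries that applies several of the checks above in one sweep: source IPs against an IOC set, the stale Chrome 99 user-agents, support impersonation events, and new-account, API-token and IdP-change events. The IOC IPs are RFC 5737 placeholders to be replaced with the addresses from Okta’s advisory, and every event-type name other than user.session.impersonation.initiate is an assumption to verify against your tenant’s System Log.

```python
# Placeholder IOC IP set (RFC 5737 documentation addresses): replace with the IPs from Okta's advisory.
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
# The advisory's user-agents are legitimate but stale Chrome 99 builds; match on the version prefix.
STALE_UA_MARKER = "Chrome/99.0."
# Event types to review. Only the impersonation type comes from the guidance above; the other three are
# assumed Okta System Log event names for new accounts, new API tokens and IdP changes; verify them.
REVIEW_EVENTS = {
    "user.session.impersonation.initiate": "Okta support impersonation session started",
    "user.lifecycle.create": "new user account created",
    "system.api_token.create": "new API token issued",
    "system.idp.lifecycle.update": "third-party IdP configuration changed",
}

def triage(events):
    """Return (severity, reason, summary) findings for a list of System Log entries (dicts)."""
    findings = []
    for ev in events:
        client = ev.get("client") or {}
        ip = client.get("ipAddress", "")
        ua = (client.get("userAgent") or {}).get("rawUserAgent", "")
        etype = ev.get("eventType", "")
        summary = (f"{ev.get('published')} {etype} actor={(ev.get('actor') or {}).get('displayName')} "
                   f"ip={ip} result={(ev.get('outcome') or {}).get('result')}")
        if ip in IOC_IPS:
            findings.append(("critical", "source IP matches a published IOC", summary))
        if STALE_UA_MARKER in ua:
            findings.append(("medium", "stale Chrome 99 user-agent from the advisory", summary))
        if etype in REVIEW_EVENTS:
            sev = "high" if etype.startswith("user.session.impersonation") else "review"
            findings.append((sev, REVIEW_EVENTS[etype], summary))
    return findings

# Constructed entries in the System Log JSON shape (not real data). In practice, pull them with
# GET /api/v1/logs?since=<ISO8601> from the Okta System Log API and feed the decoded list to triage().
SAMPLE_EVENTS = [
    {"published": "2023-10-02T08:14:00.000Z", "eventType": "user.session.start",
     "actor": {"displayName": "okta-admin"}, "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent":
                "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36"}}},
    {"published": "2023-10-02T08:20:00.000Z", "eventType": "system.api_token.create",
     "actor": {"displayName": "okta-admin"}, "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "okta-sdk-python/2.9.0"}}},
    {"published": "2023-10-02T09:00:00.000Z", "eventType": "user.session.start",
     "actor": {"displayName": "jdoe"}, "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "192.0.2.44", "userAgent": {"rawUserAgent": "Mozilla/5.0 Chrome/118.0.0.0"}}},
]
```

On the constructed sample this yields four findings: two critical IOC hits, one stale user-agent, and one API-token creation to reconcile against change-management records.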

If there are any irregularities, we recommend immediately resetting all of your Okta admin credentials, terminating active sessions, and reaching out to your Crosswire security team for further guidance if you are a Crosswire customer.

Our research team is continuously monitoring publicly available and private intelligence for additional TTPs and IOCs. If we detect any TTPs or IOCs related to this threat actor in your environment, you will receive a critical alert within Crosswire.

This breach is an unfortunate reminder that IdPs are IT, not security, tools; the security measures built into IdPs have proven to be insufficient for some time now. To effectively safeguard your organization against identity threats, you need solutions (like ITDR) that have multiple systems in place to notify you of IOCs of this kind within your org in under an hour.

We are here to help. Please connect with your Crosswire representative if you need additional support in responding to this incident and stay up to date on the latest security news by subscribing to our blog below.
