Breaking Down the October 2023 Okta Breach
Last Friday, October 20th, Okta publicly announced that their support case management system (separate from the main Okta service) had been breached. But when did this breach actually start?
Timeline of Breach and Announcement
In early September, an unidentified threat actor gained access to Okta’s support system and began continuously exfiltrating HAR files (recordings of customers' HTTP requests) from it. These files contained sensitive information in plain text, such as API keys, bearer tokens, and other long-term credentials.
In Okta’s breach announcement, Okta’s Chief Security Officer (CSO), David Bradbury, explained that “within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”
Once attackers had harvested these credentials and accessed select sensitive customer accounts, they impersonated users, exported sensitive information, and established long-term persistence by employing standard detection evasion techniques like the use of commercial proxies.
On September 29, 2023, 1Password discovered suspicious activity on their Okta instance used to manage employee-facing apps. They then started collaborating with Okta to identify the initial vector of compromise, which was later confirmed to be the Okta Support System breach.
On October 2, 2023, the security team at BeyondTrust recorded an unauthorized login attempt to an internal Okta administrator account using a stolen cookie from Okta's support system. According to BeyondTrust, the timeline of events is as follows:
- October 2, 2023 – Detected and remediated identity centric attack on an in-house Okta administrator account and alerted Okta
- October 3, 2023 – Asked Okta support to escalate to Okta security team given initial forensics pointing to a compromise within Okta support organization
- October 11, 2023 and October 13, 2023 – Held Zoom sessions with Okta security team to explain why [BeyondTrust] believed they might be compromised
- October 19, 2023 – Okta security leadership confirmed they had an internal breach, and BeyondTrust was one of their affected customers.
Aftermath and How to Secure Your Organization
In the week following Okta’s public announcement of the compromise, multiple security enterprises, including Cloudflare and 1Password, reported malicious activity in their environments linked to the breach. Okta has noted that “all customers who were impacted by this have been notified” and that, in the future, they “recommend sanitizing all credentials and cookies/session tokens within a HAR file before sharing it” (for example, with the HAR sanitizer tool Cloudflare created in response to this breach).
In addition to this advice, Okta also posted the following Indicators of Compromise (IOCs):
While the following user-agents are legitimate, they may be rare in your environment given the release of Chrome 99 in March 2022:
- Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)
- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)
Crosswire Context: This is not the first time Okta has been breached in recent years. In January 2022, the LAPSUS$ data extortion group gained access to Okta's administrative consoles and compromised approximately 2.5% of Okta’s customer data. In August 2022, the Scatter Swine threat group breached 163 Twilio customers, including Okta. Scatter Swine was then able to steal one-time passwords (OTPs) sent to Okta customers via SMS and take over various Okta customer accounts.
If you have an active Crosswire threat detection configuration, rest assured that you are protected — we have continuous monitoring in place for these configuration changes.
If you do not, you (or someone with Okta super admin access) should perform the following checks today (as we reported in our October 20th Security Advisory):
- Check for access events from any of the IOCs listed above.
- Check for any third-party IdP federation configurations and ensure that each IdP is recognized, SAML certificates are intact (i.e., verify fingerprints), the JWKS endpoint is correct, and that user JIT creation settings are unmodified.
- Check your third-party IdP routing configurations and ensure that there haven’t been any modifications to user inclusion groups, IP ranges, or device platforms.
- Check for any new account creations performed via Admin API or Console. If you discover a new account, ensure that there’s proper change management documentation associated with it.
- Check for any new API key issuance for both existing and new accounts.
- Check your “Delegated Authentication” settings. If you are not using an on-premise Active Directory or LDAP server, this should remain off.
- Check for Okta support impersonation events in your event log. The event name is: user.session.impersonation.initiate.
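As an added example (not Okta's or Crosswire's code), the following Python triages a constructed set of Okta System Log events against the checks above: it flags the two IOC user-agents and the impersonation event named on this page, plus a handful of assumed event type names for IdP, API token and account changes that you should verify against your own System Log. The event field names (eventType, client.userAgent.rawUserAgent, actor.alternateId) follow the System Log API's JSON shape; the sample events are constructed, not real log data.

```python
# IOC user-agents published by Okta (copied from the advisory text above).
IOC_UA_WINDOWS = ("Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/99.0.7113.93 Safari/537.36")
IOC_UA_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36")
IOC_USER_AGENTS = {IOC_UA_WINDOWS, IOC_UA_MAC}
# Event types tied to the checklist. Only user.session.impersonation.initiate is named on the
# page; the others are assumed Okta System Log event type names, verify them in your own org.
WATCHED_EVENT_TYPES = {
    "user.session.impersonation.initiate": "Okta support impersonation session",
    "system.idp.lifecycle.create": "new third-party IdP added",
    "system.idp.lifecycle.update": "third-party IdP configuration changed",
    "system.api_token.create": "new API token issued",
    "user.lifecycle.create": "new account created",
}

def triage_events(events):
    """Return one finding per event that used an IOC user-agent or is a watched event type."""
    findings = []
    for ev in events:
        client = ev.get("client") or {}
        ua = (client.get("userAgent") or {}).get("rawUserAgent", "")
        reasons = []
        if ua in IOC_USER_AGENTS:
            reasons.append("IOC user-agent")
        label = WATCHED_EVENT_TYPES.get(ev.get("eventType"))
        if label:
            reasons.append(label)
        if reasons:  # keep only the fields an analyst needs to pivot on
            findings.append({"published": ev.get("published"), "eventType": ev.get("eventType"),
                             "actor": (ev.get("actor") or {}).get("alternateId"),
                             "ip": client.get("ipAddress"), "reasons": reasons})
    return findings

def sample_event(published, event_type, actor, ip, ua):
    """Constructed System Log event using the subset of the API's JSON shape read above."""
    return {"published": published, "eventType": event_type, "actor": {"alternateId": actor},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}}}

MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
SAMPLE_EVENTS = [  # constructed sample, not real log data
    sample_event("2023-10-02T13:58:40.000Z", "user.session.start", "alice@example.com", "198.51.100.7", MODERN_UA),
    sample_event("2023-10-02T14:05:11.000Z", "user.session.start", "okta-admin@example.com", "203.0.113.10", IOC_UA_WINDOWS),
    sample_event("2023-10-02T14:06:02.000Z", "user.session.impersonation.initiate", "okta-admin@example.com", "203.0.113.10", IOC_UA_WINDOWS),
    sample_event("2023-10-02T14:09:30.000Z", "system.api_token.create", "okta-admin@example.com", "203.0.113.10", IOC_UA_MAC),
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f["published"], f["eventType"], f["actor"], f["ip"], ", ".join(f["reasons"]))
```

To run it against a real export, replace SAMPLE_EVENTS with the parsed JSON array returned by the System Log API for your review window.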
If there are any irregularities, we recommend immediately resetting all of your Okta admin credentials, terminating active sessions, and reaching out to your Crosswire security team for further guidance if you are a Crosswire customer.
Our research team is continuously monitoring publicly available and private intelligence information for additional TTPs and IOCs. If we detect any TTPs/IOCs related to this threat actor in your environment, you will receive a critical alert within Crosswire.
This breach is an unfortunate reminder that IdPs are IT, not security, tools; the security measures built into IdPs have proven to be insufficient for some time now. To effectively safeguard your organization against identity threats, you need solutions (like ITDR) that have multiple systems in place to notify you of IOCs of this kind within your org in under an hour.
We are here to help. Please connect with your Crosswire representative if you need additional support in responding to this incident and stay up to date on the latest security news by subscribing to our blog below.