Breaking Down the October 2023 Okta Breach

Last Friday, October 20th, Okta publicly announced that their support case management system (separate from the main Okta service) had been breached. But when did this breach actually start?
Timeline of Breach and Announcement
In early September, an unidentified threat actor gained access to Okta’s support case management system and began continuously exfiltrating HAR files (recordings of customers' browser HTTP traffic, uploaded to Okta support for troubleshooting). These files contained sensitive information in plain text, such as API keys, bearer tokens, and other long-term credentials.
In Okta’s breach announcement, Okta’s Chief Security Officer (CSO), David Bradbury, explained that “within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”
Once attackers had harvested these credentials and accessed select sensitive customer accounts, they impersonated users, exported sensitive information, and established long-term persistence by employing standard detection evasion techniques like the use of commercial proxies.
On September 29, 2023, 1Password discovered suspicious activity on their Okta instance used to manage employee-facing apps. They then started collaborating with Okta to identify the initial vector of compromise, which was later confirmed to be the Okta Support System breach.
On October 2, 2023, the security team at BeyondTrust recorded an unauthorized login attempt to an internal Okta administrator account using a stolen cookie from Okta's support system. According to BeyondTrust, the timeline of events is as follows:
- October 2, 2023 – Detected and remediated identity centric attack on an in-house Okta administrator account and alerted Okta
- October 3, 2023 – Asked Okta support to escalate to Okta security team given initial forensics pointing to a compromise within Okta support organization
- October 11, 2023 and October 13, 2023 – Held Zoom sessions with Okta security team to explain why [BeyondTrust] believed they might be compromised
- October 19, 2023 – Okta security leadership confirmed they had an internal breach, and BeyondTrust was one of their affected customers.
Aftermath and How to Secure Your Organization
In the week following Okta’s public announcement of the compromise, multiple security enterprises, including Cloudflare and 1Password, reported malicious activity in their environments linked to the breach. Okta has noted that “all customers who were impacted by this have been notified” and that, in the future, they “recommend sanitizing all credentials and cookies/session tokens within a HAR file before sharing it” (for example, with the HAR sanitizer tool Cloudflare created in response to this breach).
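The sanitizing step Okta now recommends is straightforward to automate. The script below is an added example written for this post, not Okta's or Cloudflare's tool: it walks the standard HAR 1.2 JSON layout (`log.entries[].request` and `.response`, each with `headers`, `cookies`, `queryString`, `postData.text` and `content.text`), redacts credential-bearing headers, every cookie value, token-like query parameters, and JWT- or `Bearer`-shaped strings inside bodies. The header and parameter names it treats as sensitive, and the sample HAR it processes, are assumptions constructed for the example.

```python
"""Redact credentials from an HTTP Archive (HAR) file before sharing it with a vendor.

Added example; follows the HAR 1.2 JSON layout. SAMPLE_HAR below is constructed.
"""
import copy
import json
import re

REDACTED = "[REDACTED]"

# Header names (lower-case) that carry credentials or session material (assumed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Query-string parameter names that commonly carry tokens (assumed list).
SENSITIVE_QUERY_PARAMS = {"token", "access_token", "id_token", "code", "session", "sessiontoken"}
# JWT-shaped strings (three base64url segments, header starting with {"alg")
# and "Bearer <token>" strings anywhere in a request or response body.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+")


def _redact_pairs(pairs, sensitive_names):
    """Redact the value of every {name, value} record whose name is sensitive."""
    count = 0
    for item in pairs or []:
        if str(item.get("name", "")).lower() in sensitive_names and item.get("value") != REDACTED:
            item["value"] = REDACTED
            count += 1
    return count


def _redact_cookies(cookies):
    """Cookie values are always session material, so redact all of them."""
    count = 0
    for cookie in cookies or []:
        if "value" in cookie:
            cookie["value"] = REDACTED
            count += 1
    return count


def _scrub_text(text):
    """Replace token-shaped substrings in a body; returns (new_text, replacements)."""
    text, n_jwt = JWT_RE.subn(REDACTED, text)
    text, n_bearer = BEARER_RE.subn("Bearer " + REDACTED, text)
    return text, n_jwt + n_bearer


def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions). The input dict is not modified."""
    har = copy.deepcopy(har)
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        total += _redact_pairs(req.get("headers"), SENSITIVE_HEADERS)
        total += _redact_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        total += _redact_pairs(req.get("queryString"), SENSITIVE_QUERY_PARAMS)
        total += _redact_cookies(req.get("cookies"))
        total += _redact_cookies(resp.get("cookies"))
        for holder in (req.get("postData"), resp.get("content")):
            if holder and isinstance(holder.get("text"), str):
                holder["text"], n = _scrub_text(holder["text"])
                total += n
    return har, total


def sanitize_har_file(src_path, dst_path):
    """Read a HAR file, write a redacted copy, return the redaction count."""
    with open(src_path, encoding="utf-8") as fh:
        clean, count = sanitize_har(json.load(fh))
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(clean, fh, indent=2)
    return count


# Constructed sample: one captured request to an Okta tenant, with tokens in every usual place.
_JWT = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl"  # constructed, not a real token
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://example.okta.com/api/v1/sessions",
        "headers": [{"name": "Authorization", "value": "Bearer constructed-api-token"},
                    {"name": "Cookie", "value": "sid=constructed-session-id"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "constructed-session-id"}],
        "queryString": [{"name": "token", "value": "constructed-one-time-token"}],
        "postData": {"mimeType": "application/json", "text": '{"sessionToken": "%s"}' % _JWT},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-new-id; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "constructed-new-id"}],
        "content": {"mimeType": "application/json", "text": '{"id": "x", "token": "%s"}' % _JWT},
    },
}]}}

if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"{count} redactions")
    print(json.dumps(clean, indent=2))
```

Run it against a real capture with `sanitize_har_file("support-case.har", "support-case.redacted.har")` and review the output before uploading; the redaction count is a useful sanity check, since a count of zero on a capture of an authenticated session usually means the tokens were in a header or parameter name the lists above do not cover.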
In addition to this advice, Okta also posted the following Indicators of Compromise (IOCs):
IP Addresses
23.105.182.19
104.251.211.122
202.59.10.100
162.210.194.35
198.16.66.124
198.16.66.156
198.16.70.28
198.16.74.203
198.16.74.204
198.16.74.205
198.98.49.203
2.56.164.52
207.244.71.82
207.244.71.84
207.244.89.161
207.244.89.162
23.106.249.52
23.106.56.11
23.106.56.21
23.106.56.36
23.106.56.37
23.106.56.38
23.106.56.54
User-Agents
While the following user-agents are legitimate, they may be rare in your environment given the release of Chrome 99 in March 2022:
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)
Crosswire Context: This is not the first time Okta has been breached in recent years. In January 2022, the LAPSUS$ data extortion group gained access to Okta's administrative consoles and compromised approximately 2.5% of Okta’s customer data. In August 2022, the Scatter Swine threat group breached 163 Twilio customers, including Okta. Scatter Swine was then able to steal one-time passwords (OTPs) sent to Okta customers via SMS and take over various Okta customer accounts.

If you have an active Crosswire threat detection configuration, rest assured that you are protected — we have continuous monitoring in place for these configuration changes.
If you do not, you (or someone with Okta super admin access) should perform the following checks today (as we reported in our October 20th Security Advisory):
- Check for access events from any of the IOCs listed above.
- Check for any third-party IdP federation configurations and ensure that each IdP is recognized, SAML certificates are intact (i.e., verify fingerprints), JWKS endpoint is correct, and that user JIT creation settings are unmodified.
- Check your third-party IdP routing configurations and ensure that there haven’t been any modifications to user inclusion groups, IP ranges, or device platforms.
- Check for any new account creations performed via Admin API or Console. If you discover a new account, ensure that there’s proper change management documentation associated with it.
- Check for any new API key issuance for both existing and new accounts.
- Check your “Delegated Authentication” settings. If you are not using an on-premise Active Directory or LDAP server, this should remain off.
- Check for Okta support impersonation events in your event log. The event name is: user.session.impersonation.initiate.
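The first and last items of this checklist (matching access events against the published IOCs, and finding `user.session.impersonation.initiate` events) can be run over an export of your Okta System Log. The script below is an added example written for this post, not Okta's or Crosswire's code. It assumes the field names of the Okta System Log JSON schema (`eventType`, `published`, `actor.alternateId`, `client.ipAddress`, `client.userAgent.rawUserAgent`); the IP addresses, user-agents and event type come from the advisory above, and the sample events it runs on are constructed.

```python
"""Triage exported Okta System Log events against the October 2023 Okta IOCs.

Added example. Field names follow the Okta System Log JSON schema (assumed);
SAMPLE_EVENTS are constructed.
"""
import json

# IP addresses from Okta's published IOC list.
IOC_IPS = frozenset("""
23.105.182.19 104.251.211.122 202.59.10.100 162.210.194.35 198.16.66.124
198.16.66.156 198.16.70.28 198.16.74.203 198.16.74.204 198.16.74.205
198.98.49.203 2.56.164.52 207.244.71.82 207.244.71.84 207.244.89.161
207.244.89.162 23.106.249.52 23.106.56.11 23.106.56.21 23.106.56.36
23.106.56.37 23.106.56.38 23.106.56.54
""".split())

# Legitimate but outdated Chrome 99 user-agents from the IOC list; a hit is a weak signal on its own.
IOC_USER_AGENTS = frozenset({
    "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36",
})

# Okta support impersonation event named in the checklist; every occurrence deserves review.
SUSPECT_EVENT_TYPES = frozenset({"user.session.impersonation.initiate"})


def event_indicators(event):
    """Return the list of IOC reasons an event matches (empty list means no match)."""
    reasons = []
    client = event.get("client") or {}
    ip = client.get("ipAddress")
    if ip in IOC_IPS:
        reasons.append(f"ioc_ip:{ip}")
    ua = (client.get("userAgent") or {}).get("rawUserAgent")
    if ua in IOC_USER_AGENTS:
        reasons.append("ioc_user_agent:chrome99")
    event_type = event.get("eventType")
    if event_type in SUSPECT_EVENT_TYPES:
        reasons.append(f"event_type:{event_type}")
    return reasons


def triage(events):
    """Return one finding per matching event, oldest first (ISO timestamps sort lexically)."""
    findings = []
    for ev in events:
        reasons = event_indicators(ev)
        if reasons:
            findings.append({
                "published": ev.get("published"),
                "actor": (ev.get("actor") or {}).get("alternateId"),
                "eventType": ev.get("eventType"),
                "ip": (ev.get("client") or {}).get("ipAddress"),
                "reasons": reasons,
            })
    findings.sort(key=lambda f: f["published"] or "")
    return findings


def load_events(path):
    """Load a System Log export saved as either a JSON array or newline-delimited JSON."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read().strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events; 203.0.113.0/24 is a documentation range, not an IOC.
_CHROME99_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36"
_CURRENT_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
SAMPLE_EVENTS = [
    {"published": "2023-10-02T09:12:44.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "okta-admin@example.com"},
     "client": {"ipAddress": "198.16.74.203", "userAgent": {"rawUserAgent": _CURRENT_UA}}},
    {"published": "2023-10-02T09:15:03.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "okta-admin@example.com"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": _CHROME99_MAC}}},
    {"published": "2023-09-28T16:40:19.000Z", "eventType": "user.session.impersonation.initiate",
     "actor": {"alternateId": "okta-admin@example.com"},
     "client": {"ipAddress": "203.0.113.11", "userAgent": {"rawUserAgent": _CURRENT_UA}}},
    {"published": "2023-10-02T10:00:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "analyst@example.com"},
     "client": {"ipAddress": "203.0.113.12", "userAgent": {"rawUserAgent": _CURRENT_UA}}},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Feed `triage(load_events("system-log-export.json"))` an export covering at least early September onward, since the advisory places the start of the intrusion there, well before the October announcement. An IP match is high-confidence; a user-agent match is only a prompt to look at the surrounding session, and an impersonation event should be reconciled against the support cases you actually opened.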
If there are any irregularities, we recommend immediately resetting all of your Okta admin credentials, terminating active sessions, and reaching out to your Crosswire security team for further guidance if you are a Crosswire customer.
Our research team is continuously monitoring publicly available and private intelligence information for additional TTPs and IOCs. If we detect any TTPs/IoCs related to this threat actor in your environment, you will receive a critical alert within Crosswire.
This breach is an unfortunate reminder that IdPs are IT, not security, tools; the security measures built into IdPs have proven to be insufficient for some time now. To effectively safeguard your organization against identity threats, you need solutions (like ITDR) that have multiple systems in place to notify you of IOCs of this kind within your org in under an hour.
We are here to help. Please connect with your Crosswire representative if you need additional support in responding to this incident and stay up to date on the latest security news by subscribing to our blog below.