October 2023 Okta Compromise Guidance
In light of October 2023 Okta support compromise, Crosswire sent the following security advisory to our customers. To assist the community in recovering from the incident, we are sharing the advisory below.
Security Advisory — October 20th, 2023
In early September, an unknown threat actor group compromised Okta support system and continuously streamed HAR files (intercepts of HTTP requests) submitted by customers to the attacker. These files included API keys, Bearer tokens, and other long-term credentials.
Attackers harvested these credentials and accessed select sensitive customer accounts. The threat actors employed standard detection evasion techniques, including the usage of commercial proxies.
Once inside Okta environments, the threat actors impersonated users, exported sensitive information, and established long-term persistence. Okta was informed of this compromise on October 2nd and remedial steps were publicly taken on October 20th.
Our research team is continuously monitoring publicly available and private intelligence information for additional TTPs and IoCs. If we detect matches on any additional TTPs or IoCs related to this threat actor, you will receive a critical alert in Crosswire.
What can you do?
You (or someone with Okta super admin access) should perform the following actions today.
If you have an active Crosswire threat detection configuration, rest assured that you are protected — we have continuous monitoring in-place for these configuration changes.
- Check for third-party IdP federation configurations. Ensure each IdP is recognized, SAML certificates are intact (verify fingerprints), JWKS endpoint is correct, and user JIT creation settings are unmodified.
- Check for third-party IdP routing configurations. Ensure there is no modification to user inclusion groups, IP ranges, or device platforms.
- Check for any new account creations performed via Admin API or Console. If any new account is created, ensure there is proper change management documentation associated with them.
- Check for new API key issuance for both existing accounts and new accounts.
- Check delegated authentication settings. If you are not using on-premise Active Directory or LDAP server, this should remain off.
- Check for Okta support impersonation events in your event log. The event name is user.session.impersonation.initiate.
- Check for access from any of the following IoCs attached to this notice.
If there is any irregularities, we recommend immediately resetting all of your Okta admin credentials, terminate active sessions, and reach out to your Crosswire security team.
We are here to help. Please connect with your Crosswire representative if you need additional support on responding to this incident.
Okta October 2023 Indicator of Compromise (IoCs):
More from our blog
A comprehensive timeline and breakdown of the October 2023 Okta Support Case Management System breach.
The term Identity Threat Detection and Response (ITDR) has gained significant popularity this year, but what is ITDR, actually?
CISOs Chris Castaldo and Tanner Randolph share insights on security maturity and identity in the enterprise.
Whether this is your 1st or 21st time at Black Hat, these tips can help you weather a jam-packed and intense week.
False positives are a huge problem in security: see what Crosswire is doing to prevent them and mitigate their effects.
We've made the modern identity stack entirely too convoluted and broken, but not for the reasons you think.
How are you protecting your accounts before an incident can occur (or slowing an incident down before it really ramps up)?
This is Solution 2: Remediate of a two-part series on how to detect and remediate evolving identity threats.
This is Solution 1: Detect of a two-part series on how to detect and remediate evolving identity threats.
Explore the historical use, modern approaches, and future applications of AI in detection and response (D&R).
If you’re looking for the right time to join a high-risk, high-reward venture, we’d argue that there’s never been a better opportunity.
IT security audits can be a pain for everyone involved: check out our solutions to make this auditing season just a little bit easier.
RBAC lacks sophistication and flexibility, failing to address the access needs of the modern company.
Who owns identity at your org? Identity is (and should be treated as) a co-owned problem between security and IT.
Yep, you heard that right; we at Crosswire believe that your Okta groups should be as empty as possible.
Crosswire, and its co-founders Johnny and Nick, are building the future of enterprise identity in new and exciting ways.
The theme for 2023’s RSA Conference™ is “Stronger Together.” When info security is more important than ever, so is collaboration.
It’s no secret that your IT organization is crucial to your company. But are they getting all of the resources they need?
Why cybersecurity is more crucial than ever and what you can do to make your organization more secure, no matter your role.
Five significant ways to improve your workflows with automation and get more results than your resources permit.
Crosswire’s technical usability guide to Okta Lifecycle Management (LCM), from onboarding to offboarding.
Subscribe to our blog
Get Crosswire's security insights delivered straight to your inbox. No frills, no spams, unsubscribe anytime!