October 2023 Okta Compromise Guidance


In light of the October 2023 Okta support system compromise, Crosswire sent the following security advisory to our customers. To assist the community in recovering from the incident, we are sharing the advisory below.
Security Advisory — October 20th, 2023
What happened?
In September 2023, a threat actor gained access to Okta's support case management system and retrieved HAR (HTTP Archive) files that customers had uploaded while troubleshooting support cases. A HAR file is a browser recording of HTTP requests and responses, so an unsanitized file contains session cookies, bearer tokens, API keys, and other long-lived credentials.
Using credentials harvested from those files, the threat actor accessed a small number of customer Okta tenants. The actor employed standard detection evasion techniques, including the use of commercial anonymizing proxies, so the source addresses in your logs will not obviously look hostile.
Once inside an Okta tenant, the threat actor impersonated users, exported sensitive information, and established long-term persistence. Okta was informed of suspicious activity on October 2nd and publicly disclosed the compromise and its remediation on October 20th.
Our research team is continuously monitoring publicly available and private intelligence information for additional TTPs and IoCs. If we detect matches on any additional TTPs or IoCs related to this threat actor, you will receive a critical alert in Crosswire.
What can you do?
You (or someone with Okta super admin access) should perform the following actions today.
If you have an active Crosswire threat detection configuration, the configuration changes listed below are already under continuous monitoring; you will still want to review the findings from that monitoring for the incident window.
- Review inbound federation (third-party IdP) configurations. Confirm that each IdP is one you recognize, that SAML signing certificates are unchanged (compare fingerprints against your own records, not against the value shown in the console), that OIDC JWKS endpoints point where they should, and that Just-In-Time (JIT) user creation settings are unmodified. An attacker-added IdP is a durable backdoor that survives password resets.
- Review IdP routing rules. Confirm there are no changes to the user or group inclusion criteria, IP ranges (network zones), or device platforms that decide which IdP a login is routed to.
- Check for new account creations performed via the Admin API or the Admin Console. For every account created in the window, confirm there is change management documentation that explains it.
- Check for newly issued API tokens, for both existing accounts and new accounts. A token issued outside your change process should be revoked, not just investigated.
- Check delegated authentication settings. If you do not use an on-premises Active Directory or LDAP server, delegated authentication should be off; if it is on and you did not enable it, treat that as a finding.
- Check your System Log for Okta support impersonation events. The event type is user.session.impersonation.initiate. Okta support can only start an impersonation session after an admin has explicitly granted access, so any session you did not authorize is a red flag.
- Check your System Log for any access from the IoC IP addresses listed at the end of this notice.
If you find any irregularities, immediately reset all Okta admin credentials, rotate API tokens issued during the window, terminate all active sessions, and reach out to your Crosswire security team.
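The checklist above can be worked through mechanically against an export of your Okta System Log. The script below is an added example written for this advisory, not Crosswire's or Okta's own tooling. It assumes the events use the Okta System Log JSON shape (eventType, published, actor, client.ipAddress, outcome, target), and that the event type names other than user.session.impersonation.initiate, which the advisory cites, match Okta's public event catalog; confirm them against your own tenant before relying on them. The SAMPLE_EVENTS at the bottom are constructed for the example, not real log data.

```python
"""
Triage Okta System Log events against the October 2023 checklist:
support impersonation, IdP/routing changes, new accounts, new API
tokens, admin grants, and any traffic from the advisory's IoC IPs.
"""
import json
from collections import Counter

# IoC IP addresses from the advisory.
IOC_IPS = {
    "23.105.182.19", "104.251.211.122", "202.59.10.100", "162.210.194.35",
    "198.16.66.124", "198.16.66.156", "198.16.70.28", "198.16.74.203",
    "198.16.74.204", "198.16.74.205", "198.98.49.203", "2.56.164.52",
    "207.244.71.82", "207.244.71.84", "207.244.89.161", "207.244.89.162",
    "23.106.249.52", "23.106.56.11", "23.106.56.21", "23.106.56.36",
    "23.106.56.37", "23.106.56.38", "23.106.56.54",
}

# Checklist item -> System Log event types that evidence it.
# Only user.session.impersonation.initiate is named in the advisory;
# the rest are assumed from Okta's event catalog (verify on your tenant).
WATCHED_EVENT_TYPES = {
    "support_impersonation": {
        "user.session.impersonation.initiate",
        "user.session.impersonation.grant",
    },
    "idp_config_change": {
        "system.idp.lifecycle.create",
        "system.idp.lifecycle.update",
    },
    "policy_rule_change": {"policy.rule.create", "policy.rule.update"},
    "new_account": {"user.lifecycle.create"},
    "new_api_token": {"system.api_token.create"},
    "admin_privilege_grant": {"user.account.privilege.grant"},
}


def build_log_filter(event_types):
    """Build the SCIM-style filter accepted by GET /api/v1/logs?filter=..."""
    return " or ".join(f'eventType eq "{t}"' for t in sorted(event_types))


def all_watched_types():
    return set().union(*WATCHED_EVENT_TYPES.values())


def load_events(fp):
    """Load a JSON array of events as returned by /api/v1/logs."""
    return json.load(fp)


def triage(events, ioc_ips=IOC_IPS):
    """Return one finding per (event, checklist item) hit, plus IoC IP hits."""
    findings = []
    for ev in events:
        etype = ev.get("eventType", "")
        actor = (ev.get("actor") or {}).get("alternateId", "?")
        ip = (ev.get("client") or {}).get("ipAddress")
        base = {"eventType": etype, "actor": actor, "ip": ip,
                "published": ev.get("published"),
                "outcome": (ev.get("outcome") or {}).get("result")}
        for category, types in WATCHED_EVENT_TYPES.items():
            if etype in types:
                findings.append({"category": category, **base})
        # Any event from an IoC address is a hit, regardless of type.
        if ip in ioc_ips:
            findings.append({"category": "ioc_ip_match", **base})
    return findings


def summarize(findings):
    """Count findings per checklist category."""
    return dict(Counter(f["category"] for f in findings))


# Constructed sample events (not real log data). Non-IoC addresses use
# RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"eventType": "user.session.impersonation.initiate",
     "published": "2023-10-05T11:02:14.000Z",
     "actor": {"type": "User", "alternateId": "support@okta.example"},
     "client": {"ipAddress": "23.106.56.11"},
     "outcome": {"result": "SUCCESS"}, "target": []},
    {"eventType": "system.api_token.create",
     "published": "2023-10-06T09:15:00.000Z",
     "actor": {"type": "User", "alternateId": "admin@corp.example"},
     "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "SUCCESS"}, "target": []},
    {"eventType": "user.session.start",
     "published": "2023-10-06T09:20:31.000Z",
     "actor": {"type": "User", "alternateId": "alice@corp.example"},
     "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "SUCCESS"}, "target": []},
    {"eventType": "system.idp.lifecycle.create",
     "published": "2023-10-07T02:44:09.000Z",
     "actor": {"type": "User", "alternateId": "admin@corp.example"},
     "client": {"ipAddress": "198.16.74.203"},
     "outcome": {"result": "SUCCESS"}, "target": []},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['category']:22} {h['published']} {h['actor']} {h['ip']} {h['eventType']}")
    print(summarize(hits))
    print("filter=" + build_log_filter(all_watched_types()))
```

To run this against real data, pull the window from the System Log API, for example GET https://{yourOktaDomain}/api/v1/logs?since=2023-09-01T00:00:00Z with an Authorization: SSWS <api-token> header, optionally narrowing with the filter string that build_log_filter() produces, save the returned JSON array to a file, and pass it through load_events() and triage(). Note that the IoC match is deliberately applied to every event type, not just the watched ones: a plain user.session.start from one of those addresses is exactly the kind of low-noise access the actor's proxy usage was meant to hide.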
We are here to help. Please connect with your Crosswire representative if you need additional support on responding to this incident.
Okta October 2023 Indicators of Compromise (IoCs), IP addresses observed in the threat actor's access:
23.105.182.19
104.251.211.122
202.59.10.100
162.210.194.35
198.16.66.124
198.16.66.156
198.16.70.28
198.16.74.203
198.16.74.204
198.16.74.205
198.98.49.203
2.56.164.52
207.244.71.82
207.244.71.84
207.244.89.161
207.244.89.162
23.106.249.52
23.106.56.11
23.106.56.21
23.106.56.36
23.106.56.37
23.106.56.38
23.106.56.54