Okta at the center of the scandal: new details of the hack

Carding 4 Carders

Professional
Okta, which provides identity services such as multi-factor authentication and single sign-on to thousands of businesses, has experienced a security breach in its customer support system. According to KrebsOnSecurity, the incident affected a "very small number" of customers. However, it appears that the attackers had access to the Okta support platform for at least two weeks before the company fully contained the intrusion.

In an advisory sent to customers on October 19, Okta said it had detected adversarial activity in which stolen credentials were used to log in to the Okta support case management system. The attacker was able to view files uploaded by some Okta customers as part of recent support cases.

When Okta troubleshoots a problem with a customer, it often asks for a recording of the web browser session (an HTTP Archive, or HAR, file). These files are sensitive: they include cookies and session tokens that an attacker can replay to impersonate real users.

BeyondTrust, one of Okta's customers, received a notification from Okta. Marc Maiffret, chief technology officer of BeyondTrust, emphasized that the notification came more than two weeks after his company had alerted Okta to a possible problem.

In an interview with KrebsOnSecurity, Okta's deputy chief information security officer Charlotte Wylie said that the company initially believed that the warning from BeyondTrust on October 2 was not the result of a breach of its systems. By October 17, however, the company had identified and contained the incident.

The disclosure from Okta came shortly after the Caesars Entertainment and MGM Resorts casino operators were hacked. In both cases, the attackers were able to convince employees to reset multi-factor authentication for Okta administrator accounts.

In March 2022, Okta disclosed a security breach by the hacker group LAPSUS$. Wylie declined to answer questions about how long the intruder may have had access to the support system or who may have been behind the attack. However, she said that the company believes this is an adversary it has encountered before.

Okta published a post about the incident that includes indicators of compromise (IoCs) that customers can use to check whether they were affected. The company also stressed that "all affected customers have been notified."

BeyondTrust published a blog post about its findings.
 
Okta side effect: Is it worth worrying about the security of 1Password passwords?

Will the hack have consequences for an important Okta customer?

The popular password manager 1Password detected suspicious activity in its Okta instance related to the incident in Okta's customer support system. According to a 1Password representative, user data was not affected. 1Password uses Okta, a major identity and access management provider, to manage its employee-facing applications.

1Password said that it stopped the malicious activity, conducted an investigation and confirmed that "user data or other sensitive systems, including those for employees and for users, were not compromised."

The root cause was the breach of Okta's support system. In a public statement, Okta said that hackers used stolen credentials to access its customer support management system and were able to view files uploaded by certain customers as part of recent support cases.

Note that during the attack the intruders contacted Okta customer support, posing as real employees of the company. An employee of 1Password's IT department, at the request of Okta support, generated a HAR file with Chrome DevTools and uploaded it to the Okta support portal. The HAR file captured all traffic between the browser and Okta's servers, including sensitive data such as session cookies.
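
Both passages above (the HAR files Okta asks customers for, and the one 1Password's IT staff uploaded) describe the exposure; the script below is an added example, not code from Okta, 1Password or the original article, of what a customer can run on a HAR file before uploading it. It assumes the standard HAR 1.2 layout and that secrets sit in the Cookie / Set-Cookie / Authorization headers, the structured cookies arrays and request bodies; the sample HAR, hostname and values are constructed.

```python
"""Audit and redact the credential-bearing fields of a HAR file before it is shared.

Added example for this page; it is not code from Okta, 1Password or the article.
Assumptions: the file follows the standard HAR 1.2 layout (log.entries[] with
request/response objects), and secrets live in the Cookie / Set-Cookie /
Authorization headers, the structured cookies arrays and request bodies
(postData.text). Anything outside those slots, e.g. a token inside a URL or a
JSON response body, is NOT covered and needs a separate check.
"""
import copy
import json

# Header names (lower-cased) whose values are credentials or session material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

# Constructed sample: one authenticated API call and one login POST, modelled on
# what a DevTools HAR of an Okta tenant looks like. Hostname and values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                 "headers": [{"name": "Cookie", "value": "sid=s3cr3tSession; JSESSIONID=abc"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "s3cr3tSession"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=s3cr3tSession; Secure; HttpOnly"},
                              {"name": "Content-Type", "value": "application/json"}],
                  "cookies": [{"name": "sid", "value": "s3cr3tSession"}]}},
    {"request": {"method": "POST", "url": "https://example.okta.com/api/v1/authn",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "cookies": [],
                 "postData": {"mimeType": "application/json",
                              "text": '{"username":"it@example.com","password":"hunter2"}'}},
     "response": {"status": 200, "headers": [], "cookies": []}},
]}}


def _secret_slots(har):
    """Yield (entry_index, location, name, container, key) for every place in
    the HAR that may hold a secret. Assigning container[key] edits the HAR."""
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    yield i, f"{side}.headers", header.get("name"), header, "value"
            for cookie in msg.get("cookies", []):
                yield i, f"{side}.cookies", cookie.get("name", "?"), cookie, "value"
        post = entry.get("request", {}).get("postData")
        if post is not None:
            yield i, "request.postData", "text", post, "text"


def _holds_secret(container, key):
    return container.get(key) not in (None, "", REDACTED)


def audit_har(har):
    """List (entry_index, location, name) for each field that still carries a
    secret. An empty list means the file is clean under the assumptions above."""
    return [(i, loc, name) for i, loc, name, cont, key in _secret_slots(har)
            if _holds_secret(cont, key)]


def sanitize_har(har):
    """Return a deep copy with every audit finding redacted, plus the number of
    fields touched. The input dict is left unchanged."""
    clean = copy.deepcopy(har)
    count = 0
    for _, _, _, cont, key in _secret_slots(clean):
        if _holds_secret(cont, key):
            cont[key] = REDACTED
            count += 1
    return clean, count


if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print("secret in entry %d at %s (%s)" % finding)
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} fields; remaining findings: {audit_har(clean)}")
    print(json.dumps(clean["log"]["entries"][0]["request"]["headers"]))
```

Run it on the exported file before attaching it to a support case, and treat any HAR that was uploaded unredacted as a credential leak: sign out of the session that was recorded, which invalidates the session cookie server-side, rather than relying on the redaction alone. Tokens embedded in URLs or in response bodies are outside the slots this script redacts, so check for those separately.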

On September 29, the attacker used the same Okta session that had been recorded in the HAR file to get into the Okta admin portal and attempted the following actions:
  • tried to open the user dashboard of the IT department employee; the attempt was blocked by Okta;
  • updated the existing identity provider (IdP) associated with 1Password's corporate Google account;
  • activated that IdP;
  • requested a report of administrator users. This action generated an alert email to the IT department employee, which triggered an immediate response.
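
The action sequence above is what stolen-session replay looks like from the identity provider's side: one session identifier, two different clients. The detector below is an added example (not 1Password's or Okta's detection logic) that flags exactly that over Okta System Log events. It assumes three fields of the System Log schema, authenticationContext.externalSessionId, client.ipAddress and client.userAgent.rawUserAgent; the events, IP addresses, session identifier and the eventType strings after the login are constructed for illustration.

```python
"""Flag Okta sessions that are exercised from more than one client (IP, user agent).

Added example for this page; not detection logic from 1Password or Okta.
It reads Okta System Log events (the JSON objects returned by /api/v1/logs)
and assumes three fields of that schema: authenticationContext.externalSessionId,
client.ipAddress and client.userAgent.rawUserAgent. The sample events are
constructed: IPs are from documentation ranges and the eventType strings after
the first login are modelled on Okta's naming but are illustrative only.
"""
from collections import defaultdict


def _session_id(event):
    return event.get("authenticationContext", {}).get("externalSessionId")


def _client(event):
    """(ip, user agent) pair; a replayed cookie normally changes at least one."""
    c = event.get("client", {})
    return (c.get("ipAddress"), (c.get("userAgent") or {}).get("rawUserAgent"))


def detect_session_reuse(events):
    """Return one alert per (session, new client) pair: the first event in which
    a session id is used from a client fingerprint other than the one that
    established it. Events are processed in published order."""
    first_client = {}        # session id -> fingerprint that created the session
    seen = defaultdict(set)  # session id -> every fingerprint observed so far
    alerts = []
    for ev in sorted(events, key=lambda e: e.get("published", "")):
        sid = _session_id(ev)
        if not sid:
            continue
        fp = _client(ev)
        first_client.setdefault(sid, fp)
        if fp in seen[sid]:
            continue
        seen[sid].add(fp)
        if fp != first_client[sid]:
            alerts.append({
                "session": sid,
                "actor": ev.get("actor", {}).get("alternateId"),
                "original_client": first_client[sid],
                "new_client": fp,
                "first_event": ev.get("eventType"),
                "at": ev.get("published"),
            })
    return alerts


# Constructed sample data (not real identifiers).
SESSION = "102NkPz0Z7jRqA3xYb5"
LEGIT = {"ipAddress": "203.0.113.10",
         "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh) Chrome/117.0"}}
ATTACKER = {"ipAddress": "198.51.100.7",
            "userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"}}


def _event(published, event_type, client, session=SESSION, actor="it-admin@example.com"):
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": actor, "type": "User"},
            "client": client,
            "authenticationContext": {"externalSessionId": session},
            "outcome": {"result": "SUCCESS"}}


SAMPLE_EVENTS = [
    _event("2023-09-29T13:10:00.000Z", "user.session.start", LEGIT),
    _event("2023-09-29T13:12:00.000Z", "user.session.access_admin_app", LEGIT),
    # Same session id hours later from another IP and browser: the replayed HAR cookie.
    _event("2023-09-29T15:41:00.000Z", "user.session.access_admin_app", ATTACKER),
    _event("2023-09-29T15:43:00.000Z", "system.idp.lifecycle.update", ATTACKER),
    _event("2023-09-29T15:44:00.000Z", "system.idp.lifecycle.activate", ATTACKER),
    # Unrelated user who stays on one client the whole time: must not alert.
    _event("2023-09-29T14:00:00.000Z", "user.session.start", LEGIT,
           session="102unrelatedSession", actor="dev@example.com"),
]


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

Legitimate roaming (a VPN switch, office to mobile) trips this rule too, so in practice you would scope it to sessions that go on to perform admin-console actions, or compare ASN rather than raw IP. Detection is the fallback; the stronger control is binding the session to the originating network or device at the identity provider so that a replayed cookie fails outright.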

Note that this is not the first major cyber incident involving Okta. In September, attackers gained Okta super administrator privileges through social engineering attacks on IT support staff. In addition, in December 2022, cybercriminals broke into Okta's GitHub repositories and stole source code.
 