Archive for Okta

Remember The Okta Hack Where They Explained It Only Impacted 1% Of Customers? It Was Actually 100% Of Customers.

Posted in Commentary with tags on November 29, 2023 by itnerd

Okta has released a new statement in relation to that hack that they had a while ago. At the time, they said it only affected 1% of customers. Well, that statement that I referred to one sentence ago says something different:

We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident. 

The threat actor ran a report on September 28, 2023 at 15:06 UTC that contained the following fields for each user in Okta’s customer support system: 

Created DateLast LoginFull NameUsernameEmail
Company NameUser TypeAddress[Date of] Last Password Change or ResetRole: Name
Role: DescriptionPhoneMobileTime ZoneSAML Federation ID

The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address. 

Okta has around 18,000 customers according to the company’s website. So that’s a major problem for Okta. And an equally major problem for any Okta customer. And the fact that there’s no credentials in this report that the threat actors ran is irrelevant. A threat actor could still use this information to launch phishing attacks against any Okta customer to pwn them. Even if only 1% of those customers get pwned via a phishing attack or some other attack, it’s 1% too many.

Now to be fair, Okta does suggest the following mitigations be implemented ASAP:

We recommend all customers immediately take the following actions to defend against potential attacks that target their Okta administrators.  

  • Multi-Factor Authentication (MFA): We strongly recommend all Okta customers secure admin access using MFA at a minimum. We also strongly encourage customers to enroll administrative users in phishing resistant authenticators (such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards) and to enforce phishing resistance for access to all administrative applications. Please refer to product documentation to enable MFA for the admin console (Classic or OIE).
  • Admin Session Binding: As communicated in the Security Incident RCA, customers can now enable an Early Access feature in Okta that requires admins to reauthenticate if their session is reused from an IP address with a different ASN (Autonomous System Number). Okta strongly recommends customers enable this feature to further secure admin sessions.
  • Admin Session Timeout: To align with NIST AAL3 guidelines and increase the security posture of every customer, Okta is introducing Admin Console timeouts that will be set to a default of 12-hour session duration and a 15-minute idle time. Customers will have the option to edit these settings. This will be available as an Early Access feature starting November 29th for preview orgs and December 4th for production orgs. The feature will be available for all production orgs by January 8th, 2024. An email was sent to all Super Admins regarding this change on November 27th, and a copy of that communication can be found in the Knowledge Base article: Admin Session Lifetime/Idle Timeout Security Enhancements.
  • Phishing Awareness: In addition, Okta customers should be vigilant of phishing attempts that target their employees and especially wary of social engineering attempts that target their IT Help Desks and related service providers. We recommend Okta customers implement our industry-leading, phishing-resistant methods for enrollment, authentication, and recovery. Please see Okta Solutions for Phishing Resistance for more information on protecting your organization from phishing. We also strongly recommend that customers review their IT Help Desk verification processes and ensure that appropriate checks, such as visual verification, are performed before performing high risk actions such as password or factor resets on privileged accounts.

While all of this is good advice, it doesn’t change the fact that this event really reflects poorly on Okta and I am not sure how any Okta customer could ever trust the company again. Which means that Okta really has to explain why customers should trust them going forward. And they need to do it fast.

Leave a comment »

You Won’t Believe How Okta Got Pwned

Posted in Commentary with tags , on November 5, 2023 by itnerd

You might recall that Okta’s support systems were pwned by hackers. That led to Okta customers getting pwned shortly thereafter. Well, you won’t believe how Okta got pwned. Here’s the details:

The unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself. This service account was granted permissions to view and update customer support cases. During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device. 

That’s not good from a specific point of view. More on that in a second. Anurag Gurtu, Chief Product Officer at StrikeReady had this to say:

“The recent security breach at Okta serves as a stark reminder of the potential vulnerabilities that can arise from seemingly innocuous practices, like using personal accounts on company devices. This incident underscores the critical need for organizations to reinforce their cybersecurity policies and ensure that employees are fully aware of the risks associated with mixing personal and professional digital activities.

It’s also a call to action for companies to continuously monitor and manage access privileges, and to deploy multi-layered security measures that can detect and mitigate unauthorized access promptly. Effective cybersecurity is not just about having the right tools; it’s about instilling the right discipline and awareness at every level of the organization. As we assist our clients in navigating their cybersecurity landscape, incidents like these are invaluable learning opportunities to fortify their defenses and prepare for the inevitability of human error.”

Okta said the breach impacted 134 customers, representing less than 1% of all their customers. Not that it matters because one customer who was affected by this is one too many. But to me, it really feels that Okta is throwing the employee under the bus here for having a support system that was clearly vulnerable to attack. Honestly, I think Okta needs to do better here for themselves, and more importantly their customers.

Leave a comment »

Okta Gets Pwned…. And The Downstream Effects Of That Are Starting To Be Felt

Posted in Commentary with tags , on October 24, 2023 by itnerd

On Friday, Okta disclosed a hack of its support systems.Here’s what Okta had to say about that:

The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.

Note: All customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.

Now Okta has had a rough time of it lately as its products have been implicated in a number of high profile hacks. That would include a spate of intrusions at casinos that crippled Las Vegas hotel rooms for days. The MGM hack is an example of this along with the Caesar’s hack. But the hack of Okta itself has had significant downstream effects. 1Password it turns out was affected by this hack:

On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.

Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach.

See our internal Okta Incident Report for additional details.

Cloudflare was also affected by this hack:

On Wednesday, October 18, 2023, we discovered attacks on our system that we were able to trace back to Okta – threat actors were able to leverage an authentication token compromised at Okta to pivot into Cloudflare’s Okta instance. While this was a troubling security incident, our Security Incident Response Team’s (SIRT) real-time detection and prompt response enabled containment and minimized the impact to Cloudflare systems and data. We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response. Okta has now released a public statement about this incident.

This is the second time Cloudflare has been impacted by a breach of Okta’s systems. In March 2022, we blogged about our investigation on how a breach of Okta affected Cloudflare. In that incident, we concluded that there was no access from the threat actor to any of our systems or data – Cloudflare’s use of hard keys for multi-factor authentication stopped this attack.  

Ken Westin, Field CISO, Panther Labs had this to say:

Okta is a prime target for attackers and by compromising their systems, they seek to gain access to their customer’s infrastructure and data. The pivot to 1Password should be a wake-up call for organizations to ensure they are monitoring Okta logs, as well as other identity and password applications.

Clearly Okta needs to do some work here as it’s bad enough that Okta gets hacked. It’s worse that its customers are also affected by said hack. Thus Okta and companies that provide similar services need to get their collective acts together to maximize their security or we are all in very deep trouble.

2 Comments »

Okta Customers Targeted In Social Engineering Attacks

Posted in Commentary with tags , on September 7, 2023 by itnerd

Okta customers have been targeted in a social engineering scam the company said, and on Friday warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions: 

In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users.

The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.

That’s pretty scary. I’ll explain why in a moment. John Gunn, CEO, Token had this comment:

Cybercriminal organizations intentionally and smartly target the organizations that have the richest assets and that will pay the highest ransoms, and with that they focus on compromising the users that have the greatest privileges to gain immediate access to applications and data they are targeting. Because of Okta’s market dominance they are able to get a perspective not available to others and they share this with the market to the benefit of all.

So, why do I think that this is scary? It once again proves that the weakest link in cybersecurity is the people. This sort of attack will not work if people are properly trained and that training is constantly reinforced with “secret shopper” type exercises where people pretend to be threat actors and target the recipients of the training to see if the knowledge is retained. Thus companies need to get onto that train as quickly as possible to bolster their defences.

Leave a comment »

Okta Says Lapsus$ Breach Smaller Than First Thought…. I’m Not Sure I Buy That

Posted in Commentary with tags on April 20, 2022 by itnerd

Remember when Okta got pwned by Lapsus$, and it looked like over 300 customers were affected by this breach? Okta says an investigation into the January Lapsus$ breach concluded the incident’s impact was significantly smaller than expected. As in it only affected TWO customers.

Really?

I’m getting ahead of myself. Let’s start with this Tweet from Okta’s Co-founder and CEO:

Inside this Tweet is a report done by Okta’s Chief Security Officer David Bradbury. It’s very much worth reading, but I will hit the highlights for you:

  • The attacker only accessed the two active customer tenants after gaining control of a single workstation used by an engineer working for Sitel, the third-party customer support services provider at the center of the incident.
  • The attacker only had access to anything for 25 minutes before being shut down.
  • The attacker didn’t do anything of significance during that 25 minutes.
  • Okta is going to ensure that its services providers comply with new security requirements, including adopting Zero Trust security architecture and authenticating via Okta’s IDAM solution for all workplace apps.
  • Okta’s relationship with Sitel has been terminated and Okta is now directly managing all third-party devices with access to its customer support tools.

I am not sure I am buying this. Here’s why. Their original rundown of this event went like this according to Okta at the time:

  • The hack actually took place in January.
  • The security breach stemmed from someone gaining access to the credentials of a support engineer employed by a sub-contractor, Sitel.
  • Those credentials were then used to access up to 366 client accounts.
  • The company managed to suspend the engineer’s account within 70 minutes of the hack being detected.
  • The subsequent forensic analysis took more than two months.
  • The company didn’t really grasp the implications of this hack until much, much later.

So if you look at this version of events and compare it to today’s version of events, it’s radically different. Thus I have to look at this and ask why is it radically different. I suspect that others watching this story will be asking similar questions. And I will be waiting to see how Okta explains that. If they can.

UPDATE: I got some commentary from Lucas Budman CEO of TruU:

It is great to hear that Okta’s customers were less affected than assumed, however, this breach was preventable. People assume that they are protected by multi-factor authentication (MFA), but the reality is that multi-factor authentication is not truly multi.  Passwords and second factor (2FA) technologies are easily compromised. It is time for the industry to move away from using weak forms of identification and towards truly passwordless MFA based authentication.

Leave a comment »