Okta's Support System Security Incident

Updated by Keith Kirkland

High Level Summary of the Security Advisory

Okta offers a suite of robust identity and access management solutions, ensuring secure user access to applications and data. It encompasses single sign-on, multi-factor authentication, adaptive authentication, user lifecycle management, API access management, and seamless integration with third-party security solutions.

On Oct 20, 2023 Okta issued an advisory confirming that it had identified adversarial activity in which a stolen credential was used to gain unauthorized access to Okta's support case management system. The threat actor successfully accessed files uploaded by certain Okta customers within recent support cases. In the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows issues to be troubleshot by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate and has taken measures to protect its customers, including the revocation of embedded session tokens.

In their advisory, Okta highlighted the segregation of the Okta support case management system from the fully operational production Okta service, which remains unaffected by this incident. Furthermore, as per the advisory, the incident did not impact the Auth0/CIC case management system.

Should I be concerned?

Maybe. It depends on whether you have a relationship with Okta. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.

Note: this link specifically references vendor directory records. You may also want to search your Relationship List for "Okta" to confirm.

What to do if you have an active relationship with Okta

As stated in the advisory, Okta has notified all affected customers regarding this incident. If you are an Okta customer and have not received such a message or been contacted through another method, there is no impact on your Okta environment or your support tickets.

Additionally, Okta has collaborated with affected customers to conduct investigations and has implemented protective measures, including revoking embedded session tokens. As a general practice, Okta has recommended sanitizing all credentials, cookies, and session tokens within a HAR file before sharing it.
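As an added illustration of the sanitization step Okta recommends (this is example code written for this article, not Okta's own HAR sanitizer), the script below parses a HAR file and redacts the fields that typically carry session material: Cookie, Set-Cookie and Authorization headers, every cookie value, token-like query and form parameters, and, by default, request and response bodies, since JSON responses from authentication endpoints can echo tokens. The sample HAR, the tenant name example.okta.com and all token values are constructed for the demonstration.

```python
import copy
import json

# Header names (matched case-insensitively) that routinely carry credentials or session material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
# Query-string / form parameter names that commonly carry tokens or secrets (assumed list).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "code", "sessiontoken", "password"}
REDACTED = "[REDACTED]"


def _redact_named(items, names):
    """Redact 'value' on each {name, value} pair whose name is in `names`; return the count."""
    n = 0
    for item in items:
        if item.get("name", "").lower() in names and item.get("value") != REDACTED:
            item["value"] = REDACTED
            n += 1
    return n


def _redact_all(items):
    """Redact 'value' on every {name, value} pair (used for HAR cookie arrays); return the count."""
    n = 0
    for item in items:
        if "value" in item and item["value"] != REDACTED:
            item["value"] = REDACTED
            n += 1
    return n


def sanitize_har(har, drop_bodies=True):
    """Return (sanitized_copy, redaction_count) for a parsed HAR dict; the input is left untouched."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        for msg in (req, resp):
            count += _redact_named(msg.get("headers", []), SENSITIVE_HEADERS)
            count += _redact_all(msg.get("cookies", []))
        count += _redact_named(req.get("queryString", []), SENSITIVE_PARAMS)
        post = req.get("postData", {})
        count += _redact_named(post.get("params", []), SENSITIVE_PARAMS)
        if drop_bodies:
            # Bodies are dropped wholesale: an auth endpoint's JSON reply may contain a bearer token.
            if post.get("text"):
                post["text"] = REDACTED
                count += 1
            content = resp.get("content", {})
            if content.get("text"):
                content["text"] = REDACTED
                count += 1
    return out, count


def sanitize_har_text(har_text, drop_bodies=True):
    """Convenience wrapper that works on the raw JSON text of a .har file."""
    sanitized, count = sanitize_har(json.loads(har_text), drop_bodies)
    return json.dumps(sanitized, indent=2), count


# Constructed sample HAR (not a real capture): one request to a hypothetical Okta tenant.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.com/api/v1/users/me?token=abc123",
                    "headers": [
                        {"name": "Host", "value": "example.okta.com"},
                        {"name": "Cookie", "value": "sid=SESSION_VALUE; JSESSIONID=JSESS_VALUE"},
                        {"name": "Authorization", "value": "SSWS 00abc-constructed-token"},
                    ],
                    "queryString": [{"name": "token", "value": "abc123"}],
                    "cookies": [
                        {"name": "sid", "value": "SESSION_VALUE"},
                        {"name": "JSESSIONID", "value": "JSESS_VALUE"},
                    ],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=NEW_SESSION; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "NEW_SESSION"}],
                    "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"},
                },
            }
        ],
    }
}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} fields")
    print(json.dumps(clean, indent=2))
```

Run it against a real capture with `sanitize_har_text(open("capture.har").read())` and review the output before uploading; the redaction count is a quick sanity check that the file actually contained material to strip. Dropping bodies is deliberately the default because a support engineer rarely needs response payloads to replay a browser flow, while a single unredacted token endpoint response is enough to impersonate the user.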

Okta has recommended that customers remain vigilant and be on the lookout for any suspicious activity. Customers may refer to Okta's previously published guidance on searching the System Log for any suspicious sessions, users, or IP addresses. Okta has also noted that, according to its enrichment data, the majority of the indicators correspond to commercial VPN nodes.

Okta has provided the following Indicators of Compromise to aid customers who want to conduct their own threat hunting activities:

IP Addresses

  • 23.105.182.19
  • 104.251.211.122
  • 202.59.10.100
  • 162.210.194.35 (BROWSEC VPN)
  • 198.16.66.124 (BROWSEC VPN)
  • 198.16.66.156 (BROWSEC VPN)
  • 198.16.70.28 (BROWSEC VPN)
  • 198.16.74.203 (BROWSEC VPN)
  • 198.16.74.204 (BROWSEC VPN)
  • 198.16.74.205 (BROWSEC VPN)
  • 198.98.49.203 (BROWSEC VPN)
  • 2.56.164.52 (NEXUS PROXY)
  • 207.244.71.82 (BROWSEC VPN)
  • 207.244.71.84 (BROWSEC VPN)
  • 207.244.89.161 (BROWSEC VPN)
  • 207.244.89.162 (BROWSEC VPN)
  • 23.106.249.52 (BROWSEC VPN)
  • 23.106.56.11 (BROWSEC VPN)
  • 23.106.56.21 (BROWSEC VPN)
  • 23.106.56.36 (BROWSEC VPN)
  • 23.106.56.37 (BROWSEC VPN)
  • 23.106.56.38 (BROWSEC VPN)
  • 23.106.56.54 (BROWSEC VPN)
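The following added example (written for this article, not Okta's tooling) shows one way to run the IoC list above against exported Okta System Log events. It parses the advisory's "ip (note)" lines, then checks each event's `client.ipAddress` and the hops in `request.ipChain` against the set. The System Log events used here are constructed samples in the log's JSON shape; the user names and the non-IoC address 203.0.113.10 are placeholders.

```python
import ipaddress
import json
import re

# Indicators exactly as published in the advisory above; the parenthesised notes are
# the advisory's own enrichment annotations and are kept as context during parsing.
ADVISORY_IOCS = """
23.105.182.19
104.251.211.122
202.59.10.100
162.210.194.35 (BROWSEC VPN)
198.16.66.124 (BROWSEC VPN)
198.16.66.156 (BROWSEC VPN)
198.16.70.28 (BROWSEC VPN)
198.16.74.203 (BROWSEC VPN)
198.16.74.204 (BROWSEC VPN)
198.16.74.205 (BROWSEC VPN)
198.98.49.203 (BROWSEC VPN)
2.56.164.52 (NEXUS PROXY)
207.244.71.82 (BROWSEC VPN)
207.244.71.84 (BROWSEC VPN)
207.244.89.161 (BROWSEC VPN)
207.244.89.162 (BROWSEC VPN)
23.106.249.52 (BROWSEC VPN)
23.106.56.11 (BROWSEC VPN)
23.106.56.21 (BROWSEC VPN)
23.106.56.36 (BROWSEC VPN)
23.106.56.37 (BROWSEC VPN)
23.106.56.38 (BROWSEC VPN)
23.106.56.54 (BROWSEC VPN)
"""


def parse_iocs(text):
    """Return {ip: note} from 'ip (note)' lines, validating each address with ipaddress."""
    iocs = {}
    for line in text.splitlines():
        line = line.strip().lstrip("• ").strip()
        if not line:
            continue
        m = re.match(r"^(\S+)\s*(?:\((.*)\))?$", line)
        if not m:
            continue
        ip = str(ipaddress.ip_address(m.group(1)))  # raises ValueError on a malformed entry
        iocs[ip] = m.group(2) or ""
    return iocs


def event_ips(event):
    """Every source IP an Okta System Log event exposes: client.ipAddress plus request.ipChain hops."""
    ips = set()
    ip = event.get("client", {}).get("ipAddress")
    if ip:
        ips.add(ip)
    for hop in event.get("request", {}).get("ipChain", []) or []:
        if hop.get("ip"):
            ips.add(hop["ip"])
    return ips


def hunt(log_lines, iocs):
    """Match newline-delimited JSON System Log events against the IoC set; one hit per event/IP."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for ip in sorted(event_ips(event) & set(iocs)):
            hits.append({
                "published": event.get("published"),
                "eventType": event.get("eventType"),
                "actor": event.get("actor", {}).get("alternateId"),
                "ip": ip,
                "note": iocs[ip],
            })
    return hits


# Constructed sample events in the System Log's JSON shape (not real log data).
SAMPLE_LOG = [
    json.dumps({"published": "2023-10-18T14:02:11.000Z", "eventType": "user.session.start",
                "actor": {"alternateId": "admin@example.com"},
                "client": {"ipAddress": "203.0.113.10"}, "request": {"ipChain": [{"ip": "203.0.113.10"}]}}),
    json.dumps({"published": "2023-10-18T14:05:42.000Z", "eventType": "user.session.start",
                "actor": {"alternateId": "admin@example.com"},
                "client": {"ipAddress": "198.16.74.203"}, "request": {"ipChain": [{"ip": "198.16.74.203"}]}}),
    json.dumps({"published": "2023-10-18T14:06:03.000Z", "eventType": "user.account.privilege.grant",
                "actor": {"alternateId": "admin@example.com"},
                "client": {"ipAddress": "198.16.74.203"}, "request": {"ipChain": [{"ip": "198.16.74.203"}]}}),
    json.dumps({"published": "2023-10-18T15:00:00.000Z", "eventType": "user.session.start",
                "actor": {"alternateId": "svc@example.com"},
                "client": {"ipAddress": "2.56.164.52"}, "request": {"ipChain": [{"ip": "2.56.164.52"}]}}),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, parse_iocs(ADVISORY_IOCS)):
        print(hit)
```

Feed it a System Log export as one JSON object per line; a hit from a VPN-annotated address is worth correlating with the actor's usual locations and with any session that started after a HAR file was uploaded to support, since a replayed session token would show up as a new `user.session.start` from an unexpected source rather than as a failed login.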

--------------------------------------------------------------

We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback please let us know at product@visotrust.com

For any additional questions, please reach out to your customer success manager.

Stay ahead of the curve with our Public Risk Notice Alerts!

Get the latest information and news to your inbox on cybersecurity breaches and third-party vendor risks that could impact your organization.

Sign up today to fortify your organization's security.

The VISO TRUST team
