
Okta Threat Advisory from Coralogix

  • Aseem Rastogi
  • November 12, 2023

On October 20, 2023, Okta Security confirmed that a threat actor had used stolen credentials to gain unauthorized access to the company’s support case management system. Other vendors, BeyondTrust among them, were affected by the same intrusion and have since published their own disclosures. Because the attacker reached customer data held by an identity provider, the incident has raised substantial concern about its potential to become a supply chain compromise.

Coralogix’s Snowbit Security Research Centre (SRC) has researched the issue and confirmed that Coralogix has not been impacted.

We are sharing this advisory to raise awareness of the breach, to describe what needs to be investigated, and to set out the best practices Coralogix customers should follow to avoid any potential issues.

Detection of malicious activity

The breach was first detected by the security team at BeyondTrust, an identity and privileged access management vendor.

Timeline of detection

October 2, 2023 BeyondTrust’s security team noticed an attempt to log into an in-house Okta administrator account using a session cookie taken from a HAR file that BeyondTrust had shared with Okta support. BeyondTrust blocked the attempt, remediated, and notified Okta.

October 3, 2023 BeyondTrust asked Okta support to escalate the issue to Okta’s security team, since its initial forensics pointed to a compromise inside the Okta support organization rather than at BeyondTrust.

October 11-13, 2023 BeyondTrust and Okta held multiple Zoom meetings to discuss the situation and pinpoint the root cause.

October 19, 2023 Okta security leadership confirmed that Okta had suffered an internal breach and that BeyondTrust was one of the affected customers.

Attack Vector

In the course of normal troubleshooting, Okta support asks customers to upload an HTTP Archive (HAR) file, a JSON recording of the browser’s HTTP requests and responses that lets support engineers reproduce what the customer’s browser did. Because a HAR captures full request and response headers, it frequently contains cookies and session tokens, which an attacker can replay to impersonate the user who recorded it. The attacker used stolen credentials to access Okta’s support case management system, read HAR files that customers had uploaded, and extracted live Okta session cookies from them. Those cookies were then replayed against the customers’ own Okta tenants, which is exactly what BeyondTrust observed on October 2.

Indicator of Compromise (IoC)

The following IoCs were found related to this breach. Security teams can look for these activities to determine whether they have been subjected to any unauthorized access.

  • Access to Okta admin functions through a proxy (securityContext.isProxy: true in Okta System Log events)
  • Access to Okta admin functions from VPS/hosting providers (in this campaign especially VPS Malaysia and LeaseWeb)
  • Access to Okta with the following user agent, which claims an outdated Chrome 99 on macOS 10.13; the build number 3538 does not belong to any Chrome 99 release, so this exact string is a strong indicator rather than merely an old browser:
    • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.3538.77 Safari/537.36
  • An Okta account created via the REST API (a user.lifecycle.create event with no matching Admin Console session) named svc_network_backup, or any new name that mimics an existing, legitimate service account
  • Requests to endpoints such as /reports/password-health/async_csv_download_schedule?, which are normally only called from the Okta Admin Console UI, without a corresponding Admin Console login (user.session.access_admin_app) by that user
  • Okta activity for a user with no corresponding authentication, i.e. no user.session.start event for that user from a plausible location preceding the activity; a replayed cookie rides an existing session and never produces one
  • Admin Console login attempts that are denied by policy, followed within an hour by a successful Admin Console login by the same user

Malicious IP Addresses

The following addresses were associated with the threat actor; most are exit nodes of commercial VPN and proxy services, as annotated. Search historical Okta System Log data for them and alert on any new activity from them.

  • 23.105.182.19
  • 104.251.211.122
  • 202.59.10.100
  • 162.210.194.35 (BROWSEC VPN)
  • 198.16.66.124 (BROWSEC VPN)
  • 198.16.66.156 (BROWSEC VPN)
  • 198.16.70.28 (BROWSEC VPN)
  • 198.16.74.203 (BROWSEC VPN)
  • 198.16.74.204 (BROWSEC VPN)
  • 198.16.74.205 (BROWSEC VPN)
  • 198.98.49.203 (BROWSEC VPN)
  • 2.56.164.52 (NEXUS PROXY)
  • 207.244.71.82 (BROWSEC VPN)
  • 207.244.71.84 (BROWSEC VPN)
  • 207.244.89.161 (BROWSEC VPN)
  • 207.244.89.162 (BROWSEC VPN)
  • 23.106.249.52 (BROWSEC VPN)
  • 23.106.56.11 (BROWSEC VPN)
  • 23.106.56.21 (BROWSEC VPN)
  • 23.106.56.36 (BROWSEC VPN)
  • 23.106.56.37 (BROWSEC VPN)
  • 23.106.56.38 (BROWSEC VPN)
  • 23.106.56.54 (BROWSEC VPN)

User-Agents

Okta notes that the following user agents are legitimate Chrome strings but are likely to be rare in your environment: Chrome 99 was released in March 2022, so by October 2023 a browser still reporting it was well over a year out of date.

  • Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)
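To turn the indicators above into something that can be run over an Okta System Log export, here is an added example (not code from this advisory or from Okta) that checks each IoC against a list of events: the known IP addresses, the attacker user agent, proxied admin actions, the service-account creation via API, Admin-Console-only endpoints without a console login, activity without a user.session.start, and a policy deny followed by a successful console login within an hour. The sample events are constructed and use RFC 5737 test addresses; the field names follow the Okta System Log schema, but the eventType "report.download" is a placeholder, because the advisory does not name the event type for the report endpoint. A replayed cookie is logged under the legitimate user’s identity, so the hunt attributes the attacker’s actions to alice; read the findings as "alice’s session", not necessarily alice.

```python
"""Hunt an Okta System Log export for the indicators listed above.
Added example, not code from this advisory or from Okta. The sample events are
constructed: they follow the System Log field layout (eventType, actor, client,
securityContext, outcome, debugContext, published), but users, IPs (RFC 5737
test ranges) and times are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_IPS = {"23.105.182.19", "104.251.211.122", "202.59.10.100", "2.56.164.52"}  # subset of the list above
BAD_USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/99.0.3538.77 Safari/537.36")
SUSPICIOUS_ACCOUNT_NAMES = {"svc_network_backup"}
ADMIN_ONLY_URI_PREFIXES = ("/reports/password-health/",)
DENY_TO_SUCCESS_WINDOW = timedelta(hours=1)


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def hunt(events):
    """Return (rule, actor, published) tuples, one per indicator match."""
    findings = []
    console_logins = defaultdict(list)  # actor -> successful Admin Console logins
    policy_denies = defaultdict(list)   # actor -> Admin Console logins denied by policy
    session_starts, active = set(), set()

    for e in sorted(events, key=_ts):
        actor, when = e["actor"]["alternateId"], e["published"]
        etype, result = e.get("eventType", ""), e.get("outcome", {}).get("result")
        client = e.get("client", {})
        ip, ua = client.get("ipAddress"), client.get("userAgent", {}).get("rawUserAgent", "")
        uri = e.get("debugContext", {}).get("debugData", {}).get("requestUri", "")
        admin_action = etype == "user.session.access_admin_app" or uri.startswith(("/api/v1/", "/reports/"))

        if etype == "user.session.start" and result == "SUCCESS":
            session_starts.add(actor)
        else:
            active.add(actor)

        if etype == "user.session.access_admin_app":
            if result == "SUCCESS":
                console_logins[actor].append(_ts(e))
                if any(_ts(e) - d <= DENY_TO_SUCCESS_WINDOW for d in policy_denies[actor]):
                    findings.append(("console_login_soon_after_policy_deny", actor, when))
            elif result == "DENY":
                policy_denies[actor].append(_ts(e))

        if ip in BAD_IPS:
            findings.append(("known_malicious_ip", actor, when))
        if ua == BAD_USER_AGENT:
            findings.append(("attacker_user_agent", actor, when))
        if admin_action and e.get("securityContext", {}).get("isProxy"):
            findings.append(("admin_action_via_proxy", actor, when))
        if uri.startswith(ADMIN_ONLY_URI_PREFIXES) and not console_logins[actor]:
            findings.append(("admin_only_endpoint_without_console_login", actor, when))
        if etype == "user.lifecycle.create" and uri.startswith("/api/v1/users"):
            created = {t.get("alternateId", "").split("@")[0] for t in e.get("target", [])}
            if created & SUSPICIOUS_ACCOUNT_NAMES:
                findings.append(("suspicious_account_created_via_api", actor, when))

    # A replayed cookie rides an existing session, so the hijacker never produces
    # a user.session.start; actors active in the window without one stand out.
    for actor in sorted(active - session_starts):
        findings.append(("activity_without_session_start", actor, None))
    return findings


def make_event(published, actor, event_type, result, ip, user_agent,
               request_uri="", is_proxy=False, targets=()):
    """Minimal System Log event in the real field layout (constructed data)."""
    return {"published": published, "eventType": event_type,
            "actor": {"type": "User", "alternateId": actor},
            "outcome": {"result": result},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": user_agent}},
            "securityContext": {"isProxy": is_proxy},
            "debugContext": {"debugData": {"requestUri": request_uri}},
            "target": [{"type": "User", "alternateId": t} for t in targets]}


OFFICE_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
REPORT_URI = "/reports/password-health/async_csv_download_schedule?"
ATTACKER = dict(ip="23.105.182.19", user_agent=BAD_USER_AGENT, is_proxy=True)

SAMPLE_EVENTS = [
    # alice's genuine session; "report.download" is a placeholder eventType, the rule keys on requestUri
    make_event("2023-10-02T09:00:00Z", "alice@example.com", "user.session.start", "SUCCESS", "203.0.113.10", OFFICE_UA),
    make_event("2023-10-02T09:01:00Z", "alice@example.com", "user.session.access_admin_app", "SUCCESS", "203.0.113.10", OFFICE_UA),
    make_event("2023-10-02T09:02:00Z", "alice@example.com", "report.download", "SUCCESS", "203.0.113.10", OFFICE_UA, REPORT_URI),
    # alice's cookie replayed through a proxy: Admin Console denied, then allowed 20 minutes later
    make_event("2023-10-02T11:00:00Z", "alice@example.com", "user.session.access_admin_app", "DENY", **ATTACKER),
    make_event("2023-10-02T11:20:00Z", "alice@example.com", "user.session.access_admin_app", "SUCCESS", **ATTACKER),
    make_event("2023-10-02T11:25:00Z", "alice@example.com", "user.lifecycle.create", "SUCCESS", **ATTACKER,
               request_uri="/api/v1/users", targets=("svc_network_backup@example.com",)),
    # bob hits an Admin-Console-only endpoint without any login in the window
    make_event("2023-10-02T12:00:00Z", "bob@example.com", "report.download", "SUCCESS", "198.51.100.7", OFFICE_UA, REPORT_URI),
]
```

Run it over events exported from the System Log API for the relevant window, with BAD_IPS widened to the full list above and ADMIN_ONLY_URI_PREFIXES extended with other paths that only the Admin Console UI calls in your own logs. The "activity_without_session_start" rule only makes sense over a window long enough to contain the user’s real login; shorter windows will flag everyone whose session predates the export.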

Who is impacted

It has been reported that around 170 of Okta’s customers were affected; Okta has notified them directly. If you are an Okta customer and have not been contacted, your Okta environment and support tickets are most likely not affected. Customers that have publicly disclosed being affected include Cloudflare, BeyondTrust and 1Password.

Okta response and recommendations

Okta worked with affected customers to investigate the incident and took protective measures, including revoking the session tokens embedded in the exposed HAR files. More generally, Okta recommends sanitizing every HAR file before sharing it: remove or replace all credentials, cookies and session tokens, which in practice means Cookie and Set-Cookie headers, Authorization headers, and any token-bearing query strings or request and response bodies.

Actions taken by Coralogix’s Snowbit SRC team

  • We have proactively reviewed Okta logs and completed related threat hunting activities for Snowbit SRC customer environments.
  • The Snowbit SRC team has already reached out to relevant customers in case of any suspicious activity.
  • We have reviewed the 21 alerts in our Okta extension and found them to be adequate to signal related activity.

Recommendations for Coralogix customers

  • Add network zone and policy controls in Okta that restrict Admin Console access to known IP ranges or geographies
  • Consider setting the Okta Global Session Policy to require an MFA challenge at every sign-on; note that this is evaluated when a session is created, so it does not by itself stop the replay of a cookie from an already-authenticated session, and it should be paired with a re-authentication requirement in the Admin Console authentication policy
  • Limit the lifetime and idle timeout of Okta sessions to shrink the window during which a stolen cookie is usable
  • Be aware that admin API actions authenticated with a session cookie are governed only by the Global Session Policy, which is often less restrictive than app-level authentication policies
  • Be aware that session hijacking bypasses MFA entirely: the attacker reuses a session that has already passed the MFA check
  • Require phishing-resistant hardware MFA (FIDO2/WebAuthn) for all Okta admins; this defeats token theft by attacker-in-the-middle phishing kits, although it does not protect a token that leaks after authentication, as in a HAR file
  • Sanitize HAR files before sharing them so that credentials, cookies and session tokens are never exposed
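As an added example of the sanitization step recommended above and in Okta’s own guidance (this is not Okta’s tooling and not code from this advisory), the following redacts the fields of a HAR 1.2 file that leak session material and then re-scans the result for anything still secret-shaped. The sample HAR is constructed; the cookie name sid and the SSWS authorization scheme in it mirror Okta conventions, and the regular expressions are assumptions that should be extended for your own environment.

```python
"""Strip cookies, tokens and credentials from a HAR file before attaching it to
a support case. Added example, not Okta's tooling or code from this advisory.
The HAR layout (log.entries[].request/response with headers, cookies,
queryString, postData, content) is HAR 1.2; the sample HAR is constructed."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_NAME_RE = re.compile(r"token|session|password|secret|cookie|assertion|^sid$", re.I)
# JSON keys that look secret, and JWT-shaped blobs anywhere in a body
JSON_SECRET_RE = re.compile(r'("[^"]*(?:token|session|password|secret|assertion)[^"]*"\s*:\s*)"[^"]*"', re.I)
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _scrub_query(query):
    pairs = [(k, REDACTED if SENSITIVE_NAME_RE.search(k) else v)
             for k, v in parse_qsl(query, keep_blank_values=True)]
    return urlencode(pairs, safe="[]")


def _scrub_url(url):
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=_scrub_query(parts.query))) if parts.query else url


def _scrub_text(text, mime_type=""):
    if mime_type.startswith("application/x-www-form-urlencoded"):
        return _scrub_query(text)
    text = JSON_SECRET_RE.sub(r'\1"%s"' % REDACTED, text)
    return JWT_RE.sub(REDACTED, text)


def sanitize_har(har):
    """Return a redacted deep copy; the caller's HAR is left untouched."""
    har = copy.deepcopy(har)
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        req["url"] = _scrub_url(req["url"])
        for msg in (req, resp):
            for h in msg.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in msg.get("cookies", []):
                c["value"] = REDACTED
            for q in msg.get("queryString", []):
                if SENSITIVE_NAME_RE.search(q["name"]):
                    q["value"] = REDACTED
        post = req.get("postData")
        if post:
            post["text"] = _scrub_text(post.get("text", ""), post.get("mimeType", ""))
            for p in post.get("params", []):
                if SENSITIVE_NAME_RE.search(p["name"]):
                    p["value"] = REDACTED
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = _scrub_text(content["text"], content.get("mimeType", ""))
    return har


RESIDUAL_PATTERNS = [
    re.compile(r'\bsid=(?!\[REDACTED\])[^;\s"]+'),  # session cookie name used in the sample
    re.compile(r"\bSSWS\s+[A-Za-z0-9_.-]{20,}"),    # Okta API token header scheme
    JWT_RE,
]


def find_residual_secrets(har):
    """Second pass: anything secret-shaped left anywhere in the serialised HAR."""
    blob = json.dumps(har)
    return [m.group(0) for p in RESIDUAL_PATTERNS for m in p.finditer(blob)]


JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZUBleGFtcGxlLmNvbSJ9.c2lnbmF0dXJlLWJ5dGVz"  # constructed
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{  # constructed sample entry
    "request": {
        "method": "POST",
        "url": "https://example.okta.com/api/v1/authn?sessionToken=20111abcdef&limit=1",
        "headers": [{"name": "Cookie", "value": "sid=102AbCdEf; DT=DI0x"},
                    {"name": "Authorization", "value": "SSWS 00AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102AbCdEf"}, {"name": "DT", "value": "DI0x"}],
        "queryString": [{"name": "sessionToken", "value": "20111abcdef"}, {"name": "limit", "value": "1"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"username":"alice@example.com","password":"hunter2"}'},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102AbCdEf; Path=/; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102AbCdEf"}],
        "content": {"mimeType": "application/json",
                    "text": '{"status":"SUCCESS","sessionToken":"20111abcdef","id_token":"%s"}' % JWT},
    },
}]}}
```

Keep the second pass: redaction by field name misses secrets in unexpected places, such as a JWT echoed in a custom header or a token inside a non-JSON body, which is why find_residual_secrets runs over the serialised file rather than over named fields. Treat a non-empty result as a reason not to upload, not as something to fix by hand.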

Snowbit SRC

These days cyber threats are not just a possibility; they’re an inevitability that can cripple operations and erode customer trust. Having a dedicated SecOps team is critical to proactively secure digital assets. However, finding affordable and expert SecOps professionals is challenging. 

Coralogix’s Snowbit SRC (Security Resource Center) fills that gap and boosts security operations without breaking the bank. Complementing our XDR (Extended Detection and Response) platform, the SRC comprises a group of experienced security analysts, researchers and threat hunting professionals who function as your 24/7 extended security team.

If you are not already a Snowbit customer, talk to your account manager today.
