On October 20, 2023, Okta Security confirmed malicious activity in which stolen credentials were used to gain unauthorized access to the company’s support case management system. Several other vendors, such as BeyondTrust, were also affected by the incident and have since published their own disclosures. The incident has raised substantial concern about its potential to trigger a supply chain compromise.
Coralogix’s Snowbit Security Research Centre (SRC) has researched the issue and confirmed that Coralogix has not been impacted at all.
We are sharing this advisory to raise awareness of this breach, to describe the aspects that need to be investigated, and to outline the best practices Coralogix customers should follow to avoid any potential issues.
The breach was initially detected by security experts at BeyondTrust, an identity management company.
October 2, 2023: BeyondTrust’s security team noticed an attempt to log into an in-house Okta administrator account using a stolen cookie from Okta’s support system. BeyondTrust remediated the attack and notified Okta.
October 3, 2023: BeyondTrust asked Okta support to escalate the issue to Okta’s security team, since the initial forensics pointed to the Okta support organization being compromised.
October 11-13, 2023: BeyondTrust and Okta held multiple Zoom meetings to discuss the situation and pinpoint the root cause.
October 19, 2023: Okta security leadership confirmed that they had suffered an internal breach, with BeyondTrust being one of the affected customers.
In the course of normal business, Okta support asks customers to upload an HTTP Archive (HAR) file, which allows issues to be troubleshot by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. The Okta support portal was compromised by a malicious actor using stolen credentials, giving them access to customer HAR files containing session information. This enabled the attackers to access customer sessions.
The following IoCs were found related to this breach. Security teams can look for these activities to determine whether they have been subjected to any unauthorized access.
Activity from the following IP addresses should be monitored for any indication of attacks or breach.
Okta points out that although the listed user-agents are legitimate, they might be uncommon in your environment, primarily due to the release of Chrome 99 in March 2022.
It is reported that around 170 of Okta’s customers were impacted and have been notified by Okta. If you are an Okta customer and have not been contacted, there is likely no impact to your Okta environment or support tickets. Notable affected customers include Cloudflare, BeyondTrust, and 1Password.
Okta has worked with impacted customers to investigate the incident and has taken measures to protect them, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.
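The sanitization step Okta recommends can be automated before a HAR file ever leaves the customer’s environment. The following is an added example written for this advisory, not a tool from Okta or Coralogix: it redacts cookie values, credential-bearing headers, token-like query parameters and request/response bodies in a HAR document and reports how many values it changed. The header list, the parameter-name pattern and the sample capture are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Assumed lists: header names (case-insensitive) and a parameter-name pattern that carry secrets.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
TOKEN_PARAM = re.compile(r"token|session|sid|password|secret", re.IGNORECASE)

def scrub_pairs(pairs, match):
    """Redact the value of every HAR {name, value} pair whose name matches; return the count."""
    hits = 0
    for p in pairs or []:
        if match(p.get("name", "")) and p.get("value") != REDACTED:
            p["value"] = REDACTED
            hits += 1
    return hits

def scrub_url(url):
    """Redact token-like query parameters that are embedded in the request URL itself."""
    parts = urlsplit(url)
    query = [(k, REDACTED if TOKEN_PARAM.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="[]")))

def sanitize_har(har):
    """Redact cookies, auth headers, token params and bodies in place; return how many values changed."""
    hits = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            hits += scrub_pairs(msg.get("cookies"), lambda _name: True)
            hits += scrub_pairs(msg.get("headers"), lambda name: name.lower() in SENSITIVE_HEADERS)
        req = entry.get("request", {})
        req["url"] = scrub_url(req.get("url", ""))
        hits += scrub_pairs(req.get("queryString"), TOKEN_PARAM.search)
        # Request and response bodies may echo passwords or tokens; drop them wholesale.
        for body in (req.get("postData", {}), entry.get("response", {}).get("content", {})):
            if body.get("text") and body["text"] != REDACTED:
                body["text"] = REDACTED
                hits += 1
    return hits

# Constructed sample capture (not a real Okta HAR): one authenticated API call and its reply.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.invalid/api/v1/users/me?sessionToken=abc123&limit=1",
                "cookies": [{"name": "sid", "value": "102Xc0ffee"}], "headers": [{"name": "Cookie", "value": "sid=102Xc0ffee"}],
                "queryString": [{"name": "sessionToken", "value": "abc123"}, {"name": "limit", "value": "1"}]},
    "response": {"status": 200, "cookies": [], "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"},
                 "headers": [{"name": "Set-Cookie", "value": "sid=new; HttpOnly"}, {"name": "Content-Type", "value": "text/plain"}]}}]}}
```

Running `sanitize_har` on a parsed HAR (`json.load`) and checking that the returned count is non-zero gives a simple pre-upload gate; a second pass returns 0, so the function is safe to re-run on an already sanitized file.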
These days cyber threats are not just a possibility; they’re an inevitability that can cripple operations and erode customer trust. Having a dedicated SecOps team is critical to proactively secure digital assets. However, finding affordable and expert SecOps professionals is challenging.
Coralogix’s Snowbit SRC (Security Resource Center) fills that gap and boosts security operations without breaking the bank. Complementing our XDR (Extended Detection and Response) platform, the SRC comprises a group of experienced security analysts, researchers and threat hunting professionals who function as your 24/7 extended security team.
If you are not already a Snowbit customer, talk to your account manager today.