The Versa Networks Blog


Versa Security Bulletin: Okta Customer Support Security Incident

By Versa Security Research Team

December 5, 2023

Summary

On October 20, 2023, Okta disclosed a security incident affecting its customer support management system. In a note following that disclosure, Okta said that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers. Some of these files were HAR files containing session tokens, which were later successfully used in session hijacking attacks against Okta customers. Subsequent analysis by Okta found that the attacker behind its September data breach stole more information than first discovered, including details for all users of its primary customer support system. On Nov. 29, 2023, Okta released a public statement about this incident with an update and recommended actions for Okta customers.

Details of the Security Incident

According to Okta, the hackers leveraged a service account stored in the system itself that had been granted permissions to view and update customer support cases. While investigating the suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential was the compromise of the employee’s personal Google account or personal device.

On Nov 29, Okta disclosed that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted, except customers in Okta FedRAMP High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident.

Recommendations

Given that names and email addresses were downloaded, Okta has assessed that there is an increased risk of phishing and social engineering attacks directed at these users. While 94% of Okta customers already require MFA for their administrators, Okta is recommending that ALL Okta customers employ MFA and consider the use of phishing-resistant authenticators, such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV or CAC smart cards, to further enhance their security. Customers should refer to the Okta product documentation to enable MFA for the admin console (Classic or OIE). Full details on Okta recommendations are available in the public statement released by Okta CSO David Bradbury on Nov 29, 2023.

Versa Networks Protections to Defend Against Network Compromise Attempts Following Okta Security Incident

Okta customers may be vulnerable to phishing and other social engineering attacks in the wake of the Okta security incident. Phishing is often used to steal identity (login credentials) and credit card information, but it can also lead to endpoint attacks in which the user device or browser is compromised, leading to network attacks such as ransomware.

Versa security protections defend customers against identity and endpoint attacks arising from the Okta security incident:

  • Versa Secure Private Access (ZTNA) – Versa augments MFA with rigorous device posture checks at the time of connection to validate user device integrity. Continuous posture/risk assessment for changes in user security posture or endpoint status is applied during the active connection, and real-time policy updates or remediation techniques are applied. Versa ZTNA extends to local on-premises environments, and Zero Trust access is similarly enforced for users in the branch, campus or data center, limiting lateral movement inside the network.
  • Versa Secure Web Gateway (SWG) – Versa SWG filters and inspects all outbound and inbound web traffic, with deep packet inspection and URL/content filtering to detect and stop malware and unauthorized content downloads. In the event of a user clicking on a malicious URL in a phishing email, Versa SWG will block access to the site, preventing malware from being downloaded to the user’s device.
  • Versa Data Loss Prevention (DLP) – In the event of compromise, DLP scanning of email and inline Web, SaaS, private and collaboration applications will prevent exfiltration of sensitive information via the network. Versa DLP monitors, detects, and blocks illegal or unauthorized exfiltration of data while it is in motion across the network, using 25 discrete content types and multiple scanning methods.

References

[1] https://sec.okta.com/harfiles

