Okta Attributes Support System Hack to Employee's Use of Personal Google Account on Work Laptop
Okta is blaming a recent hack of its support system on an employee who used a company-owned laptop to access a personal Google account, exposing credentials that allowed data belonging to several Okta customers to be stolen.
In a succinct post-mortem, David Bradbury, Okta's chief security officer, said the internal lapse was the "most likely avenue" for the hack, which affected hundreds of Okta clients, including the cybersecurity firms BeyondTrust and Cloudflare.
"We can verify that between September 28, 2023, and October 17, 2023, a threat actor obtained unauthorized access to files linked to 134 Okta customers (less than 1% of Okta customers) inside Okta's customer care system," the post-mortem states.
In the note, which includes a detailed chronology of the incident, Bradbury said that some of these files were HAR files containing session tokens that could be used in session hijacking attacks.
He said the threat actor used these session tokens to hijack the valid Okta sessions of five customers.
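A practical control for the HAR-file exposure described above is to strip session material before a browser capture is attached to a support case. The following Python sanitizer is an added example, not Okta's or any vendor's tooling; the sample HAR, its hostname and its token values are constructed for the example.

```python
"""
Redact session material from a HAR file before it leaves your environment.

Added example (not Okta's or any vendor's code). HAR is a JSON archive of
browser HTTP traffic; its "cookies" arrays and its Cookie / Set-Cookie /
Authorization headers carry exactly the session tokens that a support
engineer does not need and an attacker can replay. The sample HAR below is
constructed for this example.
"""
import copy
import json

# Header names whose values routinely carry credentials or session tokens.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def sanitize_har(har: dict) -> tuple[dict, int]:
    """Return (sanitized deep copy, number of values redacted).

    Cookie values and sensitive header values are replaced; names are kept so
    the reader of the capture can still see which cookies and headers existed.
    The input dict is left untouched.
    """
    har = copy.deepcopy(har)
    redacted = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for cookie in msg.get("cookies", []):
                if cookie.get("value") not in (None, REDACTED):
                    cookie["value"] = REDACTED
                    redacted += 1
            for header in msg.get("headers", []):
                name = header.get("name", "").lower()
                if name in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                    header["value"] = REDACTED
                    redacted += 1
    return har, redacted


def sanitize_har_text(text: str) -> tuple[str, int]:
    """Convenience wrapper for a HAR file read as text (returns JSON text)."""
    har, count = sanitize_har(json.loads(text))
    return json.dumps(har, indent=2), count


# Constructed sample: one request/response pair with a session cookie and a
# bearer token, as a browser's "Save all as HAR" would capture them.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example-tenant.invalid/api/v1/users/me",
                    "cookies": [{"name": "sid", "value": "constructed-session-id-123"}],
                    "headers": [
                        {"name": "Cookie", "value": "sid=constructed-session-id-123"},
                        {"name": "Authorization", "value": "Bearer constructed-token"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                },
                "response": {
                    "status": 200,
                    "cookies": [],
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=constructed-rotated-id; HttpOnly; Secure"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                },
            }
        ],
    }
}
SAMPLE_HAR_TEXT = json.dumps(SAMPLE_HAR)

if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} values")
    print(json.dumps(clean, indent=2))
```

Run it against a real capture with `sanitize_har_text(open("capture.har").read())` and attach the returned text instead of the original; the redaction count is a quick check that the file actually contained something worth stripping.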
According to Bradbury, the hackers used a service account stored in the system that had been granted permission to view and update customer support cases.
The employee had saved the service account's username and password in their personal Google account, he said.
"The compromise of the employee's personal Google account or personal device is the most likely avenue for exposure of this credential," Bradbury said.
He also said that internal controls had failed to detect the hack. When a user opens and views files attached to a support case, a specific log event type and ID are generated for that file. A user who instead goes directly to the Files tab in the customer support system, as the threat actor did in this attack, generates an entirely different log event with a different record ID.
Okta's chief security officer said his team's early inquiries were centered on support case access. The significant breakthrough came when BeyondTrust shared an IP address it had linked to the threat actor.
"We identified the additional file access events associated with the compromised account with this indicator," Bradbury said.
Numerous cybercriminals have set their sights on Okta, using its infrastructure as a point of entry to breach other companies. In September, Okta reported that a sophisticated hacking group had targeted IT service desk employees, attempting to persuade them to reset multi-factor authentication (MFA) for highly privileged users inside the targeted firm.
Okta said the hackers employed novel defense evasion and lateral movement techniques in that attack, but it has not disclosed details about the threat actor or its ultimate objective. Although it is unclear whether the two are connected, a financially motivated cybercrime campaign called 0ktapus targeted a large number of Okta customers last year.
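The logging gap Bradbury describes (one event type for files opened from within a support case, a different one for files opened from the Files tab) is a general lesson about detection coverage: a rule keyed on one access path is blind to an equivalent path, and an external indicator such as the IP address BeyondTrust shared is what surfaces the events the rule missed. The following Python is an added example, not Okta's code: the two event-type strings, the actor names and the log records are constructed placeholders standing in for whatever a real system logs for the two paths, and the IP addresses are documentation-range values.

```python
"""
Why a detection keyed on one event type misses an equivalent access path.

Added example; not Okta's code and not Okta's real event names. The event
types, actors and records below are constructed placeholders modelling the
two paths described in the post-mortem: opening a file from inside a support
case versus opening it directly from the Files tab, each of which writes a
different event type and record ID.
"""
from collections import Counter

# Constructed placeholder event types (not Okta identifiers).
CASE_FILE_VIEW = "support.case.file.view"   # file opened from within a case
FILES_TAB_VIEW = "support.files.view"       # file opened directly from the Files tab
FILE_ACCESS_TYPES = {CASE_FILE_VIEW, FILES_TAB_VIEW}

# Constructed log records. 203.0.113.42 plays the role of the indicator an
# external party shares; "svc-support-ro" plays the compromised service account.
SAMPLE_EVENTS = [
    {"id": "r-001", "eventType": CASE_FILE_VIEW, "actor": "support-engineer",
     "ip": "198.51.100.7", "file": "case-1/debug.har"},
    {"id": "r-002", "eventType": FILES_TAB_VIEW, "actor": "svc-support-ro",
     "ip": "203.0.113.42", "file": "case-2/session.har"},
    {"id": "r-003", "eventType": FILES_TAB_VIEW, "actor": "svc-support-ro",
     "ip": "203.0.113.42", "file": "case-3/trace.har"},
    {"id": "r-004", "eventType": "user.session.start", "actor": "svc-support-ro",
     "ip": "203.0.113.42", "file": None},
    {"id": "r-005", "eventType": CASE_FILE_VIEW, "actor": "support-engineer",
     "ip": "198.51.100.7", "file": "case-4/log.txt"},
]


def file_views(events, event_types, actor=None):
    """File-view events of the given types, optionally restricted to one actor.

    This is the shape of the narrow rule: it only sees what it is told to look for.
    """
    return [e for e in events
            if e["eventType"] in event_types and (actor is None or e["actor"] == actor)]


def events_from_ip(events, ip):
    """Pivot on an IP indicator: every event from that address, regardless of type.

    Because it ignores event type, this is how the path the narrow rule
    never covered becomes visible.
    """
    return [e for e in events if e["ip"] == ip]


def coverage_report(events, monitored_types):
    """Count file views a monitored set of event types sees versus misses."""
    monitored = set(monitored_types)
    seen = Counter(e["eventType"] for e in events
                   if e["eventType"] in monitored & FILE_ACCESS_TYPES)
    missed = Counter(e["eventType"] for e in events
                     if e["eventType"] in FILE_ACCESS_TYPES - monitored)
    return {"seen": dict(seen), "missed": dict(missed)}


if __name__ == "__main__":
    print("narrow rule, service account:",
          [e["id"] for e in file_views(SAMPLE_EVENTS, {CASE_FILE_VIEW}, "svc-support-ro")])
    print("both paths, service account:",
          [e["id"] for e in file_views(SAMPLE_EVENTS, FILE_ACCESS_TYPES, "svc-support-ro")])
    print("pivot on indicator:", [e["id"] for e in events_from_ip(SAMPLE_EVENTS, "203.0.113.42")])
    print("coverage:", coverage_report(SAMPLE_EVENTS, {CASE_FILE_VIEW}))
```

The `coverage_report` call is the check worth running before trusting any file-access detection: enumerate every event type the system emits for the same underlying action and confirm the rule's monitored set covers all of them, rather than the one path an engineer happened to exercise when writing it.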