Employee Is Accused of Using Personal Google Account on Work Laptop Due to Okta Hack

Okta is blaming a recent breach of its customer support system on an employee who signed in to a personal Google account from a company-owned laptop, exposing a credential that allowed data belonging to several Okta customers to be stolen.

In a brief post-mortem, Okta's chief security officer David Bradbury said this internal lapse was the "most likely avenue" for the breach, which affected 134 Okta customers, including the security firms BeyondTrust and Cloudflare. "We can verify that between September 28, 2023, and October 17, 2023, a threat actor obtained unauthorized access to files linked to 134 Okta customers, less than 1% of Okta customers, inside Okta's customer support system," he wrote.
In a note that includes a detailed chronology of the incident, Bradbury said some of these files were HAR files containing session tokens that could be used for session hijacking attacks. HAR (HTTP Archive) files are browser-generated recordings of web traffic that support teams commonly request for troubleshooting; because they capture request and response headers and cookies verbatim, an unsanitized HAR can carry a live session token.

He said the threat actor used these session tokens to hijack the legitimate Okta sessions of five customers.
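The following is an added example (not Okta's tooling, nor code from the post-mortem) showing what the risk above looks like in practice: a scanner that walks a HAR capture, flags the headers and cookies that typically carry a session or bearer token, and redacts them before the file is attached to a support case. The header and cookie name lists and the sample capture are constructed for this example; the token values in it are fake.

```python
"""Scan a HAR (HTTP Archive) capture for session material and redact it.

Added example; not Okta's code. The name lists below are illustrative
assumptions, not an official list of sensitive fields.
"""
import json
import re
import sys
from copy import deepcopy

# Headers whose whole value is treated as secret (assumed list).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-okta-xsrftoken"}
# Cookie-name fragments that usually denote a session or bearer token (assumed).
# Deliberately broad: over-redacting a support capture is the safe failure mode.
SENSITIVE_COOKIE_RE = re.compile(r"sid|session|token|jwt|auth", re.IGNORECASE)
REDACTED = "[REDACTED]"

# Constructed sample capture (HAR 1.2 shape); hostnames and token values are fake.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                 "headers": [{"name": "Accept", "value": "application/json"},
                             {"name": "Cookie", "value": "sid=fakesid; JSESSIONID=fakejsession"}],
                 "cookies": [{"name": "sid", "value": "fakesid"},
                             {"name": "JSESSIONID", "value": "fakejsession"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Content-Type", "value": "application/json"},
                              {"name": "Set-Cookie", "value": "sid=fakesid; Path=/; Secure; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "fakesid"}]}},
    {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/apps",
                 "headers": [{"name": "Authorization", "value": "Bearer fake.jwt.value"}],
                 "cookies": []},
     "response": {"status": 200,
                  "headers": [{"name": "Content-Type", "value": "application/json"}],
                  "cookies": []}},
]}}


def find_session_material(har):
    """Return (entry_index, location, name, value) for every sensitive header
    or cookie in the capture, checking both the request and the response side."""
    hits = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    hits.append((i, f"{side}.headers", h["name"], h.get("value", "")))
            for c in msg.get("cookies", []):
                if SENSITIVE_COOKIE_RE.search(c.get("name", "")):
                    hits.append((i, f"{side}.cookies", c["name"], c.get("value", "")))
    return hits


def sanitize_har(har):
    """Return a deep copy of the capture with every sensitive value replaced.
    The input object is left untouched so the caller can diff the two."""
    clean = deepcopy(har)
    for i, location, name, _ in find_session_material(clean):
        side, kind = location.split(".")
        for item in clean["log"]["entries"][i][side][kind]:
            if item.get("name") == name:
                item["value"] = REDACTED
    return clean


def unredacted_values(har):
    """Sensitive values still present in cleartext; empty after sanitize_har."""
    return [v for *_, v in find_session_material(har) if v != REDACTED]


if __name__ == "__main__":
    # Usage: python har_sanitize.py capture.har > capture.sanitized.har
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    print(f"{len(unredacted_values(src))} sensitive values found", file=sys.stderr)
    json.dump(sanitize_har(src), sys.stdout, indent=2)
```

Redacting the whole Cookie and Set-Cookie header values, rather than only the cookies that match the regex, is a deliberate choice: a single missed session cookie is enough for the hijack described above, and support staff rarely need the raw cookie string to debug a request.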

According to Bradbury, the attackers used a service account stored in the support system that had been granted permission to view and update customer support cases.
The employee had saved the service account's username and password in their personal Google account, he said.

"The compromise of the employee's personal Google account or personal device is the most likely avenue for exposure of this credential."Bradbury said that internal controls had failed to detect the hack.A unique log event type and ID are generated in relation to a file when a user opens and examines files connected to a support case.
Instead, as the threat actor in this attack did, a user will generate a whole different log event with a different record ID if they click directly to the Files tab in the customer support system.The chief security officer at Okta stated that his team's early inquiries were centered on support case access. Subsequently, a significant discovery was made when BeyondTrust disclosed an erroneous IP address linked to the threat actor.
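The investigative step described here, a hunt scoped to one event type that misses a second access path until an external indicator widens it, is a general incident-response pattern. The example below is added here and is not Okta's tooling; the audit log schema, event names, account names and IP addresses are all constructed for the example and do not reflect Okta's real support system.

```python
"""IOC pivot over a constructed audit log.

Added example, not Okta's code or log format. It models two access paths:
opening a file from inside a support case records one event type tied to
the case, while opening it from the Files tab records a different event type
with a different record ID. A hunt scoped to the first event type misses the
second; pivoting on an indicator (here an IP address) surfaces it.
"""
import json

# Constructed JSON-lines audit log; every field name and value is hypothetical.
RAW_LOG = """\
{"ts":"2023-09-28T14:02:11Z","actor":"svc-support-ro","ip":"198.51.100.7","event":"support.case.file_view","record_id":"case-4411"}
{"ts":"2023-09-28T14:05:30Z","actor":"svc-support-ro","ip":"198.51.100.7","event":"support.files.direct_view","record_id":"file-9021"}
{"ts":"2023-10-02T09:15:40Z","actor":"svc-support-ro","ip":"198.51.100.7","event":"support.files.direct_view","record_id":"file-9034"}
{"ts":"2023-10-02T10:01:02Z","actor":"alice","ip":"192.0.2.10","event":"support.case.file_view","record_id":"case-4420"}
{"ts":"2023-10-05T08:20:00Z","actor":"bob","ip":"198.51.100.7","event":"auth.login","record_id":null}
{"ts":"2023-10-13T16:44:09Z","actor":"svc-support-ro","ip":"192.0.2.55","event":"support.case.file_view","record_id":"case-4431"}
"""

CASE_EVENT = "support.case.file_view"      # file opened from within a case
DIRECT_EVENT = "support.files.direct_view" # file opened from the Files tab


def load_events(raw):
    """Parse JSON-lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def case_scoped_hunt(events, account):
    """First-pass query: which support cases did the account open files from?
    This is the scope that misses the Files-tab path entirely."""
    return sorted({e["record_id"] for e in events
                   if e["actor"] == account and e["event"] == CASE_EVENT})


def pivot_on_ip(events, ioc_ip):
    """Widen the hunt from an IP indicator: collect every account seen from
    that IP, then every file-access event by those accounts on either path.
    Returns (accounts, events sorted by timestamp)."""
    actors = {e["actor"] for e in events if e["ip"] == ioc_ip}
    related = [e for e in events
               if e["actor"] in actors and e["event"] in (CASE_EVENT, DIRECT_EVENT)]
    return actors, sorted(related, key=lambda e: e["ts"])


def records_missed_by_case_hunt(events, account, ioc_ip):
    """Record IDs reachable only through the IOC pivot, i.e. what the
    case-scoped query would never have shown."""
    seen = set(case_scoped_hunt(events, account))
    _, related = pivot_on_ip(events, ioc_ip)
    return sorted({e["record_id"] for e in related} - seen)


if __name__ == "__main__":
    evts = load_events(RAW_LOG)
    print("case-scoped:", case_scoped_hunt(evts, "svc-support-ro"))
    print("missed:", records_missed_by_case_hunt(evts, "svc-support-ro", "198.51.100.7"))
```

Two caveats the sample is built to show: the IP pivot over-includes any account that happened to share the address (the constructed "bob" login), so the second filter on file-access event types is what keeps the result meaningful; and the activity from the second address on the account is picked up because the pivot goes from indicator to account, not from indicator to events alone.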

"With this indicator, we identified the additional file access events associated with the compromised account," Bradbury wrote.

Okta has been a frequent target of cybercriminals, who use its infrastructure as a point of entry into other organizations. In September, Okta said a sophisticated hacking group had targeted IT service desk staff, attempting to persuade them to reset multi-factor authentication (MFA) for highly privileged users inside the targeted companies.

Okta said the hackers used novel defense-evasion and lateral-movement techniques in that campaign, but it has not disclosed details about the threat actor or its ultimate objective. It is unclear whether the two are connected, but a financially motivated cybercrime campaign known as 0ktapus also targeted a large number of Okta customers last year.

Maxi_InfoNongin

My journey in the field of information technology has led me to explore a wide range of areas, from software development and network administration to cybersecurity and artificial intelligence. I am dedicated to staying at the forefront of technological advancements, as I believe that embracing innovation is essential in today's fast-paced digital landscape. Throughout my career, I have had the opportunity to work on various challenging projects, collaborating with diverse teams and organizations. I find great satisfaction in solving complex problems and helping businesses harness the power of technology to achieve their goals. But beyond my technical expertise, I am also committed to sharing my knowledge and fostering a community of lifelong learners.
