Identity and access management tech firm Okta on Friday warned that hackers broke into its support case management system and stole sensitive data that can be used to impersonate valid users.
A security notice from Okta security chief David Bradbury said the company found “adversarial activity” that leveraged access to a stolen credential to access the support case management system.
“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Bradbury said, cautioning that the stolen data includes sensitive cookies and session tokens for additional attacks.
From the Okta advisory:
Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.
Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.
Bradbury said the compromised Okta support case management system is separate from the production Okta service, which was not impacted and remains fully operational. He said the Auth0/CIC case management system was also not impacted by this incident.
Okta released a list of suspicious IP addresses (the majority are commercial VPN nodes) and recommended that customers search System Logs for any given suspicious session, user or IP.
In a separate alert, security firm BeyondTrust said it was a target of a cyberattack linked to this Okta support system breach.
“The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system. Custom policy controls blocked the attacker’s initial activity, but limitations in Okta’s security model allowed them to perform a few confined actions,” BeyondTrust said.
Okta has found itself in the crosshairs of multiple hacking groups that target its infrastructure to break into third-party organizations.
Just last month, Okta said a sophisticated hacking group targeted IT service desk personnel in an effort to convince them to reset multi-factor authentication (MFA) for high-privilege users within the targeted organization.
In that attack, Okta said hackers used new lateral movement and defense evasion methods, but it has not shared any information on the threat actor itself or its ultimate goal. It’s unclear if it’s related, but last year many Okta customers were targeted as part of a financially motivated cybercrime campaign named 0ktapus.