Okta Breach Tied to Worker's Personal Google Account
Threat Actor Used Session Hijacking Technique to Access Files of 134 Okta Customers
Days after announcing a security compromise, cloud-based identity and authentication management provider Okta said that an unknown threat actor had accessed files of 134 customers after an employee signed in to a personal Google profile on the Chrome browser of an Okta-managed laptop.
The laptop included access to an "unsecured" employee service account stored in Okta's customer support system, which grants permission to view and update customer support cases, according to a post on Friday.
"The username and password of the service account had been saved into the employee's personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee's personal Google account or personal device," said Okta Chief Security Officer David Bradbury.
Okta said the attackers got hold of "HAR files that contained session tokens which could, in turn, be used for session hijacking attacks." HAR is short for HTTP Archive, a format that records a web browser's interaction with a website, including the requests it sent and the responses it received.
In a session hijacking attack, a malicious actor abuses the web session control mechanism, which is normally managed through a session token: by presenting a stolen token, the attacker is treated as the already authenticated user without having to log in.
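The HAR exposure described above, as an added example that is not Okta's or the article's code: a Python sanitizer that locates and masks the header and cookie fields in which session tokens travel, so a capture can be handed to a support team without carrying a live session. The tenant URL and token value in the sample capture are constructed placeholders.

```python
"""Find and redact session-bearing fields in a HAR capture before sharing it.
Added example for this article, not Okta's own tooling. A HAR file is JSON;
each entry under log.entries holds the headers and cookies the browser
exchanged, which is where session tokens end up.
"""
import copy

# Header names that routinely carry a session or bearer credential
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}
REDACTED = "[REDACTED]"


def _parts(har: dict):
    """Yield (side, dict) for the request and response of every entry."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            yield side, entry.get(side, {})


def find_credentials(har: dict) -> list[str]:
    """Locate credential-bearing fields, e.g. 'request/header:Cookie'."""
    found = []
    for side, part in _parts(har):
        found += [f"{side}/header:{h['name']}" for h in part.get("headers", [])
                  if h.get("name", "").lower() in SENSITIVE_HEADERS]
        found += [f"{side}/cookie:{c['name']}" for c in part.get("cookies", [])]
    return found


def redact_har(har: dict) -> dict:
    """Return a deep copy of the capture with those field values masked."""
    out = copy.deepcopy(har)
    for _, part in _parts(out):
        for h in part.get("headers", []):
            if h.get("name", "").lower() in SENSITIVE_HEADERS:
                h["value"] = REDACTED
        for c in part.get("cookies", []):
            c["value"] = REDACTED  # the cookie value is the session token itself
    return out


# Constructed sample: one request to a placeholder tenant carrying a session cookie
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=constructed-token"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "constructed-token"}]},
    "response": {"status": 200, "headers": [], "cookies": []}}]}}

if __name__ == "__main__":
    print(find_credentials(SAMPLE_HAR))  # ['request/header:Cookie', 'request/cookie:sid']
    print(redact_har(SAMPLE_HAR)["log"]["entries"][0]["request"]["cookies"])
```

Running `find_credentials` on a capture before uploading it shows exactly which fields would hand a live session to whoever reads the file; `redact_har` leaves the rest of the capture intact for troubleshooting.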
The San Francisco-based firm said that these files contained session tokens that had been used in session hijacking attacks against five Okta customers, three of which have publicly shared their response to this event.
The company first publicized that security compromise Oct. 20, warning that attackers had gained access to its customer support management system and stolen sensitive information uploaded by some customers (see: Okta Support Unit Breached Via Credential Stolen by Hackers).
Bradbury acknowledged Okta's inability to identify suspicious file downloads in customer support vendor logs for 14 days. He said that when a user "opens and views files attached to a support case, a specific log event type and ID is generated tied to that file."
The threat actor in this case navigated directly to the Files tab in the customer support system, which prompted an entirely different log event with a different record ID.
Bradbury said Okta's initial investigation focused on access to support cases and assessing the logs linked to those cases.
"On Oct. 13, 2023, BeyondTrust provided Okta Security a suspicious IP address attributed to the threat actor. With this indicator, we identified the additional file access events associated with the compromised account," he said.
Remediation Tasks
The company also released the following remediation tasks for its customers:
- Disable the compromised service account in the customer support system.
- Block the use of personal Google profiles with Google Chrome. Okta implemented a configuration option within Chrome Enterprise that prevents sign-in to Chrome on the company's Okta-managed laptops.
- Implement enhanced monitoring for the customer support system.
- Bind Okta administrator session tokens based on network location. This helps to combat the threat of session token theft against Okta administrators.
"Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal," Bradbury said.