Attackers managed to breach identity and access management company Okta’s support system using stolen credentials and extracted valid customer session tokens from uploaded support files, according to a report by the firm.
The strong multifactor authentication (MFA) policies enforced by one of the company’s impacted customers allowed it to detect the unauthorized access, block it, and report the breach to Okta.
“Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity,” David Bradbury, Okta’s chief security officer, said in a blog post. “HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”
The incident was uncovered by security engineers from BeyondTrust, an identity and access security solutions provider, whose in-house Okta administrator account was hijacked. Policy controls put in place by the company’s security team blocked a suspicious authentication attempt from an IP address in Malaysia.
The attacker was prompted for MFA authentication
BeyondTrust’s policy in the Okta environment was to only allow access to the Okta admin console from managed devices on which had been installed Okta Verify, a multifactor authentication application developed by Okta. Because of this policy, the attacker was prompted for MFA authentication when they tried to access the admin console, even though the token they stole provided them with a valid session.
“It is important for Okta customers to enhance security policies through settings such as prompting admin users for MFA at every sign-in,” the BeyondTrust security team said in an advisory. “While this was within an existing session the attacker hijacked, Okta still views dashboard access as a new sign-in and prompts for MFA.”
Additionally, the BeyondTrust admin account was configured to authenticate using a FIDO2-compliant device. FIDO2 is a passwordless authentication standard that uses public-key cryptography to validate users, a much more secure option than SMS-based implementations that are vulnerable to attacks such as SIM swapping and other man-in-the-middle techniques.
This allowed BeyondTrust to quickly eliminate the possibility that the session token theft happened internally and to start suspecting that Okta had a security breach. That’s also because the unauthorized authentication happened 30 minutes after the BeyondTrust admin uploaded a HAR file to Okta’s support system as part of troubleshooting a support issue. HAR files are essentially browser recordings that allow the support engineer to replicate what the user was doing.
A fake service account was created
When the attacker failed to access the Okta admin dashboard they pivoted to accessing the account via the Okta API. This allowed them to create a fake service account that they named a fake service account named svc_network_backup.
“Session cookies can be used to authenticate to the official Okta API and in many cases, these lack the policy restrictions that apply to the interactive admin console,” the BeyondTrust security team warns. “The attacker acted quickly but our detections and responses were immediate, disabling the account and mitigating any potential exposure.”
Breach was tracked to stolen credentials
BeyondTrust notified Okta of the suspicions, who then tracked the breach down to stolen credentials that provided the necessary access to view customer files in support tickets. The company said it notified all potentially impacted customers and revoked all session tokens embedded in files.
It advises customers to sanitize cookies and session tokens from HAR files before uploading them and to review their Okta system logs for any suspicious sessions. The company’s advisory includes IP addresses that attackers used to access customer accounts and the majority of them are IP associated with commercial VPN services.
Another company impacted in this incident was Cloudflare, which was also able to detect and block the misuse of its Okta credentials before Okta found the breach. The company strongly recommends that Okta customers implement hardware-based MFA.
“Passwords alone do not offer the necessary level of protection against attacks,” Cloudflare said in its report. “We strongly recommend the usage of hardware keys, as other methods of MFA can be vulnerable to phishing attacks.”
Investigate and respond to all unexpected password and MFA changes for your Okta instances and suspicious support-initiated events, the company advised. Ensure all password resets are valid and force a password reset for any under suspicion and ensure only valid MFA keys are present in the user’s account configuration.