(CTN News) – It has been discovered that threat actors broke into Okta’s support case management system and stole authentication data, including cookies and session tokens, which can be exploited to impersonate valid users in future attacks.
To help reproduce browser activity while troubleshooting a customer’s problem, Okta asks customers to upload an HTTP Archive (HAR) file.
It is important to note that HAR files can also contain sensitive information, such as authentication information.
In the course of normal business, Okta support will request that customers upload an HTTP Archive (HAR) file, which allows issues to be troubleshot by replicating the customer’s browser activity.
According to the data breach notification published by the company, HAR files can also contain sensitive data, such as cookies and session tokens, which malicious actors can use to impersonate valid users.
According to an advisory published by Okta Security, the company has identified adversarial activity in which stolen credentials were used to gain access to Okta’s support case management system.
In some recent support cases, it appears that the attackers were able to gain access to files uploaded by certain Okta customers.
According to the company, the compromised system is separate from the production Okta service, which was not affected by the breach.
It has been confirmed by the company that the Auth0/CIC case management system is not impacted by this issue, and the company has already notified all affected customers.
Okta has worked with impacted customers to investigate the security breach and has also announced that it has taken measures to protect them from future breaches.
In response to this issue, the company revoked embedded session tokens and recommended that all credentials and cookies/session tokens within a HAR file be sanitized before sharing them.
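The sanitisation step the advisory recommends, as an added example that is not Okta’s own tooling: a small Python routine that redacts cookies, Authorization and Set-Cookie headers, secret-looking query and form parameters, and request/response bodies in a HAR file before it is shared. The SENSITIVE_NAME pattern, the host sso.example.com and the sample capture are assumptions constructed for this demonstration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Field names treated as secrets: an assumed, deliberately broad heuristic; extend it for your apps.
SENSITIVE_NAME = re.compile(r"token|session|sid|password|secret|code|auth", re.I)

def redact_pairs(pairs, is_sensitive):
    """Blank the value of every HAR {name, value} pair whose name is sensitive; return the count."""
    hits = [p for p in pairs if p.get("value") and is_sensitive(str(p.get("name", "")))]
    for p in hits:
        p["value"] = REDACTED
    return len(hits)

def redact_url(url):
    """Blank sensitive query parameters inside the full request URL; return (url, count)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hit = [bool(SENSITIVE_NAME.search(k)) for k, _ in pairs]
    qs = [(k, REDACTED if h else v) for (k, v), h in zip(pairs, hit)]
    return urlunsplit(parts._replace(query=urlencode(qs))), sum(hit)

def sanitize_har(har):
    """Redact credentials in a parsed HAR dict in place; return how many values were redacted."""
    n = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            n += redact_pairs(msg.get("headers", []), lambda h: h.lower() in SENSITIVE_HEADERS)
            n += redact_pairs(msg.get("cookies", []), lambda _: True)  # every cookie is session material
        req["url"], k = redact_url(req.get("url", ""))  # the query also lives in the raw URL
        n += k + redact_pairs(req.get("queryString", []), SENSITIVE_NAME.search)
        post = req.get("postData", {})
        n += redact_pairs(post.get("params", []), SENSITIVE_NAME.search)
        for body in (post, resp.get("content", {})):  # free-form bodies: blank any that name a secret
            if body.get("text") and SENSITIVE_NAME.search(body["text"]):
                body["text"], n = REDACTED, n + 1
    return n

# Constructed minimal HAR (not a real capture) that exercises each redaction path.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://sso.example.com/api/v1/sessions/me?sid=abc123&lang=en",
                "headers": [{"name": "Cookie", "value": "sid=abc123"}, {"name": "Accept", "value": "*/*"}],
                "queryString": [{"name": "sid", "value": "abc123"}, {"name": "lang", "value": "en"}],
                "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=def456; Secure"}],
                 "cookies": [{"name": "sid", "value": "def456"}],
                 "content": {"mimeType": "application/json", "text": '{"sessionToken": "zzz"}'}}}]}}
```

Run `sanitize_har` on the parsed file and re-serialise it with `json.dumps` before attaching it to a support case; a non-zero return value confirms that something was actually stripped.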
In the advisory, there is a list of suspicious IP addresses that customers can use to detect potentially malicious activity on their systems.
“As a rule of thumb, we recommend that you refer to our previously published advice on how to search System Log for any suspicious sessions, users, or IP addresses.
The majority of the indicators in our enrichment information have been identified as commercial VPN nodes, which is an important point to note,” concludes the advisory.
Okta announced in early September that, in the preceding weeks, threat actors had been using social engineering attacks to gain elevated administrator permissions on customers’ systems.
In these attacks, the attackers targeted the IT service desk staff in order to trick them into resetting all multi-factor authentication (MFA) factors that had been enrolled by highly privileged users. It should be noted that the company did not attribute the attack to a specific threat actor.