
Netanel Azoulay
24.10.2023
Okta Security Breach

Trust No One? Always Verify?
In a recent security incident, identity services provider Okta reported that attackers gained unauthorized access to its support case management system using stolen credentials. This breach allowed the threat actors to exfiltrate sensitive active cookies and tokens uploaded by certain Okta customers. The attackers then used these active session cookies to gain unauthorized but authenticated access to Okta’s customers’ environments, bypassing the MFA mechanisms unhindered. Notably, this incident highlights a persistent security issue in Okta known since August 2022, when Mesh first published it: attackers can exploit valid session cookies to stealthily impersonate remote employees, a profoundly alarming issue for security leaders.
Attack Details
The security breach came to light when Okta’s Chief Security Officer, David Bradbury, revealed that the attacker exploited a stolen credential to gain unauthorized access to the support system. This system was also used to store HTTP Archive (HAR) files, which are used to replicate end-user or administrator errors for troubleshooting purposes. These files, however, contained highly sensitive data, including cookies and session tokens, which malicious actors can exploit to impersonate valid users, bypassing all security controls on their way to Okta’s customers’ kingdom.
The Attack Explained Step-by-Step

1# Initial Compromise
Attackers obtain stolen credentials and identify Okta’s support management system as a target.
2# Unauthorized Access (ATT&CK: T1078)
Attackers use stolen credentials and gain unauthorized access to Okta’s support management system.
3# Data Exfiltration (ATT&CK: T1530)
Attackers access .HAR files containing cookies and session tokens.
4# Unauthorized Access Using MFA Bypass Technique (ATT&CK: T1539 / T1550.004)
Attackers exploit a Multi-Factor Authentication (MFA) bypass technique to gain unauthorized access to Okta’s customers’ environments.
5# Detection by BeyondTrust:
October 2, 2023:
BeyondTrust detects an unauthorized attempt to log into an Okta administrator account using a stolen cookie.
6# Alerting Okta:
October 3, 2023:
BeyondTrust contacts Okta to report suspicious activity and share forensic data.
7# Okta’s Delayed Response:
Over two weeks passed before Okta confirmed the breach on October 19, 2023.
8# Attack Thwarted by BeyondTrust:
BeyondTrust’s custom policy controls limit the attacker’s actions, preventing extensive damage.
9# Cloudflare’s Involvement:
October 18, 2023: Cloudflare detects malicious activity related to Okta’s breach on its servers.
10# Cloudflare’s Response:
Cloudflare’s Security Incident Response Team promptly contains the incident and confirms no impact on customer data.
11# Attacker’s Pivot:
Attackers leverage stolen authentication tokens to pivot into Cloudflare’s Okta instance with administrative privileges.
12# Communication with Okta:
Cloudflare alerts Okta about the breach, and it’s discovered that the attacker has already infiltrated Cloudflare’s environment.
13# Observations:
Cloudflare notes that the attackers compromised two Cloudflare employee accounts within the Okta platform.
14# Customer Notifications and Remediation:
Okta notifies affected customers, takes protective measures, and advises customers to sanitize HAR files.
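Steps 4 and 5 turn on a valid session cookie being replayed from a client other than the one that passed MFA. The added example below (not code from Okta, BeyondTrust or Mesh) shows one way to flag that in authentication logs; the `Event` fields, session names and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str          # ISO 8601 UTC timestamp
    session_id: str  # opaque session identifier (hash it before logging)
    user: str
    ip: str
    user_agent: str
    action: str


def find_session_replay(events):
    """Flag events where an established session is used by a different client.

    The first event seen for a session fixes its baseline IP and user agent.
    A later change of both is 'high'; a change of one (for example a laptop
    moving networks) is 'medium' and needs more context before acting.
    """
    baseline, findings = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        first = baseline.setdefault(ev.session_id, ev)
        changed = [f for f in ("ip", "user_agent")
                   if getattr(ev, f) != getattr(first, f)]
        if changed:
            severity = "high" if len(changed) == 2 else "medium"
            findings.append((ev.ts, ev.user, ev.session_id, severity, changed))
    return findings


# Constructed events; the field names are assumptions, not a vendor log schema.
EVENTS = [
    Event("2024-01-15T09:00:00Z", "sess-A", "admin@example.test", "198.51.100.10", "Firefox/118", "login_mfa_ok"),
    Event("2024-01-15T09:05:00Z", "sess-A", "admin@example.test", "198.51.100.10", "Firefox/118", "open_dashboard"),
    Event("2024-01-15T09:40:00Z", "sess-A", "admin@example.test", "203.0.113.77", "curl/8.4", "admin_console"),
    Event("2024-01-15T10:00:00Z", "sess-B", "user@example.test", "192.0.2.5", "Chrome/117", "login_mfa_ok"),
    Event("2024-01-15T10:30:00Z", "sess-B", "user@example.test", "192.0.2.99", "Chrome/117", "open_app"),
]
```

A high-severity finding is a natural trigger for revoking the session and forcing re-authentication, since the cookie holder never had to present a second factor.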
The Essential Role of Identity Threat Detection & Response (ITDR)
Identity Threat Detection and Response (ITDR) is a crucial component of modern cybersecurity strategies. In today’s digital landscape, where identity theft and unauthorized access pose significant risks, ITDR plays a pivotal role in safeguarding organizations and their sensitive data.
Protecting Against Identity-Based Attacks
ITDR is designed to detect and respond to identity-based attacks, among the most prevalent threats in the cybersecurity landscape. Attackers often target user identities to gain unauthorized access to systems, steal data, or launch malicious activities. ITDR solutions are specifically engineered to identify suspicious activities associated with user identities, mitigating the risks of such attacks.
- Early Threat Detection
ITDR solutions employ advanced algorithms and machine learning to monitor user behavior and access patterns continuously. By analyzing these patterns, ITDR can identify anomalies or deviations from the norm that may indicate a security threat. Early detection is crucial for preventing attacks before they escalate and cause substantial damage.
- Reducing False Positives
One of the challenges in cybersecurity is distinguishing between legitimate user behavior and malicious activities. ITDR solutions are designed to minimize false positives by baselining normal user behavior and flagging only genuinely suspicious actions. This accuracy ensures that security teams can focus on genuine threats rather than chasing false alarms.
- Protection Beyond Perimeter Security
Traditional perimeter security measures, such as firewalls and intrusion detection systems, may not adequately protect against identity-based threats. ITDR operates within the network, focusing on activities occurring after initial access has been granted. This inside-out approach is essential for safeguarding against threats that may already exist within the organization.
- Compliance and Regulatory Requirements
Many industries are subject to strict regulatory requirements concerning data protection and privacy. ITDR helps organizations maintain compliance by monitoring user access, auditing actions, and reporting suspicious activities. This is crucial for meeting regulatory obligations and avoiding costly penalties.
- Mitigating Insider Threats
Insider threats, intentional or unintentional, can harm an organization’s security. ITDR solutions not only detect external threats but also monitor the actions of employees and authorized users. This helps identify insider threats and prevent data breaches or unauthorized access within the organization.
- Rapid Incident Response:
ITDR triggers an automated or manual response process when it detects a threat or anomaly. This swift incident response capability minimizes the dwell time of threats, limiting their potential impact. Timely responses can mean the difference between a minor incident and a major security breach.
- Continuous Improvement
ITDR solutions continually adapt and improve by learning from evolving threat landscapes. They analyze historical data and incorporate threat intelligence to enhance their detection capabilities. This ongoing improvement ensures that organizations stay ahead of emerging threats.
- Protection of Digital Identities
In today’s digital world, identities are the keys to the kingdom. ITDR safeguards these digital identities, protecting not only users but also the organization’s reputation and trustworthiness. Preventing identity theft and misuse is paramount for maintaining credibility.
In conclusion, ITDR is an indispensable element of a robust cybersecurity strategy. Its ability to proactively detect, respond to, and mitigate identity-based threats is essential for safeguarding sensitive data, maintaining compliance, and preserving an organization’s integrity in the face of evolving cyber threats. Implementing ITDR is not just an option; it’s necessary in today’s dynamic threat landscape.
ITDR? Book a Demo Today With Mesh!
Remember, prevention is essential, but detection and response are equally crucial in the battle against cyber threats. Mesh Security is the world’s first Zero Trust Posture Management (ZTPM) solution that helps organizations drive contextual and comprehensive prevention, detection, and response, including ITDR and ISPM (Identity Security Posture Management), strengthening compatibility between controls and collaboration across teams to create a safer digital landscape for modern enterprises. By combining prevention, detection, and response strategies, Mesh can empower your organization with an enhanced and agile Zero Trust posture that dynamically adapts to your business.
Okta’s Response
In response to the incident, Okta took swift action. During the investigation, the company collaborated with affected customers and revoked session tokens embedded in shared HAR files. To prevent further abuse of such tokens, Okta advises all customers to sanitize their HAR files before sharing them, ensuring that sensitive credentials and cookies/session tokens are not included.
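The HAR sanitization advised above can be scripted. This added example (not Okta’s tooling) redacts cookies, authorization headers, token-like query parameters and message bodies from a HAR 1.2 document; the parameter-name pattern and the sample HAR are assumptions constructed for illustration.

```python
import copy
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Assumed name heuristic for secrets carried in query strings.
SENSITIVE_PARAM = re.compile(r"token|session|secret|passw|code|saml", re.I)

def _scrub(pairs, is_sensitive):
    """Redact matching HAR name/value pairs in place; return how many changed."""
    hits = [p for p in pairs or [] if is_sensitive(p.get("name", ""))]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)

def _scrub_url(url):
    """The request URL repeats the query string, so redact it there as well."""
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE_PARAM.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return (sanitized deep copy, redaction count) for a HAR 1.2 dict."""
    har, count = copy.deepcopy(har), 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"] = _scrub_url(req.get("url", ""))
        count += _scrub(req.get("queryString"), SENSITIVE_PARAM.search)
        for msg in (req, resp):
            count += _scrub(msg.get("headers"), lambda n: n.lower() in SENSITIVE_HEADERS)
            count += _scrub(msg.get("cookies"), lambda n: True)
        # Bodies can carry tokens in any format, so drop them whole.
        for body in (req.get("postData"), resp.get("content")):
            if body:
                body.pop("params", None)
                body["text"] = REDACTED
                count += 1
    return har, count

# Constructed sample: session cookie, URL token, response body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://idp.example.test/app?sessionToken=s3cr3t&page=2",
                "headers": [{"name": "Cookie", "value": "sid=102abc"}],
                "cookies": [{"name": "sid", "value": "102abc"}],
                "queryString": [{"name": "sessionToken", "value": "s3cr3t"},
                                {"name": "page", "value": "2"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=103xyz"}],
                 "content": {"mimeType": "text/html", "text": "<html>hi</html>"}}}]}}
```

Redaction lowers the exposure of a shared file but does not invalidate anything, so sessions captured in a HAR that has already left the organization still need to be revoked.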
Okta emphasized that its support case management system is separate from its production identity service. This separation means that the incident did not impact the operational integrity of the production service, which remains fully functional.
Okta proactively notified all customers whose environment or support tickets were impacted by the breach. Customers who did not receive an alert can rest assured that this incident did not affect them.
This security breach is not an isolated event for Okta. Over the past two years, the company has faced multiple security incidents, including data exposures and source code thefts. These incidents highlight the persistent threat landscape that organizations like Okta must navigate.
A comprehensive conclusion of the incident, thanks for sharing!
Great visualization. It appears steps #2 and #4 did not require MFA, but what about step #1?