Breach was detected and blocked before it granted access to attackers due to the enforcement of multifactor authentication.

Attackers managed to breach identity and access management company Okta’s support system using stolen credentials and extracted valid customer session tokens from uploaded support files, according to a report by the firm. The strong multifactor authentication (MFA) policies enforced by one of the company’s impacted customers allowed it to detect the unauthorized access, block it, and report the breach to Okta.

“Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity,” David Bradbury, Okta’s chief security officer, said in a blog post. “HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”

The incident was uncovered by security engineers from BeyondTrust, an identity and access security solutions provider, whose in-house Okta administrator account was hijacked. Policy controls put in place by the company’s security team blocked a suspicious authentication attempt from an IP address in Malaysia.

The attacker was prompted for MFA authentication

BeyondTrust’s policy in its Okta environment was to allow access to the Okta admin console only from managed devices that had Okta Verify installed, a multifactor authentication application developed by Okta. Because of this policy, the attacker was prompted for MFA authentication when they tried to access the admin console, even though the token they stole provided them with a valid session.

“It is important for Okta customers to enhance security policies through settings such as prompting admin users for MFA at every sign-in,” the BeyondTrust security team said in an advisory.
“While this was within an existing session the attacker hijacked, Okta still views dashboard access as a new sign-in and prompts for MFA.”

Additionally, the BeyondTrust admin account was configured to authenticate using a FIDO2-compliant device. FIDO2 is a passwordless authentication standard that uses public-key cryptography to validate users, a much more secure option than SMS-based implementations, which are vulnerable to attacks such as SIM swapping and other man-in-the-middle techniques. This allowed BeyondTrust to quickly eliminate the possibility that the session token theft happened internally and to start suspecting that Okta had a security breach. That’s also because the unauthorized authentication happened 30 minutes after the BeyondTrust admin uploaded a HAR file to Okta’s support system as part of troubleshooting a support issue. HAR files are essentially browser recordings that allow the support engineer to replicate what the user was doing.

A fake service account was created

When the attacker failed to access the Okta admin dashboard, they pivoted to accessing the account via the Okta API. This allowed them to create a fake service account named svc_network_backup.

“Session cookies can be used to authenticate to the official Okta API and in many cases, these lack the policy restrictions that apply to the interactive admin console,” the BeyondTrust security team warns. “The attacker acted quickly but our detections and responses were immediate, disabling the account and mitigating any potential exposure.”

Breach was tracked to stolen credentials

BeyondTrust notified Okta of its suspicions, and Okta then tracked the breach to stolen credentials that provided the access needed to view customer files in support tickets. The company said it notified all potentially impacted customers and revoked all session tokens embedded in files.
It advises customers to sanitize cookies and session tokens from HAR files before uploading them and to review their Okta system logs for any suspicious sessions. The company’s advisory includes the IP addresses that attackers used to access customer accounts; the majority of them are IP addresses associated with commercial VPN services.

Another company impacted in this incident was Cloudflare, which was also able to detect and block the misuse of its Okta credentials before Okta found the breach. The company strongly recommends that Okta customers implement hardware-based MFA.

“Passwords alone do not offer the necessary level of protection against attacks,” Cloudflare said in its report. “We strongly recommend the usage of hardware keys, as other methods of MFA can be vulnerable to phishing attacks.”

Investigate and respond to all unexpected password and MFA changes for your Okta instances and suspicious support-initiated events, the company advised. Ensure all password resets are valid, force a password reset for any under suspicion, and ensure only valid MFA keys are present in the user’s account configuration.
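Okta’s advice to strip cookies and session tokens from a HAR file before uploading it can be automated. The script below is an added example written for this article, not code from Okta, BeyondTrust, or Cloudflare; it walks the standard HAR 1.2 JSON layout (log → entries → request/response → headers and cookies) and overwrites the values of credential-bearing headers and every cookie value. The sample HAR fragment, the example.okta.com hostname and the SAMPLE-… cookie values are constructed for the demonstration.

```python
import json
import sys
from typing import Any

# Header names whose values carry credentials (compared case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _scrub_headers(headers: list[dict[str, Any]]) -> int:
    """Overwrite the value of each credential-bearing header; return how many were changed."""
    count = 0
    for header in headers:
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = REDACTED
            count += 1
    return count


def _scrub_cookies(cookies: list[dict[str, Any]]) -> int:
    """Overwrite every parsed cookie value (HAR keeps these separately from the header)."""
    count = 0
    for cookie in cookies:
        if "value" in cookie:
            cookie["value"] = REDACTED
            count += 1
    return count


def sanitize_har(har: dict[str, Any]) -> int:
    """Redact credential-bearing fields in a parsed HAR in place; return the redaction count."""
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            total += _scrub_headers(message.get("headers", []))
            total += _scrub_cookies(message.get("cookies", []))
    return total


def sanitize_har_file(src_path: str, dst_path: str) -> int:
    """Read a HAR file, redact it, write the sanitized copy; return the redaction count."""
    with open(src_path, encoding="utf-8") as src:
        har = json.load(src)
    redactions = sanitize_har(har)
    with open(dst_path, "w", encoding="utf-8") as dst:
        json.dump(har, dst, indent=2)
    return redactions


def har_text(har: dict[str, Any]) -> str:
    """Serialize a HAR so callers can check that no secret string survives anywhere in it."""
    return json.dumps(har)


# Constructed sample capture (not a real HAR): one request/response pair with a session cookie.
SAMPLE_HAR: dict[str, Any] = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.com/api/v1/users/me",
                    "headers": [
                        {"name": "Cookie", "value": "sid=SAMPLE-SESSION-ID; DT=SAMPLE-DT"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "SAMPLE-SESSION-ID"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=SAMPLE-NEW-ID; HttpOnly; Secure"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "SAMPLE-NEW-ID"}],
                },
            }
        ],
    }
}


def demo() -> tuple[int, dict[str, Any]]:
    """Sanitize a deep copy of the sample and return (redaction count, sanitized HAR)."""
    har = json.loads(json.dumps(SAMPLE_HAR))
    return sanitize_har(har), har


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(f"{sanitize_har_file(sys.argv[1], sys.argv[2])} fields redacted")
    else:
        count, cleaned = demo()
        print(f"{count} fields redacted in sample:")
        print(json.dumps(cleaned, indent=2))
```

Run it as `python sanitize_har.py capture.har capture-clean.har` and upload only the cleaned copy. The script covers headers and the parsed cookie arrays, which is where session tokens normally sit; request bodies (`postData.text`) and response bodies (`content.text`) can also carry tokens for some applications, so check those before sharing a capture from an authenticated session.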