Attack on Okta support systems: HAR files and session tokens

November 15, 2023

Introduction

We learned about an attack on Okta, one of the leading identity and authentication providers, last October. It has more than 15,000 customers using its identity services, among them very important industry references. This is not the first time cybercriminals have used a supply chain attack, compromising a provider as a way of gaining access to the internal systems of its major customers.

Another attack on Okta in January 2022 resulted in the leak of customer data on dark web forums by the Lapsus$ group. In August 2022, Okta one-time passwords (OTPs) sent via SMS were stolen by the Scatter Swine group after it gained unauthorized access to the Twilio cloud communications platform.

This chain of events reminds us that enterprises need a holistic view of their security posture in today's hyper-connected environment. You must consider the supply chain in your threat model.

Chronology of the attack

This time the attack targeted Okta's customer support system, which is isolated from the main production systems and is used to resolve customer incidents.

The attack was initially detected by BeyondTrust. In their post, they describe what happened in detail:

  • October 2, 2023: BeyondTrust's security team detected and remediated an identity-centric attack on an internal Okta administrator account using a cookie stolen from Okta's support system and alerted Okta itself.
  • October 3, 2023: Okta support was asked to escalate it to the enterprise security team, as early forensic evidence pointed to a compromise within Okta's support organization.
  • October 11, 2023, and October 13, 2023: video calls were held with Okta's security team to explain details that pointed to possible compromise.
  • October 19, 2023: Okta's security team confirmed that they had suffered an internal breach and that BeyondTrust was one of their affected customers.

Although specific details about the exposed data were not disclosed, it is known that the attacked system contained HTTP Archive (HAR) files.

What are HAR files, what are they used for and how are they generated?

Okta's help website explains what HAR files are: a format used to record browser activity for troubleshooting purposes. Okta uses these HAR files to replicate errors reported by users or administrators, and explains how to generate them in the major browsers (Chrome, Firefox and Safari).

Session tokens, a double-edged sword

As Okta's own help website warns, HAR files that are not properly sanitized can contain sensitive data such as cookies and session tokens, the very values that keep a user's session alive. An attacker who obtains them can potentially use them to impersonate users or hijack their accounts.

Fortunately, BeyondTrust's security team required MFA on all interactive access to its systems: passwordless authentication on a FIDO2-compliant device, which is more robust against attacks such as SIM swapping or man-in-the-middle. The attacker was therefore challenged for a credential they did not have, and access was thwarted.

Cloudflare, which subsequently joined the list of known customers affected by the attack, published an article with recommendations along the same lines: use MFA to protect against unauthorized access and, in particular, hardware-based MFA.

If you want more information about the FIDO2 standard and the importance of access control, we refer you to the post by our colleagues David Prieto and Rodrigo Rojas.

Impact

Once the incident became known, the impact was evident: Okta's shares on the NASDAQ stock exchange lost more than 10% of their value in a single day and more than 17% over the last month.

Little is known so far from the customer side, beyond the few Okta customers who have made their impact public and who state that they mitigated the attack on their systems without the attacker gaining access to end-customer information. An Okta official has estimated the share of customers affected at 1%, without giving a definite figure.

Conclusions

In an official statement, Okta assures that steps have been taken to notify all customers whose environments or support tickets were affected by the attack; customers who have not received an alert can consider their data secure. Okta also recommends sanitizing HAR files before uploading them to its support platform.

Action points for Okta

  • Confirming an attack faster is critical: it gives the customers you serve time, a vital resource, to protect their own systems.
  • It should be possible to perform this sanitization automatically within Okta's own support platform before the file is stored, rather than leaving it solely to the discretion of customers. Along these lines, Cloudflare has recently published a HAR file sanitizer that runs client-side, so the file stays under the user's control; visit the repo if you want to run it locally.
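The kind of sanitization recommended above, as an added example that is not Okta's or Cloudflare's code: it walks a HAR document and blanks cookies, Cookie/Set-Cookie/Authorization headers, sensitive query or form parameters and token-like keys inside JSON bodies, returning a redacted copy together with a count of what it removed. The SENSITIVE name list and the SAMPLE_HAR capture are constructed assumptions.

```python
import json
from copy import deepcopy

REDACTED = "[REDACTED]"
# Header, query and JSON key names treated as session or credential material
# (an assumed list; extend it for the APIs seen in your own captures).
SENSITIVE = {"cookie", "set-cookie", "authorization", "proxy-authorization",
             "sessiontoken", "access_token", "id_token", "refresh_token", "password"}
# Constructed sample HAR: a request carrying a session cookie and a response
# that sets a new cookie and returns a session token in its JSON body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://tenant.example/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=abc123"}],
                "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {"status": 200, "cookies": [{"name": "sid", "value": "def456"}],
                 "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "content": {"mimeType": "application/json",
                             "text": '{"sessionToken": "tok-789", "status": "SUCCESS"}'}}}]}}

def _redact(obj, stats):
    """Walk a HAR sub-tree in place, blanking every value that matches SENSITIVE."""
    if isinstance(obj, dict):
        if str(obj.get("name", "")).lower() in SENSITIVE and obj.get("value"):
            obj["value"], stats[0] = REDACTED, stats[0] + 1  # header / query / form param
        if "json" in str(obj.get("mimeType", "")) and obj.get("text"):
            try:  # postData (request) or content (response) carrying a JSON body
                parsed = json.loads(obj["text"])
                _redact(parsed, stats)
                obj["text"] = json.dumps(parsed)
            except ValueError:
                pass  # not valid JSON: leave it rather than guess at its structure
        for k, v in obj.items():
            if k.lower() in SENSITIVE and isinstance(v, str):
                obj[k], stats[0] = REDACTED, stats[0] + 1  # e.g. {"sessionToken": ...}
            else:
                _redact(v, stats)
    elif isinstance(obj, list):
        for item in obj:
            _redact(item, stats)

def sanitize_har(har: dict) -> tuple:
    """Return (sanitized copy, number of values redacted); the input is untouched."""
    clean, stats = deepcopy(har), [0]
    for entry in clean.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for cookie in req.get("cookies", []) + resp.get("cookies", []):  # any name
            cookie["value"], stats[0] = REDACTED, stats[0] + 1
    _redact(clean, stats)  # headers, query strings, form params and JSON bodies
    return clean, stats[0]
```

Run it on a real capture with `sanitize_har(json.load(open("capture.har")))` and write out the first element; the count is a useful sanity check before attaching the file to a ticket.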

Action points for customers

  • Incorporate robust multi-factor authentication (MFA) mechanisms, particularly hardware-based ones, so that merely holding a session token does not grant access to internal systems.

Supply chain attacks will continue to grow in popularity as attackers will always look for the weakest link to penetrate organizations' systems.

From a technical perspective these risks are hard to manage; little can be done beyond including clauses in service contracts that allow action from a legal standpoint, and those clauses are ineffective for managing an in-flight incident because of the complexity and lack of visibility of shared architectures.
