Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. Okta says the incident affected a “very small number” of customers, however it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.

In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it “has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”

Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a.

These are sensitive files because they can include the customer’s cookies and session tokens, which intruders can then use to impersonate valid users.

“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” their notice continued. “In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”

The security firm BeyondTrust is among the Okta customers who received Thursday’s alert from Okta. BeyondTrust Chief Technology Officer Marc Maiffret said that alert came more than two weeks after his company alerted Okta to a potential problem.

Maiffret emphasized that BeyondTrust caught the attack earlier this month as it was happening, and that none of its own customers were affected. He said that on Oct. 2, BeyondTrust’s security team detected that someone was trying to use an Okta account assigned to one of their engineers to create an all-powerful administrator account within their Okta environment.

When BeyondTrust reviewed the activity of the employee account that tried to create the new administrative profile, they found that - just 30 minutes prior to the unauthorized activity - one of their support engineers shared with Okta one of these HAR files that contained a valid Okta session token, Maiffret said.

“Our admin sent that over at Okta’s request, and 30 minutes after that the attacker started doing session hijacking, tried to replay the browser session and leverage the cookie in that browser recording to act on behalf of that user,” he said.

Maiffret said BeyondTrust followed up with Okta on Oct. 3 and said they were fairly confident Okta had suffered an intrusion, and that he reiterated that conclusion in a phone call with Okta on October 11 and again on Oct.

In an interview with KrebsOnSecurity, Okta’s Deputy Chief Information Security Officer Charlotte Wylie said Okta initially believed that BeyondTrust’s alert on Oct. 2 was not a result of a breach in its systems.

17, the company had identified and contained the incident - disabling the compromised customer case management account, and invalidating Okta access tokens associated with that account.

Wylie declined to say exactly how many customers received alerts of a potential security issue, but characterized it as a “very, very small subset” of its more than 18,000 customers.

The disclosure from Okta comes just weeks after casino giants Caesars Entertainment and MGM Resorts were hacked.
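
One way to apply the sanitizing advice quoted from Okta's notice before a HAR file is attached to a support case, as an added example (not code from Okta, BeyondTrust or the original article). The function names, the `SENSITIVE` name pattern and the sample entry are assumptions constructed for illustration; the field names follow the HAR 1.2 layout.

```python
import copy
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Assumed name patterns for credential-bearing headers and fields; "cookie" and "auth"
# cover Cookie, Set-Cookie and (Proxy-)Authorization. Over-matching is deliberate.
SENSITIVE = re.compile(r"cookie|auth|token|secret|passw|session|sid|api[-_]?key|saml|jwt", re.I)

def _scrub_pairs(pairs, always=False):
    """Redact values in a HAR name/value list; return the number redacted."""
    hits = [p for p in pairs or [] if always or SENSITIVE.search(p.get("name", ""))]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)

def _scrub_url(url):
    """Redact sensitive query parameters repeated in the raw request URL."""
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return (sanitized copy, count of redacted pairs and bodies); input is untouched."""
    clean, count = copy.deepcopy(har), 0
    for entry in clean.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            count += _scrub_pairs(msg.get("headers"))
            count += _scrub_pairs(msg.get("cookies"), always=True)  # every cookie value
        count += _scrub_pairs(req.get("queryString"))
        req["url"] = _scrub_url(req.get("url", ""))
        # Bodies can embed tokens in any format, so replace them wholesale.
        for body in (req.get("postData"), resp.get("content")):
            if body and body.get("text"):
                body["text"] = REDACTED
                count += 1
    return clean, count

# Constructed sample: the same session value appears in six places in one entry.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"url": "https://idp.example/app?sessionToken=abc123&page=2",
                "headers": [{"name": "Cookie", "value": "sid=abc123"},
                            {"name": "Accept", "value": "text/html"}],
                "cookies": [{"name": "sid", "value": "abc123"}],
                "queryString": [{"name": "sessionToken", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=abc123; HttpOnly"}],
                 "content": {"text": '{"sessionToken": "abc123"}'}}}]}}
```

A HAR entry stores the same session value redundantly (raw URL, header, parsed cookie list, parsed query string, response body), so scrubbing only the `Cookie` header leaves a replayable token in the file.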