Attackers managed to breach identity and access management company Okta’s support system using stolen credentials and extracted valid customer session tokens from uploaded support files, according to a report by the firm.
The strong multifactor authentication (MFA) policies enforced by one of the company’s impacted customers allowed it to detect the unauthorized access, block it, and report the breach to Okta.
“Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity,” David Bradbury, Okta’s chief security officer, said in a blog post. “HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”
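Because a HAR file records every request and response the browser made, it captures `Cookie`, `Set-Cookie` and `Authorization` headers and any tokens passed as URL parameters, which is exactly the material an attacker needs to replay a session. The following Python script is an added example (not code from Okta, BeyondTrust or the article) of sanitizing a HAR file before it is uploaded to a support ticket: it deep-copies the HAR, redacts the header, cookie and parameter names it considers sensitive, rewrites token-bearing query strings in the URL, and blanks request and response bodies. The lists of sensitive header and parameter names, the `[REDACTED]` marker and the embedded sample HAR are assumptions constructed for the example; tune the lists to the application being troubleshot.

```python
"""Redact session material from a HAR file before sharing it with a support desk."""
import copy
import json
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed lists: header and parameter names that commonly carry credentials or
# session identifiers. Extend them for the application whose traffic you captured.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-csrf-token"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "session", "sid", "code"}
REDACTED = "[REDACTED]"


def _redact_headers(headers):
    """Replace the value of any header whose name is in SENSITIVE_HEADERS."""
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _redact_cookies(cookies):
    """HAR keeps parsed cookies separately from the Cookie header; blank those too."""
    for c in cookies:
        if "value" in c:
            c["value"] = REDACTED


def _redact_params(params):
    """Redact queryString / postData.params entries with token-like names."""
    for p in params:
        if p.get("name", "").lower() in SENSITIVE_PARAMS:
            p["value"] = REDACTED


def _redact_url(url):
    """The request URL repeats the query string, so rewrite token parameters there as well."""
    parts = urlsplit(url)
    qs = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
          for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(qs)))


def sanitize_har(har):
    """Return a sanitized deep copy of a parsed HAR document; the input is left untouched."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        if "url" in req:
            req["url"] = _redact_url(req["url"])
        _redact_headers(req.get("headers", []))
        _redact_cookies(req.get("cookies", []))
        _redact_params(req.get("queryString", []))
        post = req.get("postData", {})
        _redact_params(post.get("params", []))
        if "text" in post:
            post["text"] = REDACTED  # login and token-exchange bodies carry secrets
        resp = entry.get("response", {})
        _redact_headers(resp.get("headers", []))
        _redact_cookies(resp.get("cookies", []))
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = REDACTED  # response bodies may echo tokens (e.g. JSON with id_token)
    return out


def count_remaining_secrets(har, needles):
    """Count occurrences of known secret strings anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return sum(blob.count(n) for n in needles)


# Constructed sample HAR with made-up session values, used to exercise the sanitizer.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.invalid/api/v1/users/me?sid=SESSION123",
        "headers": [
            {"name": "Cookie", "value": "sid=SESSION123; DT=devicetoken"},
            {"name": "Authorization", "value": "Bearer BEARERTOKEN456"},
            {"name": "Accept", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "SESSION123"}],
        "queryString": [{"name": "sid", "value": "SESSION123"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=SESSION789; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "SESSION789"}],
        "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"},
    },
}]}}
SAMPLE_SECRETS = ["SESSION123", "BEARERTOKEN456", "SESSION789", "devicetoken"]


if __name__ == "__main__":
    # Usage: python sanitize_har.py capture.har sanitized.har
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="utf-8") as fh:
        cleaned = sanitize_har(json.load(fh))
    with open(dst, "w", encoding="utf-8") as fh:
        json.dump(cleaned, fh, indent=2)
```

Blanking every request and response body is deliberately conservative; it removes the replayable material while keeping the URLs, status codes, timings and non-sensitive headers that support engineers usually need. A second check worth running before upload is a search of the sanitized output for any token you know was in the session, which is what `count_remaining_secrets` does on the sample.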
The incident was uncovered by security engineers from BeyondTrust, an identity and access security solutions provider, whose in-house Okta administrator account was hijacked. Policy controls put in place by the company’s security team blocked a suspicious authentication attempt from an IP address in Malaysia.
The attacker was prompted for MFA authentication
BeyondTrust’s policy in its Okta environment was to allow access to the Okta admin console only from managed devices that had Okta Verify installed, a multifactor authentication application developed by Okta. Because of this policy, the attacker was prompted for MFA when they tried to access the admin console, even though the stolen token gave them a valid session.
“It is important for Okta customers to enhance security policies through settings such as prompting admin users for MFA at every sign-in,” the BeyondTrust security team said in an advisory. “While this was within an existing session the attacker hijacked, Okta still views dashboard access as a new sign-in and prompts for MFA.”