Update: Okta Breach

THE THREAT

Update to the eSentire original advisory on the Okta Security Incident from October 20, 2023.

On November 29th, 2023, Okta released additional information on the October security incident that impacted the company. Okta has confirmed that threat actors were able to download a report containing customer names and email addresses. This impacted all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, excluding FedRamp High and DoD IL4 environments. Stolen information has not been observed being used in real-world attacks at this time, but threat actors may employ names and email addresses to perform phishing and other social-engineering type attacks.

Impacted Okta clients are recommended to operate under heightened security awareness, instruct employees on the risks of malicious emails, and enforce the use of Multi-Factor Authentication (MFA) to reduce the impact of compromised credentials.

What we’re doing about it

• eSentire is actioning all necessary recommendations:
  • eSentire Multi-Factor Authentication in place
  • The process of reauthenticating Administrative IP address changes is underway
  • eSentire will enforce the 12-hour Admin timeout with a 15-minute idle time out when this feature becomes available
• The eSentire Threat Response Unit (TRU) has performed network sweeps and notified any impacted MDR for Network customers
• eSentire has existing MDR for Log detections in place to detect abnormal Okta abuse. Additionally, TRU is actively tracking this event for additional details and detection opportunities where applicable data is present
• eSentire's TRU has performed threat hunts related to the disclosed information in the first notice provided by Okta
• eSentire's CISO team has verified account controls and validated with our critical vendors, across our Third-Party Risk Management process, that they are also taking necessary steps to ensure their security
• Our Threat Intelligence team is actively monitoring reports, regarding the incident, for further developments and detection opportunities

What you should do about it

• If you hold an Okta tenant, enforce the use of Multi-Factor Authentication (MFA) to reduce the value of compromised credentials
• Enable Admin Session Binding, as outlined in the November 29th Okta Update
• Enable the Admin Session Timeout feature when it becomes available in January 2024
• Ensure end user phishing training includes information on recent adversary tactics, such as AitM and QR code abuse

Additional information

In the October 2023 attack, threat actors targeted Okta's support case management system, which is separate from the primary Okta service. HAR files, uploaded by customers for troubleshooting, can contain sensitive information, emphasizing the importance of sanitizing such files before sharing.

Impacted System: 

Okta Support Case Management System

References:

[1] https://www.esentire.com/security-advisories/okta-breach
[2] https://sec.okta.com/harfiles
[3] https://www.esentire.com/security-advisories/increase-in-adversary-in-the-middle-phishing-attacks