David Bradbury

Okta October 2023 Security Incident Investigation Closure

Related Posts: Recommended Actions - Nov 29, 2023 / Root Cause Analysis [RCA] - Nov 3, 2023 / Security Incident - Oct 20, 2023 Stroz Friedberg, a leading cybersecurity forensics firm engaged by Okta, has concluded its independent investigation of the October 2023 security incident. The conclusions of Okta’s investigation have not changed, and Stroz Friedberg has confirmed there is no evidence of further malicious activity beyond what was previously determined by Okta. The October 2023 security...

David Bradbury

October Customer Support Security Incident - Update and Recommended Actions

Related Posts: Root Cause Analysis [RCA] - Nov 3, 2023 / Security Incident - Oct 20, 2023 In the wake of the security incident Okta disclosed in October 2023 affecting our customer support management system (also known as the Okta Help Center), Okta Security has continued to review our initial analysis shared on November 3, re-examining the actions that the threat actor performed. This included manually recreating reports the threat actor ran in the system and the files the threat actor...

David Bradbury

Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation

Executive Summary We offer our apologies to those affected customers, and more broadly to all our customers that trust Okta as their identity provider. We are deeply committed to providing up-to-date information to all our customers. On Thursday, October 19, Okta advised customers of a security incident. Having finalized our investigation, we can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system...

David Bradbury

Tracking Unauthorized Access to Okta's Support System

Okta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this...

Brett Winterford

Go “Secure by Default” With Custom Admin Roles for IT support staff

The Takeaway: Creating custom roles for your help desk staff supports a “least privilege” approach. In late August, Okta’s Defensive Cyber Operations team outlined a social engineering campaign in which a target’s IT support staff - that is, the team responsible for common help desk tasks, were tricked into resetting the authenticators of users with the most privileged roles in an organization.  One of the many recommendations made in response to this event was to constrain the permissions of...

Defensive Cyber Operations

Cross-Tenant Impersonation: Prevention and Detection

Summary Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Organization (tenant). When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion. These methods are preventable and present several detection opportunities for defenders. In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk...

Ben King

BYO Telephony and the future of SMS at Okta

SMS has long played an important role as a universally applicable method of verifying a user’s identity via one-time passcodes. And over the last decade, SMS and voice-based Multi-factor Authentication has prevented untold attempts to compromise user accounts.  But it’s time to move on.  As of this month, any new Okta customer choosing to authenticate users (via the Workforce Identity Cloud) via SMS or voice will need to configure their own Telephony provider, just as they would any other...

Laremy Legel

Saying “No Thanks” to nOAuth

You may have heard about a vulnerability called, “nOAuth”, where, per Microsoft, “use of the email claim from access tokens for authorization can lead to an escalation of privilege.” What is this vulnerability, how can Okta help, and what are the mitigation steps and strategies to keep your own environment nOAuth free? Let’s break it down! What is nOAuth? Discovered in April of 2023, by researchers at descope, the nOAuth vulnerability relies on user accounts being merged by an Microsoft Azure...

Defensive Cyber Operations

Telling More Okta Detection Stories with Google Chronicle

Robust protection comes from layers, and many of you are already familiar with the Swiss Cheese Model. Simply stated, even when you're confident in your primary controls, that confidence only grows with each additional layer added. Because who wants to have a defense that’s built around a single slice of sad cheese, wrapped in a pitiful film of plastic? No thanks, we’ll take that sturdy block of Swiss each and every time.  Of course, given how thin most security teams are spread, robust...

Defensive Cyber Operations and Brett Winterford

An Unexpected Endorsement for WebAuthn

Okta Security endorses phishing resistant authentication at every opportunity. We’ve long argued enrolling users in Okta FastPass, FIDO2 WebAuthn authenticators or Smart Cards, and enforcing phishing resistant authentication flows will: Protect users against real-time phishing proxies and other forms of session hijacking. Solve for far more attacks than simply adding Number Challenge to Push notifications to defeat MFA Fatigue. Offer detection opportunities via System Log and the automation...

Page 1 of 9