Tracking Unauthorized Access to Okta's Support System
Okta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system.
The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.
Note: All customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.
Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.
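The sanitization step recommended above, as an added example that is not Okta's tooling or part of the original advisory: a small Python routine that walks a HAR document and redacts the places where session material normally ends up, namely Cookie/Set-Cookie/Authorization headers, every cookie entry, secret-looking query parameters (in both the `queryString` list and the URL itself), and secret-looking keys inside JSON request and response bodies. The header set, the key-name heuristics and the sample HAR with its `/api/v1/authn` exchange are constructed for the demonstration; non-JSON bodies (HTML, JavaScript) are left untouched, so a file that carries tokens in such bodies still needs a manual pass.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names that carry credentials or session material (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-okta-xsrftoken"}
# Substrings that mark a query parameter or JSON key as secret-bearing (heuristic, an assumption).
SENSITIVE_KEY_HINTS = ("token", "session", "sid", "password", "secret", "assertion", "credential")
REDACTED = "[REDACTED]"


def _sensitive_key(name):
    name = name.lower()
    return any(hint in name for hint in SENSITIVE_KEY_HINTS)


def _scrub_pairs(pairs, should_redact):
    """Redact values in a HAR name/value list (headers, cookies, queryString); returns the count."""
    count = 0
    for pair in pairs or []:
        if should_redact(str(pair.get("name", ""))) and pair.get("value") not in (None, "", REDACTED):
            pair["value"] = REDACTED
            count += 1
    return count


def _scrub_json(obj):
    """Recursively redact string values stored under secret-looking keys of a parsed JSON body."""
    count = 0
    if isinstance(obj, dict):
        for key, val in obj.items():
            if _sensitive_key(key) and isinstance(val, str):
                obj[key] = REDACTED
                count += 1
            else:
                count += _scrub_json(val)
    elif isinstance(obj, list):
        for item in obj:
            count += _scrub_json(item)
    return count


def _scrub_body(container):
    """Redact inside a JSON request (postData) or response (content) body; non-JSON text is left as is."""
    text = (container or {}).get("text")
    if not text:
        return 0
    try:
        parsed = json.loads(text)
    except ValueError:
        return 0
    count = _scrub_json(parsed)
    if count:
        container["text"] = json.dumps(parsed)
    return count


def _scrub_url(url):
    """Redact secret-looking query parameters in the request URL itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    count, pairs = 0, []
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if _sensitive_key(key) and val:
            val, count = REDACTED, count + 1
        pairs.append((key, val))
    return urlunsplit(parts._replace(query=urlencode(pairs))), count


def sanitize_har(har):
    """Return (sanitized deep copy of the HAR document, number of values redacted)."""
    har = copy.deepcopy(har)
    count = 0
    is_sensitive_header = lambda name: name.lower() in SENSITIVE_HEADERS
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"], n = _scrub_url(req.get("url", ""))
        count += n
        count += _scrub_pairs(req.get("headers"), is_sensitive_header)
        count += _scrub_pairs(resp.get("headers"), is_sensitive_header)
        count += _scrub_pairs(req.get("cookies"), lambda name: True)  # any cookie may be a session cookie
        count += _scrub_pairs(resp.get("cookies"), lambda name: True)
        count += _scrub_pairs(req.get("queryString"), _sensitive_key)
        count += _scrub_pairs((req.get("postData") or {}).get("params"), _sensitive_key)
        count += _scrub_body(req.get("postData"))
        count += _scrub_body(resp.get("content"))
    return har, count


# Constructed sample HAR (all values are fake); the bodies mimic an Okta /api/v1/authn exchange.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://example.okta.com/api/v1/authn?sessionToken=20111abc",
        "headers": [{"name": "Cookie", "value": "sid=102abc; DT=xyz"},
                    {"name": "Authorization", "value": "SSWS 00fakeApiToken"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102abc"}, {"name": "DT", "value": "xyz"}],
        "queryString": [{"name": "sessionToken", "value": "20111abc"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"username": "alice@example.com", "password": "hunter2"}'}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102abc; Secure; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102abc"}],
        "content": {"mimeType": "application/json",
                    "text": '{"status": "SUCCESS", "sessionToken": "20111abc", "_embedded": {"user": {"id": "00u1"}}}'}}}]}}

if __name__ == "__main__":
    clean, redacted = sanitize_har(SAMPLE_HAR)
    print(f"redacted {redacted} values")
    print(json.dumps(clean, indent=1))
```

On the sample the routine redacts ten values and leaves harmless headers such as `Accept` and `Content-Type` in place, which is what support engineers still need for troubleshooting. Because redaction is driven by a key-name heuristic, review the output before uploading: a token stored under an unusual key, or inside a non-JSON body, will not be caught.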
Attacks such as this highlight the importance of remaining vigilant and being on the lookout for suspicious activity. We are sharing the following Indicators of Compromise to assist customers who wish to perform their own threat hunting activity. We recommend referring to our previously published advice on how to search System Log for any given suspicious session, user or IP. Please note that the majority of the indicators are commercial VPN nodes according to our enrichment information.
220.127.116.11
18.104.22.168
22.214.171.124
126.96.36.199 (BROWSEC VPN)
188.8.131.52 (BROWSEC VPN)
184.108.40.206 (BROWSEC VPN)
220.127.116.11 (BROWSEC VPN)
18.104.22.168 (BROWSEC VPN)
22.214.171.124 (BROWSEC VPN)
126.96.36.199 (BROWSEC VPN)
188.8.131.52 (BROWSEC VPN)
184.108.40.206 (NEXUS PROXY)
220.127.116.11 (BROWSEC VPN)
18.104.22.168 (BROWSEC VPN)
22.214.171.124 (BROWSEC VPN)
126.96.36.199 (BROWSEC VPN)
188.8.131.52 (BROWSEC VPN)
184.108.40.206 (BROWSEC VPN)
220.127.116.11 (BROWSEC VPN)
18.104.22.168 (BROWSEC VPN)
22.214.171.124 (BROWSEC VPN)
126.96.36.199 (BROWSEC VPN)
188.8.131.52 (BROWSEC VPN)
While the following user-agents are legitimate, they may be rare in your environment given the release of Chrome 99 in March 2022.
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)
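The hunting step the advisory recommends, as an added example that is not Okta's code or part of the original post: a Python routine that matches exported Okta System Log events against an indicator set and then pivots on the session id and actor of every hit, so that the analyst sees the whole session rather than the single event that touched an indicator. It reads the standard System Log fields (`client.ipAddress`, `client.userAgent.rawUserAgent`, `actor.alternateId`, `authenticationContext.externalSessionId`). The two user-agent strings are the ones listed above; the regular expression goes beyond the page by catching any Chrome 99 build. The IP set uses RFC 5737 documentation addresses as constructed placeholders, and the sample events are constructed, not real telemetry; in practice load the addresses published in the advisory.

```python
import re

# Indicator inputs. The two IPs are RFC 5737 documentation addresses standing in for the
# advisory's list (constructed placeholders); load the published addresses in practice.
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
# The two user-agent strings from the advisory, plus a pattern for any Chrome 99 build (generalisation).
UA_WIN_CHROME_99 = ("Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
                    "Chrome/99.0.7113.93 Safari/537.36")
UA_MAC_CHROME_99 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) "
                    "Chrome/99.0.4844.83 Safari/537.36")
IOC_USER_AGENTS = {UA_WIN_CHROME_99, UA_MAC_CHROME_99}
CHROME_99 = re.compile(r"\bChrome/99\.0\.\d+\.\d+\b")


def _session_id(event):
    return (event.get("authenticationContext") or {}).get("externalSessionId")


def _actor(event):
    return (event.get("actor") or {}).get("alternateId")


def classify(event):
    """Reasons an Okta System Log event matches the indicators (empty list when it does not)."""
    reasons = []
    client = event.get("client") or {}
    ip = client.get("ipAddress")
    ua = (client.get("userAgent") or {}).get("rawUserAgent") or ""
    if ip in IOC_IPS:
        reasons.append(f"ioc-ip:{ip}")
    if ua in IOC_USER_AGENTS:
        reasons.append("ioc-user-agent")
    elif CHROME_99.search(ua):
        reasons.append("chrome-99-user-agent")
    return reasons


def hunt(events):
    """Direct indicator hits, then a pivot: every other event sharing a session id or actor with a hit.
    Returns (hits as (event, reasons) pairs, related events), both in log order."""
    hits = [(event, reasons) for event in events if (reasons := classify(event))]
    sessions = {_session_id(event) for event, _ in hits} - {None}
    actors = {_actor(event) for event, _ in hits} - {None}
    hit_ids = {event.get("uuid") for event, _ in hits}
    related = [event for event in events
               if event.get("uuid") not in hit_ids
               and (_session_id(event) in sessions or _actor(event) in actors)]
    return hits, related


def _event(uuid, published, event_type, actor, ip, ua, session, result="SUCCESS"):
    """Build a System Log event carrying the fields this hunt reads (constructed sample)."""
    return {"uuid": uuid, "published": published, "eventType": event_type,
            "actor": {"alternateId": actor, "type": "User"},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "authenticationContext": {"externalSessionId": session},
            "outcome": {"result": result}}


CURRENT_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/118.0.0.0 Safari/537.36")
SAMPLE_EVENTS = [  # constructed; e1 touches an IoC IP and a listed UA, e4 an unlisted Chrome 99 build
    _event("e1", "2023-10-18T09:00:00.000Z", "user.session.start", "alice@example.com",
           "203.0.113.10", UA_MAC_CHROME_99, "sess-A"),
    _event("e2", "2023-10-18T09:01:10.000Z", "user.authentication.sso", "alice@example.com",
           "192.0.2.5", CURRENT_CHROME, "sess-A"),
    _event("e3", "2023-10-18T09:02:00.000Z", "user.session.start", "bob@example.com",
           "192.0.2.5", CURRENT_CHROME, "sess-B"),
    _event("e4", "2023-10-18T09:03:00.000Z", "user.session.start", "carol@example.com",
           "192.0.2.9", CURRENT_CHROME.replace("118.0.0.0", "99.0.5000.1"), "sess-C"),
    _event("e5", "2023-10-18T10:15:00.000Z", "user.session.access_admin_app", "alice@example.com",
           "192.0.2.5", CURRENT_CHROME, "sess-D"),
]

if __name__ == "__main__":
    hits, related = hunt(SAMPLE_EVENTS)
    for event, reasons in hits:
        print("HIT    ", event["published"], event["eventType"], _actor(event), ", ".join(reasons))
    for event in related:
        print("RELATED", event["published"], event["eventType"], _actor(event), _session_id(event))
```

On the sample, `e1` and `e4` are direct hits, while `e2` (same session as `e1`) and `e5` (same actor, later session) surface only through the pivot. Treat the Chrome 99 match as a lead rather than a verdict: the advisory notes these user-agents are legitimate, just unusually old, so confirm the session against the user's normal devices and locations before acting.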