Auth0

Auth0 Code Repository Archives From 2020 and Earlier

Notification of Auth0 Code Repository Archives Security Event - No Customer Action Required, Auth0 Fully Operational In alignment with our core value of transparency, we are communicating about a recent security event related to certain Auth0 archival code repositories; there is no impact to customer data. This does not impact any other Okta products. Read more

Brett Winterford

Phishing Resistance and Why it Matters

In the wake of recent security events at Uber and Twilio, organizations are understandably interested in pivoting to authenticators that offer the most resistance to phishing attacks. So what is phishing resistance, and why does it matter? Credential theft remains the primary means by which attackers gain unauthorized access to systems. In 2021, over 80 percent of successful attacks on web applications stemmed from credential-based attacks such as phishing, credential stuffing and password...

Defensive Cyber Operations

Detecting Scatter Swine: Insights into a Relentless Phishing Campaign

Summary Twilio recently identified unauthorized access to information related to 163 Twilio customers, including Okta. Access was gained to internal Twilio systems, where data of some Okta customers was accessible to a threat actor (detailed below). Okta has determined that a small number of 1) Mobile phone numbers and 2) Associated SMS messages containing one-time passwords (“OTPs”) were accessible to the threat actor via the Twilio console. Okta has notified any customers where a phone...

Moussa Diallo and Tim Peel and Brett Winterford

Defending against Session Hijacking

Multi-factor Authentication (MFA) is very effective at limiting what an adversary can do with a stolen password. According to research commissioned by Google in 2019, MFA thwarted 99% of automated credential-based attacks and 93% of phishing campaigns. It remains one of the most essential and effective controls against account takeovers. In some circumstances (outlined below), MFA can be bypassed. Okta’s Cyber Threat Research team has observed the proliferation of malware designed to extract...

James Brodsky

Unlocking the Mystery of 700+ Okta System Log Events

Update 06-21-2022: Eleven new System Log events have been added to the Github project to bring the total number of cataloged events to a lucky 777. When I started writing this post, there were 766 potential System Log types that can appear in System Log, the logging platform in every Okta administrative console. By the time I finished it, there were 768. Things move fast in the cloud. While the most important of these events are well documented already, the significance of others are only...

Steve Ripaldi

Okta's Response to CVE-2022-22965 ("Spring4Shell")

Last Updated: 3/4/2022 1.30pm Pacific Time Three critical vulnerabilities have been identified affecting the Java Spring Framework and related software components - with one specific CVE being known as Spring4Shell/SpringShell (CVE-2022-22965). CVE-2022-22965 : Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Okta Security has triaged the Spring4Shell vulnerability, and determined Okta is not...

David Bradbury

Official Okta Statement on LAPSUS$ Claims

Last updated: 03/22/2022 12.00pm, Pacific Time Please note - Following this update all further information will be published at: https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/ The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers. In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part...

Brett Winterford

Protection, without perimeters

Given the premise that “identity is the new perimeter”, we’re often asked about the role network attributes should play in restricting access to applications, servers and data. Can we, and should we, for example, deny access requests originating in high-risk countries or countries involved in conflict? The reality is that network context still matters. We can take into account the identity of the network and location our users are authenticating from. If a customer determines that there are no...

James Brodsky

Everything is Yes: Detecting and Preventing MFA Fatigue Attacks

UPDATE 17/04/23: Okta has published internal detection logic for abuse of Push notifications and shared these detections with security analytics partners. I’m the proud parent of 13-year-old fraternal twins. Most of the time they’re wonderful smaller humans, but sometimes they drive me bonkers with endless streams of rapid-fire, closed-ended questions. Here’s an example of a recent, pre-dinnertime question barrage: “Are you making pizza for dinner with your special dough? Did you get the...

Brett Winterford

We (still) need to talk about RDP

Quarter by quarter, for three years now, abuse of Remote Desktop Protocol (RDP) has been the most common root cause of all ransomware events. It’s no surprise why RDP makes for an attractive target: RDP is the primary vehicle for remote access to Windows servers and is used for administrative functions. It’s the most commonly listed method of remote access sold by initial access brokers. According to some 2019 research [pdf] by Sophos, an open RDP port gets its first connection request...