Okta fell victim to breach and multiple customers impacted – Netwrix comments

October 2023 by Netwrix

Last Friday, identity and access management company Okta fell victim to a hacker who broke into the company’s support ticket system, stealing files that can be used to hack into the networks of its customers. Okta has approximately 18,000 customers and manages up to 50 billion users.

Tyler Reese, Director of Product Management at Netwrix, believes that in order for customers to stay protected, they need to maximise their security defences:

“Since this attack grabbed sensitive tokens that Okta had in their possession from their support team, the only way that a customer can protect themselves is to have defensive measures as there is no reasonable ability to proactively invalidate these tokens from the customer’s side.

“The first set of defenses should include strong, hardware-based authentication for privileged accounts, and operating from a trusted system. In cases documented by both BeyondTrust and Cloudflare, they were using hardware FIDO2 tokens that allowed the security teams to rule out potential credential breaches.

“The second set of defenses should be robust auditing and detection of privileged accounts from the identity systems. It was mentioned in one of the reports that even with the use of FIDO2, the compromised token can still be used to execute privileged API calls. The attacker tried to create a privileged account disguised as a service account.

“Thanks to proper monitoring, this activity was detected in a timely manner, and the backdoor privileged account creation process was stopped. Afterward, such accounts could have been used once the stolen token had expired and was no longer usable. To summarise, customers will need strong authentication defenses and proper auditing and detection for privileged changes to their Okta environment.

“With supply chain attacks in general, the biggest challenge is unpredictability: once a provider has been breached, it is difficult to know where the attacker will move with their privilege. If they are a software provider, they may look to introduce vulnerabilities into the software. If they are a financial services provider, they could look to exfiltrate data for extortion. The best that organisations can do is to adopt the concepts of the zero-trust approach, which encourages monitoring, zero standing privileges, and strong posturing and integrity of an organisation’s cyber assets.”
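The detection described in the comments above, a newly created account being granted administrative privilege shortly afterwards and named to look like a service account, can be expressed as a simple correlation over identity-provider audit logs. The following is an added example written for this page; it is not code from Netwrix, Okta or any of the companies named. The event type strings, the field layout and the log lines themselves are assumptions modelled loosely on Okta System Log naming and must be checked against a real tenant's export before use; the sample events are constructed, not real data.

```python
import json
from datetime import datetime, timedelta

# Event type names are assumptions modelled on Okta System Log naming;
# verify them against your tenant's actual log before relying on this.
CREATE_EVENT = "user.lifecycle.create"
DIRECT_GRANT_EVENT = "user.account.privilege.grant"
GROUP_ADD_EVENT = "group.user_membership.add"
ADMIN_GROUP_HINTS = ("admin", "administrator")
SERVICE_NAME_HINTS = ("svc", "service", "automation", "integration", "bot")


def _event(ts, etype, actor, targets):
    """Build one constructed, Okta-shaped log entry (sample data only)."""
    return {"published": ts, "eventType": etype, "outcome": {"result": "SUCCESS"},
            "actor": {"id": "00uADMIN", "displayName": actor}, "target": targets}


def _user(uid, name):
    return {"id": uid, "type": "User", "displayName": name}


def _group(gid, name):
    return {"id": gid, "type": "UserGroup", "displayName": name}


# Constructed sample log (newline-delimited JSON), not captured from a real tenant.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("2023-10-20T10:00:00.000Z", CREATE_EVENT, "it-admin", [_user("00u1", "svc-backup-sync")]),
    _event("2023-10-20T10:03:00.000Z", DIRECT_GRANT_EVENT, "it-admin", [_user("00u1", "svc-backup-sync")]),
    _event("2023-10-20T11:00:00.000Z", CREATE_EVENT, "it-admin", [_user("00u2", "jane.doe")]),
    _event("2023-10-20T11:05:00.000Z", GROUP_ADD_EVENT, "it-admin", [_user("00u2", "jane.doe"), _group("00gE", "Everyone")]),
    _event("2023-10-20T13:00:00.000Z", CREATE_EVENT, "it-admin", [_user("00u4", "automation-helper")]),
    _event("2023-10-20T13:10:00.000Z", GROUP_ADD_EVENT, "it-admin", [_user("00u4", "automation-helper"), _group("00gS", "Super Administrators")]),
    _event("2023-10-20T16:00:00.000Z", GROUP_ADD_EVENT, "it-admin", [_user("00u2", "jane.doe"), _group("00gS", "Super Administrators")]),
])


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by publish time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["_ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(e)
    return sorted(events, key=lambda e: e["_ts"])


def looks_like_service_account(name):
    """Heuristic: does the display name resemble a service/automation account?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SERVICE_NAME_HINTS)


def _user_targets(event):
    return [t for t in event.get("target", []) if t.get("type") == "User"]


def _is_privilege_grant(event):
    """True for a direct admin grant, or for membership added to an admin-looking group."""
    if event["eventType"] == DIRECT_GRANT_EVENT:
        return True
    if event["eventType"] == GROUP_ADD_EVENT:
        return any(t.get("type") == "UserGroup"
                   and any(h in t.get("displayName", "").lower() for h in ADMIN_GROUP_HINTS)
                   for t in event.get("target", []))
    return False


def find_backdoor_admin_creations(events, window_minutes=60):
    """Flag users who received admin privilege within `window_minutes` of being created."""
    creations = {}  # user id -> (created_at, display name)
    alerts = []
    for e in events:
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts are worth their own alert, but not this one
        if e["eventType"] == CREATE_EVENT:
            for t in _user_targets(e):
                creations[t["id"]] = (e["_ts"], t.get("displayName", ""))
        elif _is_privilege_grant(e):
            for t in _user_targets(e):
                if t["id"] not in creations:
                    continue  # pre-existing account; out of scope for this rule
                created_at, name = creations[t["id"]]
                delta = e["_ts"] - created_at
                if delta <= timedelta(minutes=window_minutes):
                    alerts.append({
                        "user_id": t["id"], "user_name": name,
                        "actor": e["actor"]["displayName"],
                        "minutes_after_creation": delta.total_seconds() / 60,
                        "service_like": looks_like_service_account(name),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_backdoor_admin_creations(parse_events(SAMPLE_LOG)):
        print(alert)
```

The rule deliberately keys on the actor's result, not their identity: a stolen session token lets the attacker act as a legitimate administrator, so the anomaly is the sequence (create, then elevate, quickly, with a service-like name), not who appears to have done it. The window and the name heuristics are tunable; in a real deployment the output would feed a ticket or an automatic suspension of the new account for review.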
