Domino Effect Because of Okta
1Password, a widely used password management platform, experienced a security breach on September 29, 2023, when hackers accessed its Okta ID management tenant. This breach was tied to an incident where Okta’s support case system was compromised by threat actors using stolen credentials. These actors utilized the access to procure HTTP Archive (HAR) files from Okta’s customers. HAR files can contain sensitive data, notably authentication cookies and session tokens, which can be used for impersonation.
1Password’s specific breach was due to a compromised session cookie from an IT employee’s HAR file, which was given to Okta for assistance. Subsequent to this access, the attackers undertook a series of unauthorized actions. The breach was flagged by 1Password when an IT team member received a dubious email. Although there was a security breach, 1Password assured that no user data was compromised.
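The root cause above is a HAR file that still contained a live session cookie when it was handed to a support desk. The following is an added example, not code from 1Password, Okta or Cloudflare: it redacts cookies and authorization headers from a HAR document before it is shared, and reports how many secret values would otherwise leak. The header list and the embedded sample HAR are constructed for the example.

```python
import copy
import json

# Header names whose values are session material and must not leave the org.
# Matched case-insensitively; this set is an assumption made for the example.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def _scrub(part: dict) -> None:
    """Redact sensitive headers and every parsed cookie in one request or response."""
    for h in part.get("headers", []):
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED
    for c in part.get("cookies", []):
        c["value"] = REDACTED

def sanitize_har(har: dict) -> dict:
    """Return a deep copy of a HAR document with cookies and auth headers redacted.
    Bodies (postData, content) are left as-is and should be reviewed separately."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            _scrub(entry.get(side, {}))
    return clean

def count_leaks(har: dict) -> int:
    """Count header and cookie values that would still leak; 0 means safe to share."""
    leaks = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            leaks += sum(1 for h in part.get("headers", [])
                         if h.get("name", "").lower() in SENSITIVE_HEADERS
                         and h.get("value") != REDACTED)
            leaks += sum(1 for c in part.get("cookies", []) if c.get("value") != REDACTED)
    return leaks

# Constructed sample: one request to an Okta tenant carrying a session cookie.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=constructed-session-id"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "constructed-session-id"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=constructed-rotated; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "constructed-rotated"}]}}]}}

if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```

Run `count_leaks` on any HAR before attaching it to a support ticket; a non-zero result means a session token is still present.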
Cloudflare detected malicious activities on their system on October 18th, only two days before Okta revealed the incident. In Cloudflare’s situation, the attackers exploited an authentication token pilfered from Okta’s support mechanism to infiltrate Cloudflare’s Okta instance and obtain administrative rights.
While 1Password has since initiated several protective actions, like modifying its Okta configurations and updating the compromised IT employee’s credentials, there’s a noted discrepancy between 1Password and Okta regarding the chronological sequence of events.
According to TechCrunch, about 1% of Okta's 17,000 corporate customers, or roughly 170 organizations, were affected by the breach. Okta's official blog post published the following IoCs.
User-Agents
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)