Tracking Unauthorized Access to Okta's Support System

Cyber Security Threat Summary:
In a recent statement from Okta Security, they've reported the discovery of malicious activity involving the unauthorized use of a stolen credential to access Okta's support case management system. The threat actor was able to access files uploaded by specific Okta customers as part of recent support cases. It's essential to clarify that the support case system operates independently of the primary Okta service, which remains fully functional and unaffected. Notably, the Auth0/CIC case management system has not been impacted by this incident.

Okta has taken prompt action by notifying all customers affected by this event. For Okta customers who haven't received any additional messages or communication, it's reassuring to know that their Okta environment and support tickets remain unaffected.

As part of their regular business operations, Okta's support team may request customers to provide an HTTP Archive (HAR) file, which is instrumental for troubleshooting by replicating browser activities. These HAR files can potentially contain sensitive data, including cookies and session tokens, which could be exploited by malicious actors for impersonation.

Security Officer Comments:
Incidents like this emphasize the importance of continuous vigilance and the need to stay alert for suspicious activities. Okta has shared Indicators of Compromise to support customers in conducting their own threat hunting. They also suggest referring to previously published guidance on searching the System Log for signs of suspicious sessions, users, or IP addresses. Please be aware that most of the indicators are associated with commercial VPN nodes based on available enrichment information.

Suggested Correction(s):
Okta has collaborated closely with their affected customers to investigate the matter thoroughly and has put in place protective measures. These measures include the revocation of embedded session tokens. Okta also off