# Incident Report: Okta Support System Supply Chain Attack
## Executive Summary
A threat actor gained unauthorized access to Okta’s support environment and discovered that sensitive, unsanitized HAR files were being stored. These files contained customer session tokens, which the attacker subsequently reused to access the environments of several different Okta customer organizations, resulting in a supply chain security incident.
## Incident Details
- Discovery Date: Not explicitly stated, but the public disclosure date indicates the period of discovery and vendor notification.
- Incident Date: Occurred prior to October 20, 2023.
- Affected Organization: Okta (Initial breach); multiple Okta customer organizations (Secondary impact).
- Sector: Technology/Identity Management (Okta); Various sectors (Affected Customers).
- Geography: Not specified.
## Timeline of Events
### Initial Access
- Date/Time: Prior to October 20, 2023.
- Vector: Compromise of an Okta system environment, specifically the support system hosting customer troubleshooting data.
- Details: The attacker gained access to the environment where unsanitized HAR files were stored.
### Lateral Movement
- Details: The attacker leveraged information/credentials found within the HAR files (specifically session tokens) to pivot and gain unauthorized access into the environments of Okta's customers.
### Data Exfiltration/Impact
- Details: Session tokens and potentially other sensitive information contained within the HAR files appear to have been stolen and subsequently reused to access customer tenants, leading to a broad supply chain impact.
### Detection & Response
- Detection: Detection occurred when affected customer organizations became aware of the unauthorized access and subsequently made public statements.
- Response Actions: Okta initiated incident response procedures to investigate the scope of the support system breach and the downstream impact on customers.
## Attack Methodology
- Initial Access: Compromise of an internal Okta support system/environment.
- Persistence: Not detailed; it is assumed the attacker maintained access long enough to discover and exfiltrate the HAR files.
- Privilege Escalation: Not detailed in the provided text.
- Defense Evasion: Not detailed; the incident implies that sensitive data was stored in a way that allowed the attacker easy subsequent access to it.
- Credential Access: Direct access and exfiltration of **session tokens** stored within the unsanitized HAR files.
- Discovery: Internal reconnaissance within the support environment to identify data assets (HAR files).
- Lateral Movement: Replaying stolen session tokens to access customer tenants.
- Collection: Harvesting HAR files containing credentials/session identifiers.
- Exfiltration: Stealing the HAR files or the session tokens within them.
- Impact: Unauthorized access to multiple downstream customer environments.
## Impact Assessment
- Financial: Not available.
- Data Breach: Customer session tokens, and potentially other PII or sensitive troubleshooting data contained within HAR files. Direct impact on several downstream customer organizations.
- Operational: Disruption to customer operations due to unauthorized tenant access.
- Reputational: Significant reputational damage to Okta regarding internal data handling and supply chain security.
## Indicators of Compromise
- Network indicators: *Not specified.*
- File indicators: Unsanitized HAR files containing session tokens.
- Behavioral indicators: Replay of session tokens to access customer environments outside of normal user behavior.
## Response Actions
- Containment measures: Necessary steps would include invalidating compromised session tokens, securing the support environment, and notifying affected customers.
- Eradication steps: Thorough review and sanitization/removal of historical HAR files containing sensitive data.
- Recovery actions: Assisting all affected customers in auditing access logs and rotating credentials/secrets exposed via the breach.
## Lessons Learned
- The practice of storing unsanitized troubleshooting data (like full HAR files) in accessible environments poses a significant security risk, especially when that data contains active session tokens.
- Strong access controls and strict data minimization policies must be enforced during customer support processes.
## Recommendations
- Immediately cease the practice of storing unsanitized HAR files containing active session tokens. Implement automated tooling to strip sensitive PII and authentication credentials from troubleshooting data *before* storage.
- Conduct a comprehensive audit of all support and logging mechanisms to ensure sensitive data (tokens, secrets, passwords) is never logged or stored in plain text.
- Enhance internal monitoring/logging specifically targeting the use or replay of session tokens harvested from support systems.
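As an added example of the sanitization step in the first recommendation (this is illustrative code, not from the report or from Okta), a minimal HAR 1.2 scrubber that redacts authorization and cookie headers, every cookie value, token-like query parameters and credential-bearing bodies before a capture is stored. The header and name lists and the sample HAR are constructed for this example.

```python
import copy
import re

REDACTED = "[REDACTED]"
# Header names carrying credentials or session material; cookie values are always redacted.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Query-parameter / header names that usually denote a session or token (constructed list).
SENSITIVE_NAME_RE = re.compile(r"sess|token|sid|jwt|auth|secret|password")
# A body mentioning any of these keys is dropped whole rather than parsed field by field.
SENSITIVE_BODY_KEYS = ("password", "token", "secret", "cookie")

def _redact_pairs(pairs, always=False):
    """Redact each HAR {name, value} pair whose (lower-cased) name looks sensitive, or all pairs."""
    for item in pairs or []:
        name = str(item.get("name", "")).lower()
        if always or name in SENSITIVE_HEADERS or SENSITIVE_NAME_RE.search(name):
            item["value"] = REDACTED

def _redact_body(holder):
    """Blank holder['text'] (request postData or response content) if it mentions a sensitive key."""
    text = holder.get("text") or ""
    if any(k in text.lower() for k in SENSITIVE_BODY_KEYS):
        holder["text"] = REDACTED

def sanitize_har(har):
    """Return a deep copy of a HAR 1.2 dict with tokens, cookies and credentials removed."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            _redact_pairs(part.get("headers"))
            _redact_pairs(part.get("cookies"), always=True)
            _redact_pairs(part.get("queryString"))      # only present on requests
            _redact_body(part.get("postData") or part.get("content") or {})
    return clean

# Constructed sample capture (not a real HAR) of a login request and its response.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://idp.example.com/api/v1/authn",
        "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi..."},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102aBcDeF"}],
        "queryString": [{"name": "redirect", "value": "/home"}],
        "postData": {"mimeType": "application/json", "text": '{"username":"alice","password":"hunter2"}'}},
    "response": {
        "status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=102aBcDeF; Secure"}],
        "cookies": [{"name": "sid", "value": "102aBcDeF"}],
        "content": {"mimeType": "application/json", "text": '{"sessionToken":"20111abc","status":"SUCCESS"}'}}}]}}
```

Run the scrubber on a capture before it is attached to a ticket; the original dict is left untouched so the unsanitized copy can be discarded deliberately rather than by accident.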