Okta Breach Part 2: Unveiling the Full Scope and Impact

Introduction

In late October, Okta reported a cybersecurity breach that initially appeared to affect less than 1% of its customers. However, recent revelations indicate a far-reaching impact, affecting 99.6% of users in the customer support system. This blog post delves into the broader implications of this

The True Scope Revealed

Contrary to the initial estimates, which downplayed the incident, it has now been disclosed that hackers successfully ran a report on September 28, 2023, that contained sensitive information about all Okta customer support system users. The compromised data included names, email addresses, company names, contact phone numbers, and other details, impacting 100% of Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers. The only exceptions are those in highly sensitive environments such as the government.

Financial Impact on Okta

Despite the significant dip in Okta’s stock prices when the breach was first reported in October, resulting in a temporary loss of approximately $2 billion in market capitalisation, the financial fallout seems to be hovering in the single digits. Okta’s latest quarterly financial report indicates a more than 20% increase in revenues for the quarter ending October 31, demonstrating a robust financial performance despite the security incident.

Customer Trust at Stake

The discrepancy between the initially reported 1% impact and the actual 99.6% of affected users reveals a concerning lapse in transparency. Okta customers are now grappling with the realization that threat actors may have access to their names and email addresses, exposing them to the risk of phishing and social engineering attacks. While Okta assures that there is no direct evidence of exploitation, they urge customers to remain vigilant. This stolen information could be weaponized for targeted cyber scams.

Phishing and Social Engineering Threat

With 99.6% of users having had their names and email addresses exposed, the stolen data poses a heightened risk of phishing and social engineering attacks.

Okta Phishing

Cyber security experts emphasise the need for Okta customers, especially administrators, to enforce multi-factor authentication (MFA) and consider the use of phishing-resistant authentication. The potential for threat actors to exploit this information for targeted attacks underscores the importance of proactive security measures on the customer’s end.

Conclusion

In the aftermath of the Okta breach, customer trust in identity management systems faces a critical test. As emphasised by the mantra “The ‘S’ in IAM stands for Security”, the true scale of the incident challenges the reliance on auto-saved passwords, demonstrating the vulnerability of conventional systems. We urgently advocate for the adoption of passwordless authentication. For those catching up, our previous post details the Okta breach, highlighting the imperative to #gopasswordless. This approach not only addresses current vulnerabilities but also aligns with the evolving demands of a secure digital landscape.

Unpacking Okta’s Recent Security Breach

Introduction

In today’s interconnected world, data breaches have become unfortunately common. One recent incident that has drawn the cybersecurity community’s attention involves Okta, a prominent identity and access management (IAM) provider. This blog post delves into the specifics of the Okta breach, its impact, and the lessons we can learn.

The Initial Okta Breach

The story starts with a breach of Okta’s case management system, reported in late October. Threat actors gained unauthorised access to sensitive files of 134 Okta customers, less than 1% of the customer base. Some stolen files were HTTP Archive (HAR) files with session tokens, usable in session hijacking attacks.
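One way to scrub session material out of a HAR capture before it is attached to a support case, as an added example (not code from Okta or the original post). The parameter-name hints and the sample capture are constructed assumptions.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Headers that always carry credentials or session state.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Headers whose value is itself a URL and may repeat a token in its query string.
URL_HEADERS = {"referer", "location"}
# Assumed name fragments for parameters and custom headers; extend per application.
SENSITIVE_HINTS = ("token", "session", "secret", "password", "sid")
REDACTED = "REDACTED"


def is_sensitive(name):
    lowered = name.lower()
    return lowered in SENSITIVE_HEADERS or any(h in lowered for h in SENSITIVE_HINTS)


def redact_url(url):
    """Keep the URL shape but blank the values of sensitive query parameters."""
    parts = urlsplit(url)
    query = [(k, REDACTED if is_sensitive(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_pairs(pairs, always=False):
    """Redact a HAR name/value list in place and return the number of changes."""
    changed = 0
    for pair in pairs or []:
        name, value = str(pair.get("name", "")), str(pair.get("value", ""))
        if always or is_sensitive(name):
            pair["value"] = REDACTED
            changed += 1
        elif name.lower() in URL_HEADERS:
            pair["value"] = redact_url(value)
            changed += pair["value"] != value
    return changed


def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions) for a parsed HAR."""
    clean = copy.deepcopy(har)
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        request, response = entry.get("request", {}), entry.get("response", {})
        for message in (request, response):
            count += redact_pairs(message.get("headers"))
            # Every cookie value is treated as session material.
            count += redact_pairs(message.get("cookies"), always=True)
        count += redact_pairs(request.get("queryString"))
        if "url" in request:
            request["url"] = redact_url(request["url"])
        # Bodies can embed tokens in any format, so their text is dropped wholesale.
        for body in (request.get("postData"), response.get("content")):
            if body:
                count += redact_pairs(body.get("params"))
                if body.get("text"):
                    body["text"] = REDACTED
                    count += 1
    return clean, count


def remaining_secrets(har, known_secrets):
    """Self-check: which known secret strings still appear anywhere in the HAR."""
    blob = json.dumps(har)
    return [s for s in known_secrets if s in blob]


# Constructed sample capture; every value below is made up for this example.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.test/app/dashboard?view=cases&sessionToken=abc123constructed",
        "headers": [
            {"name": "Cookie", "value": "sid=constructed-session-cookie"},
            {"name": "Accept", "value": "text/html"},
            {"name": "Authorization", "value": "Bearer constructed-bearer"},
            {"name": "Referer", "value": "https://example.test/login?sessionToken=abc123constructed"},
        ],
        "cookies": [{"name": "sid", "value": "constructed-session-cookie"}],
        "queryString": [{"name": "view", "value": "cases"},
                        {"name": "sessionToken", "value": "abc123constructed"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-session-cookie; HttpOnly"},
                    {"name": "Content-Type", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "constructed-session-cookie"}],
        "content": {"mimeType": "text/html", "text": "<html>ok</html>"},
    },
}]}}

if __name__ == "__main__":
    cleaned, redactions = sanitize_har(SAMPLE_HAR)
    print(redactions, "values redacted")
    print(json.dumps(cleaned, indent=2))
```

Running `remaining_secrets` over the sanitized copy with the session values you know were live during the capture is a cheap last check before the file leaves your environment.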

Targets: BeyondTrust, Cloudflare, and 1Password

BeyondTrust, Cloudflare, and 1Password confirmed their systems were targeted due to this breach. They emphasised no loss of customer data during these incidents, highlighting their robust security measures.

Okta’s Response and Investigation

David Bradbury, Okta’s Chief Security Officer, revealed the breach’s origin. An employee logged into their personal Google account on an Okta-managed laptop, inadvertently saving service account credentials. The hackers exploited this service account, gaining permissions to view and update support cases. The breach occurred from September 28 to October 17, 2023.

Investigation Challenges

Okta’s security team initially focused on unauthorized access to support cases. Identifying suspicious downloads took 14 days. Unique log event types and IDs complicated the detection process.

On October 13, BeyondTrust provided a suspicious IP address, leading to the identification of the compromised account’s activities.

Implications and Ongoing Concerns

The breach raises numerous cybersecurity concerns. Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, highlighted the potential for secondary attacks arising from exposed data. Such incidents erode trust in service providers, especially for security-focused companies like Okta.

John Bambenek, Principal Threat Hunter at Netenrich, pointed out that recurring security events raise questions about Okta’s reliability in sensitive roles like identity and authentication.

Conclusion: The Vital Role of Passwordless Authentication

The Okta breach underscores the importance of robust cybersecurity practices. Organisations must remain vigilant, conducting continuous security assessments and proactively implementing measures against evolving threats.

A single compromised password can jeopardize an entire institution. Therefore, we strongly advocate for passwordless authentication. By eliminating passwords, organizations can fortify their defenses, enhancing security and reducing the risk of future incidents. Passwordless authentication is a safer and more effective approach to protecting digital identities in today’s evolving landscape. #gopasswordless

Slack’s GitHub Exposed – Another MFA Failure

Slack reported suspicious activity on January 9th, 2023 regarding a breach in its remotely stored GitHub account. Upon investigation, it was found that tokens of a few Slack employees were stolen and used to gain access to remote git repositories. The threat actors also downloaded code from private repositories. Slack also stated that the threat resulted from a third-party vendor, and assured its users that no customer data is at risk.

Previous Incidents

In March 2015, Slack shared that it had been hacked for over four days in February 2015. Additionally, in January 2021, it had an outage for several hours. In a previous blog, we discussed a security bug in Slack from December 2022, where passwords were stored in plain text in their Android apps.

Reason and Impact

The attackers were able to gain access using brute force, due to a security flaw in Slack’s authentication system. Once they had access, they were able to steal the secret seeds (used to generate pseudo-random tokens) associated with that organisation’s account and gain access to the private code repositories stored on GitHub. The fact that a brute force attack was successful indicates a security lapse on Slack’s part.

The company claims that the threat actors did not get access to the production environment, customer data or Slack resources. Additionally, Slack rotated the affected tokens with the third-party vendors, and deployed additional security on their externally hosted GitHub.

About MFA Tokens

What Slack refers to as tokens in their update are MFA seeds or secret keys. These seeds or keys are a shared secret between (Slack’s) server and the user’s MFA application. The seeds are used to generate tokens, which are then used to authenticate the user in conjunction with passwords.

image credit – Twilio

Twilio has provided a detailed explanation of how MFA works with secret keys. Unfortunately, Twilio’s Authy was breached and customers’ TOTP secret keys were leaked in the recent past.
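How a one-time code is derived from the shared seed under RFC 4226/RFC 6238, as an added example (not code from Slack, Twilio or the original post). It shows why the server and the app compute the same code, why any copy of the seed does too, and why rotation is the fix; the seed is the published RFC 6238 test value and the replacement seed is constructed.

```python
import base64
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of time steps since the Unix epoch."""
    return hotp(seed, unix_time // step, digits)


def server_verify(stored_seed: bytes, submitted: str, unix_time: int,
                  step: int = 30, window: int = 1) -> bool:
    """Server side: recompute from the stored seed, tolerating +/- window steps of clock drift."""
    accepted = False
    for drift in range(-window, window + 1):
        expected = totp(stored_seed, unix_time + drift * step, step)
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        accepted |= hmac.compare_digest(expected.encode(), submitted.encode())
    return accepted


# RFC 6238 test seed ("12345678901234567890"), base32-encoded the way
# authenticator apps receive a seed during enrolment.
ENROLLED_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo(now: int = 59) -> dict:
    server_seed = base64.b32decode(ENROLLED_SEED_B32)   # stored by the service
    app_seed = base64.b32decode(ENROLLED_SEED_B32)      # stored by the user's MFA app
    copied_seed = bytes(server_seed)                    # any other copy of the same bytes
    # Constructed stand-in for a freshly issued seed; real rotation uses a CSPRNG
    # (for example secrets.token_bytes(20)) followed by re-enrolment of the user.
    rotated_seed = hashlib.sha256(b"constructed replacement seed").digest()[:20]
    return {
        "app_code": totp(app_seed, now),
        "app_accepted": server_verify(server_seed, totp(app_seed, now), now),
        "copy_accepted": server_verify(server_seed, totp(copied_seed, now), now),
        "copy_accepted_after_rotation": server_verify(rotated_seed, totp(copied_seed, now), now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The code depends only on the seed and the clock, so the server cannot distinguish the enrolled app from any other holder of the seed until the seed is replaced.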

Mitigation

Authentication systems that depend on abusable data like passwords, biometrics, TOTP/HOTP tokens, or public keys are insecure by design. Authentication solutions that make use of zero-knowledge factors are resilient to data leakage in case of a breach.

PureID’s Passwordless Authentication platform – PureAUTH eliminates the risk in case of a total breach of the authentication parameters it uses to verify users.

Check out how PureAUTH makes Slack passwordless and secure from credential-based attacks.

Connect with us to know how PureAUTH platform can help your enterprise be more secure and resilient.

Password Managers are the Hot Targets 

LastPass reported a security breach a month ago, which is the 8th security incident in the last 11 years. This incident was followed by a recent disclosure by a Google researcher that many popular password managers like Dashlane, Bitwarden, and Safari can be phished.

There are many lessons that we all need to learn from these recurring incidents. This post uncovers a few points that we have not seen discussed by the infosec community and the industry.

The Catch-22 – Phish or no Phish?

LastPass warned its users of an increased likelihood of Phishing attacks, Credential Stuffing, or other brute force attacks against online accounts associated with their LastPass vault.

Password Managers getting phished is an alarming situation

This statement goes against what password managers like LastPass claim – “use of password manager protects users from phishing attacks”.

In recent times there have been more incidents where password managers have been proved vulnerable to phishing attacks. You can find more details in this article: Popular password managers auto-filled credentials on untrusted websites.

The Impact

In their blog post, LastPass reported that customers’ personal information like email, phone number, billing address, and IP address has been compromised. That is not all: what LastPass has not talked about is the additional information they collect from their users through their mobile app.

The screenshots below show the permissions that the LastPass app takes on a user’s phone.

Permissions taken by the LastPass app on an Android device

These permissions enable an application provider like LastPass (other password managers take similar types of permissions on the user’s device) to collect more information about the user than is probably needed.

User information collected by the LastPass app

In case of a breach, like what happened with LastPass, the severity of the incident and the privacy impact will be greater if any additional information collected from the user’s phone is also leaked.

The Passwords

Furthermore, LastPass has reported that customers’ vaults, containing clear-text data such as website URLs and encrypted data such as usernames and passwords, were also obtained by the threat actors.

LastPass emphasised the use of the master key, and how a threat actor cannot decrypt the password vault even if they have the encrypted data, as the master key is a master password set by the user and is not stored on the LastPass network.

Meanwhile 1Password, a rival firm of LastPass, claims through their blog that passwords of LastPass can be cracked for $100. They also talk about their superior method of using a secret key and Password Authenticated Key Agreement systems, which makes 1Password’s systems next to impossible to crack.

With the device-specific keys mentioned by 1Password, we feel syncing passwords across multiple devices becomes a risky affair, since passwords need to be decrypted on another device, and that needs the user-chosen master password as well as the secret key from the earlier device. This problem cannot be solved without exposing the secret key or the user’s passwords (encrypted just with the user-chosen master password) in transit.

Conclusion

After a series of events involving password management products, enterprises must seriously think about how safe their users’ data and passwords really are.

Not to forget, the server doesn’t care if the password is coming from a password vault or from an adversary; the server will authenticate as long as it can match the string. So no matter how and where you store passwords, as long as there are passwords, enterprises are always at risk.

For better security, enterprises must plan to remove passwords from their applications and servers, and #GoPasswordless.

Fortinet leaked credentials to fuel more Breaches

Overview

In our previous research blog, Passwords & MFA Melting VPNS, we explained how vulnerabilities in Fortinet VPN are being exploited to harvest user credentials and bypass MFA implementations.

The latest update from The Hacker News: 500K FortiGate VPN user credentials are available for free. Many of the Fortinet VPN instances whose credentials are out there are not secure even if they have implemented MFA, as long as they are not patched for CVE-2020-12812.

Self-Propelling Cycle of leaked passwords & breaches

Old unpatched vulnerabilities in FortiGate SSL-VPN, CVE-2018-13379 & CVE-2019-5591, are widely exploited to gain VPN credentials. These stolen passwords are then shared on the dark web to fuel new breaches. This puts Fortinet in a self-propelling cycle of password leaks & breaches.

The Incident

Fortinet, through its PSIRT Blog, has reported: Malicious Actor Discloses FortiGate SSL-VPN Credentials. The cybercriminal group “Orange” publicly leaked around 500K usernames and passwords of Fortinet’s FortiGate SSL-VPN users from as many as 74 different countries.

The worldwide estimated number of affected FortiGate VPNs is approximately 87,000, out of which India has the largest share of leaked credentials (11%), followed by Taiwan (8.45%), Italy (7.96%) and then France (6.15%).

Source : The Hacker News

What Enterprises can do?

Passwords are at the root of this unfortunate cycle. As long as enterprise applications & systems are using passwords to authenticate, enterprises will continue to be stuck in this cycle.

The best solution is to #GoPasswordless with PureAUTH, which provides you with the most resilient yet convenient way to authenticate to FortiGate & other modern VPNs and keep your enterprise unaffected even in the face of the worst possible credential breach.

Kaseya Supply Chain Attack & Passwords

The world was recovering from the jolt of Solarwinds, and now we face another supply chain attack shaking the world. This time it is Kaseya.

About Kaseya

Kaseya provides unified IT management software used by IT teams and managed service providers (MSPs). VSA is their popular remote monitoring and endpoint management product, which sits deep inside clients’ networks and has access, with high privileges, to almost all enterprise assets.

What happened at Kaseya?

On 2 July 2021, Kaseya published a notification advising its customers and MSPs to disable their on-premise Kaseya VSA servers immediately.

They also announced that Kaseya had become the victim of a cyberattack & that many of its customers & MSPs were affected by a ransomware attack which exploited a 0-day vulnerability in the VSA software.

Incident details

Very limited information about the attack & the 0-day vulnerability is out at this point in time, but many security companies studying the matter closely mentioned with high confidence that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface.

This is corroborated by CVE-2021-30116, disclosed by Kaseya. The CVE is about a credentials leak and business logic flaw for which the resolution was in progress, hence the details were withheld.

In its limited disclosure blog post, the Kaseya team published the following 7 CVEs.

  • CVE-2021-30116 – A credentials leak and business logic flaw, resolution in progress.
  • CVE-2021-30117 – An SQL injection vulnerability, resolved in May 8th patch.
  • CVE-2021-30118 – A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
  • CVE-2021-30119 – A Cross Site Scripting vulnerability, resolution in progress.
  • CVE-2021-30120 – 2FA bypass, resolution in progress.
  • CVE-2021-30121 – A Local File Inclusion vulnerability, resolved in May 8th patch.
  • CVE-2021-30201 – An XML External Entity vulnerability, resolved in May 8th patch.

Notable points

Out of the 7 CVEs listed above, two, CVE-2021-30116 & CVE-2021-30120, are noteworthy, since they directly relate to authentication and bypassing the access controls.

We have seen such incidents with various VPN servers in the past, where attackers used vulnerabilities like CVE-2021-30116 to leak the system credentials. Leaked credentials were then stuffed to VPNs to gain unauthorized access.

The resistance posed by 2FA/MFA vanishes if you have vulnerabilities like CVE-2021-30120.

PureID has been consistently advising about the risk of having credentials on the server and their leakage due to various flaws or operational gaps. There has been a drastic increase in 2FA/MFA bypassing attacks, which puts enterprises at grave risk, as mentioned in the Auth0 report.

Conclusion

Just like previous high-profile attacks such as Solarwinds & Colonial Pipeline, we have another incident which involves passwords, & we have clearly seen that 2FA/MFA can be bypassed.

No doubt we will continue to see more such attacks as long as business applications continue to use risky passwords and bypassable 2FA/MFA.

Going passwordless can drastically reduce the enterprise attack surface and make systems more resilient.

Android FluBot Malware – spreading rapidly across Europe, might target the US!

FluBot is a banking malware that is specifically attacking Android phones and stealing bank details and passwords from your device. Like Covid-19, this malware has spread across a wide range of English speaking countries rapidly causing some irreparable damage. 

FluBot uses “smishing” – phishing using SMS and text messages. These attacks have seen a huge rise in the recent past. 

The Impact of the Attack 

Having originated in Spain and then spread to Germany, Hungary, Italy, Poland and the UK, the malware is believed to have claimed over 7,000 victims in the UK alone, where the campaign operators were using more than 700 unique domains for the distribution of FluBot.

Proofpoint says that U.S. users have already started receiving German and English-language phishing SMS messages, suggesting that the threat actor is getting ready to expand to this country. The pattern is similar to how the attacks started in the UK, where users first received German messages and then English ones.

Infection Stages

Smishing 

Here, an SMS with a malicious link, disguised as coming from well-known delivery service organisations such as DHL & FedEx, is sent to the user on an hourly basis.

The malware requires user interaction to get access to the Android device. 

Reference:  https://tinyurl.com/2vctczzy

On clicking the link, you are redirected to a fake website, where you have to download an APK.

Permission Acquisition

During the installation of this fake app, a misleading prompt appears asking for full access to SMS, networking, and the address book, including device management.

The Attack

After acquiring complete permissions, the malware carries out malicious activity which includes, but is not limited to:

  1. Reading and forwarding sensitive SMS/OTPs.
  2. Showing screen overlays on net banking apps to capture the passwords entered by the user.
  3. Intercepting incoming messages and notifications.
  4. Opening webpages.
  5. Disabling Google Play Protect.
  6. Uninstalling other applications.
  7. Accessing contact details and sending out additional text messages, spreading the spyware further.

Reference: https://tinyurl.com/2vctczzy

Protection & Precaution 

The National Cyber Security Centre (NCSC) warns users about this malware and its methodology, where you are told to download a tracking app because of a missed package. It recommends that Android users take the following precautions:

  1. Do not click on links in unsolicited messages.
  2. Do not download APK from any website, other than Google Play Store.
  3. Do not give unnecessary permissions while installing an APK downloaded from a reliable source.
  4. Scan your Android device frequently with a legitimate anti-malware application.
  5. Never store passwords or banking information locally on your Android device.
  6. If you have used a phone for internet banking, double-check your account with the bank and report any fraudulent activity immediately.

As long as systems are using passwords, adversaries will find various ways and tools to steal them. We highly recommend that enterprises adopt passwordless authentication for critical services.

References:

https://www.ncsc.gov.uk/guidance/flubot-guidance-for-text-message-scam

https://blog.f-secure.com/flubot-android-malware/

https://www.91mobiles.com/hub/flubot-malware-android-phone-steals-netbanking-passwords/

Credential stuffing Attacks on VPN: Serious Risk for Enterprise

Virtual Private Network (VPN) systems are widely used by enterprises to provide secure remote access to their employees. A VPN allows for easy access to the infrastructure, but it also opens up the corporate network to the internet.

All VPNs use password-based authentication which is susceptible to various types of attacks. Many enterprises use 2FA to mitigate such risks. However, attackers can steal the keys and even 2FA may not be enough. Once the attackers are on the network, they have unrestricted liberty of action or decision: MITM attacks, Credential stuffing, and other attacks become viable.

In recent times of the pandemic, where work-from-home is the new normal, VPN hacks have become a headache for many companies’ security teams with severe consequences if they are successful.

Virtual private networks, No Longer Private

The point of a Virtual Private Network is to enjoy the encryption and security of local networks while being at a remote location, through an encrypted tunnel, keeping intruders out. The point of VPNs becomes moot if the people you want to hide your data & resources from can actually access them by being in the tunnel with you.

Close to a thousand VPN servers were compromised and the credentials of users and admin accounts stolen by attackers. This allows anyone to log in to these networks until these credentials are revoked.

While all the limelight is being captured by ransomware attacks these days, VPN hacks have been hitting headlines for a decade now. The theft of data from Lockheed Martin in 2011, after the attackers gained network access through their VPN using leaked SecurID tokens from RSA, is one of many stories we haven’t learned much from.

Another bone-chilling story: the attack on Ukraine’s Ivano-Frankivsk region was carried out by getting onto the VPN network of the electrical infrastructure using stolen credentials. This left half of the region without electricity for several hours.

Affected Entity | Root Cause | Impact
Avast Antivirus | Stolen credentials | Adversaries modified the CCleaner distributed by Avast.
Lockheed Martin | CVE-2011-0609 | Critical data related to the defence contracts leaked.
Pulse Secure | CVE-2019-11510 | 1000 enterprises are at risk of ransomware attacks.
Ukraine Power grid | Malware | Power grid taken offline leading to no electricity for thousands.

List of the most serious VPN attacks due to stolen credentials

Secure Authentication for VPNs

Learning from the above incidents, stolen credentials are a serious risk even for VPNs, and 2FA is not helping. It’s also evident that, in case a CVE is out there for your VPN, you should not avoid the patch, but you can avoid passwords with much more ease and convenience. Going passwordless is a very effective way to provide secure & resilient authentication to VPNs.

Check out how Ajit accesses our Palo Alto GlobalProtect without passwords.

Our PureAUTH passwordless authentication platform integrates with all leading VPN solutions including Pulse Secure, Fortinet & Cisco AnyConnect. To know more you can get in touch with our team.

Ever increasing Office365 Credential Phishing Campaigns

With the advent of widespread electronic communication, we relied on a password for verifying the identity of a person. As it turns out, passwords are not secure enough to trust most information with. Two Factor Authentication to the rescue! Right? Well, it’s not so easy.

As systems have become secure, the attackers have shifted their focus to capitalizing on the weakest link – humans. While 2FA has somewhat solved the problem of people using ‘password’ or ‘1234’ as their passwords, it cannot fix the inherent problem with humans. We make decisions based on our knowledge, which is flawed most of the time. Attackers take advantage of this to carry out social engineering attacks such as phishing.

Risk of Phishing attacks

The Verizon Data Breach Investigations Report 2019 observed that phishing was used in 32% of confirmed breaches, and also in 78% of cyber-espionage cases. Additionally, VDBIR states that 29% of breaches involved the use of stolen credentials, which again is commonly accomplished through phishing attacks.

Due to the large number of successful phishing attacks, VDBIR mentions it as the #1 Threat Action.

Phishing attacks on Office 365

As such, there have been multiple attacks against Microsoft’s Office 365 platform, which hosts productivity apps and documents that are very important to businesses.

This phishing campaign uses Google’s Ads services to get around secure email gateways. Here you can see how blindly trusting anyone, even Google, can backfire.

Zoom Phishing mail
(source: Abnormal Security)

Office 365 Phishing page
(source: Abnormal Security)

With the popularity of Zoom skyrocketing, the attackers have been bandwagoning onto the new attack vector to target Office 365 logins. The trick they used is to rush the users by making them believe that their Zoom account might get suspended. Oh! The horror of not attending a meeting!

They have also used fake Teams alerts, relief payments, and VPN configs to try to get your Office logins. Looks like they desperately want your Office 365 credentials.

All the more reason to protect yourself against such attacks.

Effective Mitigation for Phishing: Go Passwordless

When all the training campaigns are failing & URL-checking anti-phishing measures are proving to be far more intrusive, you can effectively mitigate the risk of phishing by going passwordless.

With PureAUTH passwordless authentication, you can effectively mitigate the risk of having your password stolen by phishing and a number of other methods.

Try out PureAUTH, which offers passwordless secure access to not just Office 365 but many other services like AWS, GCP, G-Suite, Microsoft Azure and others.

Protection Against Credential Stealing Mobile Apps

From recent news by TechSpot.com, we have learnt that Google was ‘forced’ again, this time by the Evina Research group, to remove 25 credential-stealing apps, with 2.34 million combined installations, from its Android Play Store.

Out of the 25 listed applications, the PureID Security Team analysed a few to learn the modus operandi of these apps.

Abstract of Technical Analysis

App Chosen: Super Wallpapers Flashlight
Purpose: Offers fancy wallpapers and a flashlight-like utility
Permission: Extensive permissions that give the app more control over a device than needed
Malicious Behaviour: In-mobile phishing
Other Comments: The most popular application among the 25 apps removed by Google

Analysis Details

Step 1 : Gathering Permission

On installation, the app collects two additional permissions, access to storage and the ability to take pictures and record video, which are normally not needed for the functioning of such apps.

More permissions

Step 2 : Intercepting Facebook app invoke

Whenever a user launches the Facebook app, the Super Wallpapers Flashlight app detects it and launches http://m.facebook.com in a webview, thus making the user think the Facebook app needs credentials.

hxxp://m.facebook.com being rendered in webview with malicious javascript

Step 3 : Credential harvesting

Once a user presents credentials to the Facebook login page in the webview, the Super Wallpapers Flashlight app uses malicious JavaScript to harvest those credentials.

elements of malicious javascript
credentials collected at getLoginOne()
credentials in WebFBUtils

Step 4: Credentials exfiltration

Here is the code snippet to exfiltrate the harvested credentials to the hxxp://offer.airshop.pw site, which is an active website with Mandarin characters, indicating that it is a Chinese website.

Exfiltration of credentials harvested in WebFBUtils with a post request to airshop.pw

Step 5 : Quick analysis of  airshop.pw

When our team last checked the website, it was still active, and 2 engines at VirusTotal flag it as a (malicious/benign) website.

Virustotal report of hxxp://offer.airshop.pw
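A manifest audit for the permission patterns described in Step 1 above and in the FluBot “Permission Acquisition” stage, as an added example (not PureID’s analysis tooling and not code from either app). Both manifests are constructed, shaped like the decoded AndroidManifest.xml that a tool such as apktool produces, and the empty expected-capability baseline is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capability -> Android permissions that grant it.
CAPABILITIES = {
    "read or intercept SMS/OTP": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "send SMS": {P + "SEND_SMS"},
    "read contacts": {P + "READ_CONTACTS"},
    "draw screen overlays": {P + "SYSTEM_ALERT_WINDOW"},
    "intercept notifications": {P + "BIND_NOTIFICATION_LISTENER_SERVICE"},
    "uninstall other apps": {P + "REQUEST_DELETE_PACKAGES"},
    "device administration": {P + "BIND_DEVICE_ADMIN"},
    "camera and recording": {P + "CAMERA", P + "RECORD_AUDIO"},
    "storage": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
}


def declared_permissions(manifest_xml):
    """Permissions requested by the app or bound on its services/receivers."""
    # Manifests come from untrusted APKs; defusedxml is the safer parser for those.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms |= {el.get(ANDROID_NS + "name") for el in root.iter(tag)}
    for tag in ("service", "receiver"):
        perms |= {el.get(ANDROID_NS + "permission") for el in root.iter(tag)}
    perms.discard(None)
    return perms


def audit(manifest_xml, expected=frozenset()):
    """Compare what the manifest can do with what the app's stated purpose needs."""
    perms = declared_permissions(manifest_xml)
    present = {cap for cap, names in CAPABILITIES.items() if perms & names}
    return {
        "unexpected": sorted(present - set(expected)),
        # Contacts plus outgoing SMS is what self-spreading smishing needs.
        "can_spread_by_sms": {"send SMS", "read contacts"} <= present,
        "can_read_otp": "read or intercept SMS/OTP" in present,
    }


# Constructed manifest for a fake parcel-tracking app of the kind FluBot poses as.
PARCEL_TRACKER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".Listener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Constructed manifest for a wallpaper/flashlight utility as described in Step 1.
FLASHLIGHT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("parcel tracker", PARCEL_TRACKER_MANIFEST),
                            ("flashlight", FLASHLIGHT_MANIFEST)):
        print(label, audit(manifest))
```

Pass the capabilities an app category legitimately needs as `expected`, so that only the remainder is reported.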

Why is this case interesting?

Assuming the cost and effort of setting up and distributing in-mobile phishing apps versus web-based phishing kits are similar, in-mobile phishing attacks have higher success rates according to this decade-old study, and it still holds true. This effectiveness makes in-mobile phishing attacks more lucrative for attackers.

Just like Facebook, we will be seeing credentials of Gmail, mobile-banking and other important applications being targeted.

Protection against credential stealing apps

Enterprises spend a significant amount of money, time and resources to train their employees to prevent phishing attacks. All the training modules focus on desktop/browser-based phishing sites. Detecting in-mobile phishing attacks is very difficult even for a well-trained person.

Going passwordless proves to be an effective solution in such cases, where the user never needs to present any credentials to access enterprise services.

A word of caution here: choosing the right type of passwordless solution becomes important, as most passwordless solutions are designed to make desktop-based applications passwordless and not mobile-based apps.

Here is a simple demo of how PureAUTH makes the Gmail application passwordless.

Conclusion

In-mobile phishing attacks are getting mainstream. Going Passwordless is the best strategy to protect enterprise users from phishing attacks. PureAUTH covers you comprehensively on every surface and all devices.