Cyber Threat: Okta Breach

Scams

October 26, 2023

Attention employers! Last week, Okta, an identity and access management (IAM) service provider, identified adversarial activity that used a stolen credential to access its support case management system. The threat actor was able to view sensitive HTTP Archive (HAR) files uploaded by a limited number of Okta customers as part of recent support cases.

Multi-factor authentication (MFA) continues to be targeted by threat actors. Last month, Okta revealed social engineering campaigns targeting US-based Okta customer organizations' IT service desk personnel in attempts to reset MFA for high-privilege users. The threat actor leveraged the compromised Okta Super Admin accounts to abuse legitimate identity features and impersonate users within the compromised organization. Impacted organizations include MGM and Caesar's Palace, ultimately affecting millions of patrons worldwide due to subsequent ransomware attacks. The NJCCIC reminds organizations to implement a defense-in-depth approach using multiple layered security and identity management controls, so that no single point of failure can result in a successful cyberattack. Additionally, users are advised to review and sanitize HAR files prior to sharing them or adding them to a repository. Further details and indicators of compromise (IOCs) can be found in the Okta article, the BeyondSecurity blog post, and the KrebsOnSecurity blog post.

The Lessons:

  • Defense-in-depth is crucial: No single security measure is foolproof. Employ multiple layers of security and identity management controls to prevent breaches.
  • MFA must be strong: Use MFA methods stronger than phone calls or SMS; hardware tokens or authenticator apps are more secure options.
  • Scrutinize shared data: Before sharing sensitive information like HAR files, review and sanitize them to remove any potential security risks.
  • Stay vigilant and informed: Regularly update security systems and educate employees about cyber threats and best practices.
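The HAR sanitization advice above (and the "Scrutinize shared data" lesson) can be put into practice with a small script. The following is an added example, not code from Okta or the NJCCIC; the header list, the `[REDACTED]` marker, and the embedded sample HAR are assumptions constructed for illustration.

```python
import copy
import json

REDACTED = "[REDACTED]"

# Header names whose values routinely carry bearer tokens or session cookies.
# Assumed list for this example; add any app-specific auth headers your systems use.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}


def _redact_pairs(pairs, names=None):
    """Redact the value of each {name, value} entry; with names=None, redact all of them."""
    for entry in pairs:
        if names is None or entry.get("name", "").lower() in names:
            entry["value"] = REDACTED


def sanitize_har(har):
    """Return a copy of a parsed HAR with auth headers and every cookie value redacted."""
    clean = copy.deepcopy(har)  # never mutate the caller's original capture
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _redact_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            _redact_pairs(msg.get("cookies", []))  # all cookies, not only session-named ones
    return clean


def sanitize_har_text(har_text):
    """Convenience wrapper for a HAR file's raw JSON text."""
    return json.dumps(sanitize_har(json.loads(har_text)), indent=2)


# Constructed sample: a one-entry HAR holding a session cookie and a bearer token.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://example.invalid/api/me",
            "headers": [{"name": "Accept", "value": "application/json"},
                        {"name": "Authorization", "value": "Bearer eyJconstructed"}],
            "cookies": [{"name": "sid", "value": "abc123constructed"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=abc123constructed; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "abc123constructed"}],
        },
    }]}
}

if __name__ == "__main__":
    print(sanitize_har_text(json.dumps(SAMPLE_HAR)))
```

Header matching is case-insensitive, but anything outside headers and cookies (for example tokens inside URLs or POST bodies) is left untouched, so a manual review of the output is still needed before the file is shared.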