November 29, 2023 at 01:54AM
Okta disclosed further activity related to its October 2023 breach, revealing that the names and email addresses of customer support system users were downloaded. The exposure affects nearly all customers, except those served by separate support environments. Okta has taken precautionary steps and has engaged a digital forensics firm to investigate. The attacker's identity is unknown, but Scattered Spider is one possible suspect.
Meeting Takeaways:
1. **Breach Disclosure**: Okta has announced that it detected additional threat actor activity related to the October 2023 breach of its support case management system.
2. **Data Affected**: The attacker downloaded names and email addresses of all users of Okta’s customer support system.
3. **Customers Impacted**: All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are affected, except those in Okta's FedRAMP High and DoD IL4 environments. The Auth0/Customer Identity Cloud (CIC) support case management system was not compromised.
4. **Breach Reporting**: The expanded scope of the breach was first reported by Bloomberg.
5. **Preventive Measures**: Okta has found no evidence that the downloaded information has been misused, but it has warned customers of the heightened risk of phishing and social engineering attacks that the exposed names and email addresses enable. It has introduced new security features and provided customers with defensive recommendations.
6. **Investigative Actions**: Okta has engaged a digital forensics firm for the investigation and will also notify individuals whose information was downloaded.
7. **Initial Breach Details**: The initial breach, which took place between September 28 and October 17, 2023, was originally said to affect about 1% (134) of Okta's 18,400 customers.
8. **Threat Actor Profile**: The identity of the attackers remains unknown, but Scattered Spider, a notorious cybercrime group, targeted Okta as recently as August 2023. The group is known for using social engineering to obtain administrator permissions and is affiliated with the BlackCat ransomware operation.
9. **Scattered Spider's Methodology**: Scattered Spider can swiftly infiltrate cloud and on-premises environments to deploy ransomware. In a recent intrusion, the group entered a company through an IT administrator's account via Okta SSO and moved to on-premises assets in under an hour.
10. **Expert Insight**: ReliaQuest researcher James Xiang highlights Scattered Spider's skill in understanding and navigating sophisticated cloud and on-premises environments.