Starting March 22, news began circulating about an alleged Okta hack by a ransomware group. We hope the investigation will find it to be either a fraudulent claim or a minor-impact incident.
On March 24, Okta announced that it had directly addressed the affected customers.
Nevertheless, our team still recommends running through the following checks to make sure your business is safe. This article provides some immediate measures you can take concerning your Okta identity infrastructure.
From the available evidence, a couple of screenshots published by the attacker and timestamped January 21, 2022, we see internal admin tools.
The privileged access was most likely obtained through social engineering targeting an Okta IT admin, not through a technical flaw or system vulnerability.
Until further notice from Okta’s investigation, we recommend taking the following actions:
- Investigate the Okta System Log for the following events, and see if any entry has an Actor that is not an admin in the Okta tenant or is marked as "Okta System":
  - `eventType eq "user.mfa.factor.deactivate"`
  - `eventType eq "user.account.update_password"`
- Revoke Okta Support access until further notice
- [Update, March 24] Check that no new admins were added during the period.
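The System Log review above can be scripted. The following is an added example written for this article, not Okta's own tooling: it builds the System Log filter expression for the two event types listed, fetches matching entries from the `/api/v1/logs` endpoint (using the documented SSWS token header and `filter`/`since` query parameters), and flags any entry whose actor is "Okta System" or is not in your list of known tenant admin IDs. It also watches `user.account.privilege.grant` to cover the "new admins added" check; that event type, the `SystemPrincipal` actor type and all sample entries below are assumptions or constructed data, so verify them against your own tenant's log before relying on the output.

```python
"""Triage helper for the Okta System Log checks described above.

Added example, not Okta's code. Entry shapes follow the public System Log
API (eventType / actor.id / actor.type / actor.displayName / target), but
the sample entries at the bottom are constructed, not real data.
"""
import json
import urllib.parse
import urllib.request
from datetime import timezone

# Event types named in the advisory, plus (assumption) the event emitted when
# an admin role is granted, which covers the "new admins added" check.
WATCHED_EVENT_TYPES = (
    "user.mfa.factor.deactivate",
    "user.account.update_password",
    "user.account.privilege.grant",  # assumed; verify against your tenant's log
)

OKTA_SYSTEM_ACTOR = "Okta System"


def build_filter(event_types=WATCHED_EVENT_TYPES):
    """Return a System Log 'filter' expression selecting the watched events."""
    return " or ".join(f'eventType eq "{e}"' for e in event_types)


def fetch_logs(okta_domain, api_token, since, event_types=WATCHED_EVENT_TYPES):
    """Pull matching entries from GET /api/v1/logs (first page only).

    Network call, not exercised by the offline demo below. 'since' must be a
    timezone-aware datetime marking the start of the review window.
    """
    params = urllib.parse.urlencode({
        "since": since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "filter": build_filter(event_types),
        "limit": 1000,
    })
    req = urllib.request.Request(
        f"https://{okta_domain}/api/v1/logs?{params}",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def is_suspicious(entry, admin_ids):
    """Flag a watched event whose actor is 'Okta System' or not a known admin."""
    if entry.get("eventType") not in WATCHED_EVENT_TYPES:
        return False
    actor = entry.get("actor") or {}
    if actor.get("displayName") == OKTA_SYSTEM_ACTOR:
        return True
    return actor.get("id") not in admin_ids


def triage(entries, admin_ids):
    """Return (eventType, actor name, first target) for each suspicious entry."""
    findings = []
    for e in entries:
        if is_suspicious(e, admin_ids):
            targets = e.get("target") or [{}]
            findings.append((
                e["eventType"],
                (e.get("actor") or {}).get("displayName", "?"),
                targets[0].get("alternateId", "?"),
            ))
    return findings


# Constructed sample entries (not real data). "00uADMIN01" is a legitimate
# tenant admin; "00uSUPPORT" stands for a support session that is not a
# tenant admin; the "Okta System" actor marks an internally initiated action.
SAMPLE_ENTRIES = [
    {"eventType": "user.mfa.factor.deactivate",
     "actor": {"id": "00uADMIN01", "type": "User", "displayName": "Jane Admin"},
     "target": [{"alternateId": "alice@example.com", "type": "User"}]},
    {"eventType": "user.account.update_password",
     "actor": {"id": "00uSUPPORT", "type": "User", "displayName": "Support Engineer"},
     "target": [{"alternateId": "bob@example.com", "type": "User"}]},
    {"eventType": "user.mfa.factor.deactivate",
     "actor": {"id": "00uSYSTEM", "type": "SystemPrincipal", "displayName": "Okta System"},
     "target": [{"alternateId": "carol@example.com", "type": "User"}]},
    {"eventType": "user.session.start",
     "actor": {"id": "00uSUPPORT", "type": "User", "displayName": "Support Engineer"},
     "target": []},
]
KNOWN_ADMIN_IDS = {"00uADMIN01"}

if __name__ == "__main__":
    print("Filter:", build_filter())
    for finding in triage(SAMPLE_ENTRIES, KNOWN_ADMIN_IDS):
        print("SUSPICIOUS:", finding)
```

Run against your own export by replacing `SAMPLE_ENTRIES` with the result of `fetch_logs(...)` (or a saved JSON export) and `KNOWN_ADMIN_IDS` with the user IDs of your tenant's admins; the list of admin IDs is the allowlist, so any watched event performed by someone outside it surfaces for review rather than being silently accepted.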
We will continue to update you as Okta provides more details and its future preventive plans.
For any questions, don’t hesitate to contact us.
Credit: Razvan Negri, Okta Consultant.