Okta - User Authentication Bypass Vulnerability
Incident Report for Rapid Response Status Page
Resolved
Dear customers,

Following our latest update, we continued with the threat-focused hunting efforts, looking for suspicious logins.

Relevant hits that require your attention will be mentioned in the AXON report.

Additionally, we have published two new queries: one for identifying users with usernames above 52 characters, and a threat hunting query for suspicious logins.

These queries are available on Axon's GitHub:
- Users with usernames above 52 characters:
https://github.com/axon-git/rapid-response/blob/main/okta-auth-bypass/long_usernames_visibility.sql
- Suspicious logons of usernames above 52 characters:
https://github.com/axon-git/rapid-response/blob/main/okta-auth-bypass/okta_long_usernames_logons_without_mfa.sql

Axon reports have also been published for Team Axon customers, including the updated list of deliverables.

Sincerely,
Team Axon.
Posted Nov 07, 2024 - 17:54 UTC
Investigating
Team Axon is aware of a vulnerability that affected Okta and would have allowed threat actors, under certain conditions, to authenticate without supplying a password.

The vulnerability has already been addressed and patched by Okta. According to Okta, it was exploitable between July 23rd, 2024 and October 30th, 2024, and required the following pre-conditions for an account to be vulnerable:
- Okta AD/LDAP delegated authentication is used
- MFA is not applied
- The username is 52 characters or longer
- The user previously authenticated, creating a cache of the authentication
- The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic
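The following is an added example (not Team Axon's published SQL, and not Okta's code) showing how the two checks described on this page can be expressed over Okta System Log records: a visibility pass for usernames at or above the 52-character threshold, and a hunt for successful sign-ins by such users inside the exploitable window with no MFA event in the same session. The event shape, the sample records and the session-based MFA correlation via `authenticationContext.externalSessionId` are assumptions; the cache-first pre-condition is not visible in these fields and is not checked.

```python
from datetime import datetime, timezone

# Exploitable window stated above (Jul 23 - Oct 30, 2024, inclusive).
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)  # exclusive upper bound
MIN_USERNAME_LEN = 52

def ev(published, event_type, username, session_id, result="SUCCESS"):
    """Build a minimal record shaped like an Okta System Log event (constructed, not real)."""
    return {"published": published, "eventType": event_type,
            "outcome": {"result": result}, "actor": {"alternateId": username},
            "authenticationContext": {"externalSessionId": session_id}}

LONG_USER = "firstname.middlename.lastname.department.site@corp.example.com"  # 62 chars
SHORT_USER = "jdoe@corp.example.com"  # 21 chars

# Constructed sample log, covering the cases the hunt must separate.
SAMPLE_EVENTS = [
    # long username, in window, no MFA event for the session -> matches
    ev("2024-08-12T08:15:00Z", "user.session.start", LONG_USER, "sess-1"),
    # long username, in window, but MFA satisfied in the same session -> excluded
    ev("2024-09-02T09:00:00Z", "user.session.start", LONG_USER, "sess-2"),
    ev("2024-09-02T09:00:03Z", "user.authentication.auth_via_mfa", LONG_USER, "sess-2"),
    # short username -> excluded regardless of MFA
    ev("2024-09-03T10:00:00Z", "user.session.start", SHORT_USER, "sess-3"),
    # long username but before the exploitable window -> excluded
    ev("2024-07-01T11:00:00Z", "user.session.start", LONG_USER, "sess-4"),
    # failed attempt -> excluded (only successful sign-ins matter)
    ev("2024-10-30T23:59:00Z", "user.session.start", LONG_USER, "sess-5", "FAILURE"),
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def long_username_users(events):
    """Visibility query: distinct usernames at or above the 52-character threshold."""
    return sorted({e["actor"]["alternateId"] for e in events
                   if len(e["actor"]["alternateId"]) >= MIN_USERNAME_LEN})

def suspicious_logons(events):
    """Successful sign-ins by long usernames inside the window with no MFA in the session."""
    mfa_sessions = {e["authenticationContext"]["externalSessionId"] for e in events
                    if e["eventType"] == "user.authentication.auth_via_mfa"
                    and e["outcome"]["result"] == "SUCCESS"}
    hits = []
    for e in events:
        user = e["actor"]["alternateId"]
        if (e["eventType"] == "user.session.start"
                and e["outcome"]["result"] == "SUCCESS"
                and len(user) >= MIN_USERNAME_LEN
                and WINDOW_START <= parse_ts(e["published"]) < WINDOW_END
                and e["authenticationContext"]["externalSessionId"] not in mfa_sessions):
            hits.append((e["published"], user))
    return hits
```

Hits from `suspicious_logons` are leads for review against the remaining pre-conditions (delegated AD/LDAP authentication and cache-first use), not confirmed exploitation.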

The team is actively searching for evidence of exploitation of this vulnerability in our customers' environments. If impacted customers are identified, they will be notified directly.

Please don’t hesitate to contact us for further assistance or any relevant questions.

Sincerely,
Team Axon
Posted Nov 07, 2024 - 09:53 UTC
This incident affected: Rapid Response.