Axon Rapid Response - Okta Support Breach
Incident Report for Rapid Response Status Page
Resolved
Dear customers,
Team Axon is aware of the recent publications about the breach of Okta's support case management system and is assessing which measures to implement to make sure you are not affected.
As reported by Okta, the attacker was able to view HAR files that customers had uploaded to support cases; such files can contain session cookies and tokens, and the breach resulted in the leakage of session tokens belonging to several Okta customers.

If the Okta team has contacted you directly about a possible compromise of your environment, follow their instructions and implement the measures they recommend.

The team has scanned for the published IOCs and will reach out to customers in case of any hits.
In addition, the team has released threat-hunting queries for detecting the anomalous activity described in Okta's report:
https://github.com/axon-git/rapid-response/tree/main/Okta%20Support%20Breach

The IP IOCs can also be searched in the Hunters' Platform IOC Search engine, to find evidence of them in the other data sources ingested into the platform.

We also recommend reviewing the leads generated by the “Potential SSO Hijack” and “Okta Successful Administrative Access from Host Without an EDR Agent” detections for any malicious admin activity related to the breach.
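The core signal behind a hijacked-session lead is a single Okta session cookie being presented from more than one client. The following is an added example written for this note, not one of Team Axon's published queries or the logic of the “Potential SSO Hijack” detection: it parses constructed Okta System Log events (field names follow the System Log schema; the IPs, user agents and session IDs are invented) and flags any externalSessionId seen from a second IP address or user agent, listing the admin-sensitive actions performed in that session.

```python
"""Hunt Okta System Log events for a session cookie replayed from a new client.

Added example. SAMPLE_LOG is constructed data, not a real tenant's log.
"""
import json
from collections import defaultdict

# Event types an analyst most wants to see inside a suspicious session.
ADMIN_SENSITIVE_EVENTS = {
    "user.session.access_admin_app",  # admin console opened
    "system.api_token.create",        # API token minted (persistence)
    "user.account.privilege.grant",   # admin role granted
    "user.lifecycle.create",          # new account created
}

# Constructed sample: one legitimate admin session (Mac/Chrome, 203.0.113.10),
# then the same session cookie reused from another IP and a script to mint an
# API token and create a user. A second, benign session is included as a control.
SAMPLE_LOG = """\
{"published":"2023-10-02T14:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh) Chrome/117"}},"authenticationContext":{"externalSessionId":"idxSESSIONaaaa"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-10-02T14:05:00.000Z","eventType":"user.session.access_admin_app","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh) Chrome/117"}},"authenticationContext":{"externalSessionId":"idxSESSIONaaaa"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-10-02T16:30:00.000Z","eventType":"system.api_token.create","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"198.51.100.77","userAgent":{"rawUserAgent":"python-requests/2.31"}},"authenticationContext":{"externalSessionId":"idxSESSIONaaaa"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-10-02T16:31:00.000Z","eventType":"user.lifecycle.create","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"198.51.100.77","userAgent":{"rawUserAgent":"python-requests/2.31"}},"authenticationContext":{"externalSessionId":"idxSESSIONaaaa"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-10-02T09:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"192.0.2.5","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows) Edge/117"}},"authenticationContext":{"externalSessionId":"idxSESSIONbbbb"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-10-02T09:10:00.000Z","eventType":"user.authentication.sso","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"192.0.2.5","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows) Edge/117"}},"authenticationContext":{"externalSessionId":"idxSESSIONbbbb"},"outcome":{"result":"SUCCESS"}}
"""


def parse_events(text):
    """Parse newline-delimited System Log JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_session_hijack(events):
    """Return {session_id: finding} for every session seen from more than one client.

    A session cookie is bound to one browser, so the same externalSessionId
    appearing with a second IP or user agent is the core signal of a replayed
    (stolen) cookie. Admin-sensitive events in that session are listed in time
    order so the analyst can see what was done with it.
    """
    by_session = defaultdict(list)
    for ev in events:
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        if sid:
            by_session[sid].append(ev)

    findings = {}
    for sid, evs in by_session.items():
        ips = {e["client"]["ipAddress"] for e in evs}
        agents = {e["client"]["userAgent"]["rawUserAgent"] for e in evs}
        if len(ips) < 2 and len(agents) < 2:
            continue  # one client only: consistent with a normal session
        findings[sid] = {
            "users": sorted({e["actor"]["alternateId"] for e in evs}),
            "ips": sorted(ips),
            "user_agents": sorted(agents),
            "admin_events": [
                (e["published"], e["eventType"], e["client"]["ipAddress"])
                for e in sorted(evs, key=lambda e: e["published"])
                if e["eventType"] in ADMIN_SENSITIVE_EVENTS
            ],
        }
    return findings


if __name__ == "__main__":
    for sid, f in hunt_session_hijack(parse_events(SAMPLE_LOG)).items():
        print(f"[!] session {sid} of {f['users']} seen from {f['ips']} / {f['user_agents']}")
        for when, etype, ip in f["admin_events"]:
            print(f"    {when}  {etype}  from {ip}")
```

Only the admin session is reported: it was started from one IP and browser and later used from a different IP with a scripting user agent to create an API token and a user, which is exactly the sequence a replayed cookie produces. Alice's session, seen from a single client throughout, is not flagged. In a real hunt the IP comparison should tolerate a user's own mobile/VPN changes (for example by comparing ASN rather than address), and the event list should be compared against the IOCs and admin activity described in Okta's report.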

We also suggest verifying that your environment has the controls below in place, to limit the impact of any third-party breach and keep it from escalating.

Hygiene Recommendations
- Add and tighten Okta policy controls that restrict access to the admin console.
- Consider configuring Okta's Global Session Policy to issue an MFA challenge at every sign-on. This prevents an attacker holding a stolen session cookie from reaching the main dashboard.
- Limit the lifetime of Okta sessions (maximum session lifetime and idle time).
- Be aware that admin API actions authenticated with a session cookie are governed only by the Global Session Policy, which is often less restrictive than the policies protecting the admin console, so a hijacked cookie may still be usable for API actions even when console access is challenged.
- Be aware that session hijacking bypasses MFA: a replayed cookie belongs to a session that has already authenticated. Still, this is a good opportunity to make sure that no user account is left without MFA.
- Require phishing-resistant hardware MFA (such as FIDO2/WebAuthn security keys) for all Okta admins, to prevent token theft via attacker-in-the-middle phishing.

For more information about the breach, see the Okta publication and the BeyondTrust article:
https://sec.okta.com/harfiles
https://www.beyondtrust.com/blog/entry/okta-support-unit-breach

Feel free to reach out with any concerns regarding this event.
Team Axon
Posted Oct 22, 2023 - 14:26 UTC
This incident affected: Rapid Response.