Matt Johansen
Oct 24, 2023, 17 tweets
Okta got hacked. Leading to impact for Cloudflare, 1Password, and BeyondTrust.

Here's everything we know about it:
Okta’s support system was compromised, allowing unauthorized access to sensitive files uploaded by customers.

Notably, Okta did not discover the breach themselves; it was independently detected by BeyondTrust and Cloudflare.
BeyondTrust detected an identity-centric attack on October 2, 2023, which led them to believe that Okta’s support system was compromised.

They alerted Okta, but it took until October 19 for Okta to confirm the breach.
Cloudflare discovered attacks traced back to Okta on October 18, 2023. They were able to contain the attack, ensuring no customer information or systems were impacted.

Cloudflare contacted Okta about the breach before Okta had notified them.
1Password has released an incident report that goes into a lot of detail about what they saw and how they responded.
I'm a bit concerned that a privileged member of 1Password staff's endpoint didn't have Yubikey enforced until after this incident.

And the free version of Malwarebytes also doesn't instill a ton of confidence.
What led to the breach to begin with?

Speculation beyond "stolen credentials," but it all started on their support portal.

Okta support often requests customers to upload HTTP Archive (HAR) files for troubleshooting.

HAR files can contain sensitive info like session tokens.
Upon being notified of the incident, Okta revoked any of the embedded session tokens.

Okta also advised users to sanitize HAR files by removing sensitive data before sharing.
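As an added example (not from the thread, and not Okta's own tooling), here is a small Python sanitizer for the HAR redaction step described above: it redacts credential-bearing headers, cookies, query parameters and bodies before a capture is uploaded. The header and token-name lists are assumptions chosen for this example, and the HAR fragment is constructed for the demonstration.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
REDACTED = "[REDACTED]"
# Assumed lists for this example (not an Okta-published list): header names that are
# always scrubbed, plus substrings that mark token-like header/cookie/query names.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
TOKEN_WORDS = ("token", "secret", "password", "session")

# Constructed sample HAR (not a real capture): bearer token, session cookie, token in URL.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET",
        "url": "https://example.okta.com/api/v1/users/me?sessionToken=abc123&expand=1",
        "headers": [{"name": "Authorization", "value": "Bearer eyJ0ZXN0"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102abcDEF"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"}]},
    "response": {"status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102abcDEF; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102abcDEF"}],
        "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"}}}]}})

def _is_sensitive(name, always=frozenset()):
    n = name.lower()
    return n in always or any(w in n for w in TOKEN_WORDS)

def _scrub_pairs(pairs, always=frozenset()):
    # HAR headers, cookies and queryString are all lists of {"name", "value"} objects.
    return [{**p, "value": REDACTED} if _is_sensitive(p.get("name", ""), always) else p
            for p in pairs]

def _scrub_url(url):
    parts = urlsplit(url)
    qs = [(k, REDACTED if _is_sensitive(k) else v)
          for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(qs)))

def sanitize_har(har_text, drop_bodies=True):
    """Return a parsed copy of the HAR with credential-bearing fields redacted."""
    har = json.loads(har_text)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.setdefault("request", {}), entry.setdefault("response", {})
        req["url"] = _scrub_url(req.get("url", ""))
        req["queryString"] = _scrub_pairs(req.get("queryString", []))
        for side in (req, resp):  # every cookie value is treated as a credential
            side["headers"] = _scrub_pairs(side.get("headers", []), SENSITIVE_HEADERS)
            side["cookies"] = [{**c, "value": REDACTED} for c in side.get("cookies", [])]
        if drop_bodies:  # bodies often carry tokens in JSON; dropping them is the safe default
            req.pop("postData", None)
            resp.get("content", {}).pop("text", None)
    return har
```

Run it over a real export with `sanitize_har(open("capture.har").read())` and write the result out with `json.dump`; non-sensitive headers such as Accept and the response MIME type survive so the capture stays useful for troubleshooting.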
My opinion: This HAR file sanitization is not the burden of the customer.

Okta needs to have a better process here.
The breach primarily affected Okta’s support case management system.

Other systems, including the Okta service and the Auth0/CIC case management system, remain unaffected by this incident.
It is reported that 170 of Okta's customers were impacted as a way to downplay the impact.

But we know about 3 of them and they are Cloudflare, BeyondTrust, and 1Password - not a small impact even if many Okta customers weren't involved.
Okta has provided IoCs to help customers identify potential malicious activity.

This includes a list of IP addresses and user agents that might be associated with the malicious activities.
Remaining Questions - Who are the other companies impacted?

Did they respond as well as Cloudflare, BeyondTrust, and 1Password?
Want to stay on top of news like this?

Join over 5k pros who trust me to give them what they need to know every week in cybersecurity:

vulnu.mattjay.com
Sources: Beyond Trust Blog: beyondtrust.com/blog/entry/okt…
Okta announcement - sec.okta.com/harfiles
