Matt Johansen
Oct 24, 2023, 17 tweets
Okta got hacked, leading to impact for Cloudflare, 1Password, and BeyondTrust.

Here's everything we know about it:
Okta’s support system was compromised, allowing unauthorized access to sensitive files uploaded by customers.

Notably, Okta did not discover the breach themselves; it was independently detected by BeyondTrust and Cloudflare.
BeyondTrust detected an identity-centric attack on October 2, 2023, which led them to believe that Okta’s support system was compromised.

They alerted Okta, but it took until October 19 for Okta to confirm the breach.
Cloudflare discovered attacks traced back to Okta on October 18, 2023. They were able to contain the attack, ensuring no customer information or systems were impacted.

Cloudflare contacted Okta about the breach before Okta had notified them.
1Password has released an incident report that goes into a lot of detail about what they saw and how they responded.
I'm a bit concerned that a privileged member of 1Password staff's endpoint didn't have YubiKey enforced until after this incident.

And the free version of Malwarebytes doesn't instill a ton of confidence either.
What led to the breach to begin with?

Beyond "stolen credentials" it is still speculation, but it all started on their support portal.

Okta support often requests customers to upload HTTP Archive (HAR) files for troubleshooting.

HAR files can contain sensitive info like session tokens.
Upon being notified of the incident, Okta revoked any of the embedded session tokens.

Okta also advised users to sanitize HAR files by removing sensitive data before sharing.
My opinion: This HAR file sanitization is not the burden of the customer.

Okta needs to have a better process here.
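As an added example (not code from the thread, from Okta or from 1Password), here is a small Python sanitizer for HAR 1.2 files of the kind Okta support asks for: it redacts Authorization and Cookie headers, cookie values, token-style query parameters and request/response bodies before the file is uploaded. The header and parameter name lists and the sample HAR are constructed for the example.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names whose values are credentials or session material (constructed list; extend as needed).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Query-string keys that commonly carry tokens or auth codes (constructed list).
SENSITIVE_PARAMS = {"token", "sessiontoken", "access_token", "id_token", "code"}

def _scrub_pairs(pairs, sensitive):
    """Redact the value of every {name, value} pair whose name is in `sensitive`."""
    return [dict(p, value=REDACTED) if p.get("name", "").lower() in sensitive else p for p in pairs]

def _scrub_url(url):
    """Redact sensitive query parameters and drop the fragment from a URL."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query), fragment=""))

def sanitize_har(har):
    """Return a deep copy of a HAR 1.2 dict with auth headers, cookies, token params and bodies redacted."""
    out = json.loads(json.dumps(har))  # deep copy; the caller's original is left untouched
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.setdefault(side, {})
            msg["headers"] = _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            msg["cookies"] = [dict(c, value=REDACTED) for c in msg.get("cookies", [])]
        req = entry["request"]
        req["url"] = _scrub_url(req["url"])
        req["queryString"] = _scrub_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        # Bodies can echo tokens back (login responses, token endpoints), so drop them wholesale.
        if "postData" in req:
            req["postData"]["text"] = REDACTED
        if "content" in entry["response"]:
            entry["response"]["content"]["text"] = REDACTED
    return out

# Constructed sample HAR: one request to a hypothetical IdP, with a session cookie and a token in the URL.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://idp.example.com/api/v1/sessions/me?token=tok_123&v=2",
                "headers": [{"name": "Cookie", "value": "sid=abc123"}, {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "abc123"}],
                "queryString": [{"name": "token", "value": "tok_123"}, {"name": "v", "value": "2"}]},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=def456; Secure"}],
                 "cookies": [{"name": "sid", "value": "def456"}],
                 "content": {"mimeType": "application/json", "text": "{\"id\":\"sess_1\"}"}}}]}}
```

Dropping bodies loses some troubleshooting detail; if support needs them, redact only the body fields that carry tokens rather than the whole text.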
The breach primarily affected Okta’s support case management system.

Other systems, including the Okta service and the Auth0/CIC case management system, remain unaffected by this incident.
Okta reports that 170 of its customers were impacted, a figure that reads like an attempt to downplay the impact.

But we know about 3 of them and they are Cloudflare, BeyondTrust, and 1Password - not a small impact even if many Okta customers weren't involved.
Okta has provided IoCs to help customers identify potential malicious activity.

This includes a list of IP addresses and user agents that might be associated with the malicious activities.
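As an added example (not from the thread or from Okta), a small Python sweep of exported Okta System Log events against an IoC list of that shape, matching on source IP and raw user agent. The field names client.ipAddress and client.userAgent.rawUserAgent follow the System Log schema as I understand it; the indicator values and log lines are constructed placeholders, not Okta's published IoCs.

```python
import json
from ipaddress import ip_address, ip_network

# Placeholder indicators: replace with the IP addresses and user agents from Okta's advisory.
# These use RFC 5737 documentation ranges and a made-up UA string; none is a real indicator.
IOC_NETWORKS = [ip_network("203.0.113.7/32"), ip_network("198.51.100.0/24")]
IOC_USER_AGENTS = {"Mozilla/5.0 (SuspiciousClient/1.0)"}

def event_hits(event):
    """Return the indicators a single System Log event matches (empty list if none)."""
    client = event.get("client") or {}
    hits = []
    ip = client.get("ipAddress")
    if ip:
        addr = ip_address(ip)
        hits += [f"ip:{net}" for net in IOC_NETWORKS if addr in net]
    ua = (client.get("userAgent") or {}).get("rawUserAgent", "")
    if ua in IOC_USER_AGENTS:
        hits.append(f"user-agent:{ua}")
    return hits

def scan_system_log(lines):
    """Scan newline-delimited JSON System Log events; return one finding per matching event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = event_hits(event)
        if hits:
            findings.append({
                "published": event.get("published"),
                "eventType": event.get("eventType"),
                "actor": (event.get("actor") or {}).get("alternateId"),
                "hits": hits,
            })
    return findings

# Constructed sample events in the System Log export shape (one JSON object per line).
SAMPLE_LOG = """
{"published":"2023-10-03T14:02:11.000Z","eventType":"user.session.start","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.7","userAgent":{"rawUserAgent":"Mozilla/5.0 (X11; Linux x86_64)"}},"outcome":{"result":"SUCCESS"}}
{"published":"2023-10-03T14:05:40.000Z","eventType":"user.session.access_admin_app","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"192.0.2.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (SuspiciousClient/1.0)"}},"outcome":{"result":"SUCCESS"}}
{"published":"2023-10-03T14:09:02.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"192.0.2.44","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh)"}},"outcome":{"result":"SUCCESS"}}
"""
```

A hit on an admin session from an indicator address is the cue to pull that actor's full session history and revoke the session, not just to note the match.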
Remaining questions: Who are the other companies impacted?

Did they respond as well as Cloudflare, BeyondTrust, and 1Password?
Want to stay on top of news like this?

Join over 5k pros who trust me to give them what they need to know every week in cybersecurity:

vulnu.mattjay.com
Sources:
BeyondTrust blog: beyondtrust.com/blog/entry/okt…
Okta announcement: sec.okta.com/harfiles
