Bilgesu Erdem
Identity services giant, Okta, recently announced a security breach in its support case management system. The unidentified culprits used stolen credentials, gaining access to files uploaded by Okta customers during recent support interactions. Importantly, the company’s production service remained untouched, and the Auth0/CIC case management system stood clear from the breach’s ramifications. The customers affected have been alerted.
Worryingly, the breached customer support system was equipped to handle HTTP Archive (HAR) files, used to imitate end user or administrator errors. These HAR files can house sensitive data like cookies and session tokens, which, when misused, can allow hackers to impersonate legitimate users. As a countermeasure, Okta collaborated with affected customers to revoke any compromised session tokens.
Despite the alert, the magnitude of the intrusion remains shrouded in mystery. Still, as of March 2023, Okta boasts a clientele of over 17,000, overseeing approximately 50 billion users. Two of these clients, BeyondTrust and Cloudflare, acknowledged their recent targeting within this breach.
Cloudflare elaborated that a malevolent actor hijacked a session token from a support ticket initiated by one of their employees. By October 18, this token gave them unauthorized access to Cloudflare’s systems. The assailant went as far as compromising two separate Cloudflare employee accounts within Okta’s environment. However, Cloudflare ensured no client data or systems fell victim.
In contrast, BeyondTrust perceived the breach by October 2, 2023. Indications suggest that the cyber attackers had access to the support systems for nearly two weeks, at least until October 18. When BeyondTrust’s Okta administrator uploaded a HAR file on October 2, suspicious activities surrounding a session cookie surfaced in less than half an hour. Nevertheless, BeyondTrust detected and countered the threat in real-time, sparing its infrastructure and clientele any negative implications.
Okta’s stature in the cyber realm hasn’t made it immune to security oversights. Their single sign-on services, widely utilized by global corporations, has inevitably painted a target on their back, with several hacking attempts over recent years.
Quasar RAT’s Stealthy Operations
Uptycs researchers unveiled a stealthy data extraction method employed by the open-source remote access trojan, Quasar RAT. This malware capitalizes on DLL side-loading, manipulating the trust Windows places in certain files. Renowned as CinaRAT or Yggdrasil, this remote administration tool amasses data including system information, active applications, keystrokes, and even screen captures.
DLL side-loading dupes a system by inserting a falsified DLL file that mimics the one a benign executable seeks. Quasar RATโs attack mechanism starts with an ISO image, housing a legitimate binary, a concealed malicious code, and a misnamed MsCtfMonitor.dll. This sequence culminates in launching the final Quasar RAT payload.
Regrettably, the identity of the culprits and their infiltration methods remain unclear. The common assumption tilts towards phishing emails as the initial access vector, urging users to be vigilant against suspicious emails and attachments.
It’s undeniable that cyberattacks are growing in sophistication, targeting key players in the online realm. Okta’s intrusion demonstrates the multi-faceted threats even established corporations face. Meanwhile, Quasar RAT’s sneaky maneuvers signify the increasing ingenuity of malware techniques. In this digital age, the call for stringent cybersecurity measures is louder than ever.
