In December 2022 Okta, a leading provider of authentication services and Identity and Access Management (IAM) tools, reported a breach of its private GitHub repositories. In this article we give a step-by-step explanation of what happened, what impact it could have on Okta's customers, and which earlier security incidents preceded this attack.
What has happened?
According to Bleeping Computer, citing a confidential source, Okta's source code was stolen by malicious actors earlier this month. The theft concerns the Okta Workforce Identity Cloud (WIC) code repositories. However, the attackers did not gain unauthorized access to the Okta service itself or to customer data, because the company does not rely on the confidentiality of its source code as a security control. Thus, Okta's HIPAA, FedRAMP or DoD customers can stay calm… or not? Let us remind you that Okta's customers include such 'behemoths' as FedEx, T-Mobile, Subaru, Pfizer, Mazda, Rakuten and other well-known brands.
Here is what Okta's CSO, David Bradbury, wrote in an email to the company's 'security contacts,' including IT admins: "No customer actions are required and the Okta service remains fully operational and secure."
Was this source code theft predictable?
Were there any warning 'bells' before this incident? Definitely… Earlier in December GitHub notified Okta about suspicious activity in Okta's code repositories. The company's security team investigated the notification from the cloud service provider and concluded "that such access was used to copy Okta code repositories," as stated in the email.
Once the Okta team learned about the 'possible suspicious access' to its GitHub repositories, it immediately placed temporary access restrictions on the repos and suspended integrations between its GitHub environment and third-party applications. Moreover, to make sure the threat actor could not use the stolen source code to reach the company's or its customers' environments, Okta took the following measures:
- reviewed recent access to Okta's GitHub software repositories
- checked all recent commits to the company's GitHub software repositories
- rotated GitHub credentials.
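The first of those steps, reviewing who recently copied which repositories, is where most of the triage effort goes, so here is an added example of how it can be done over an audit-log export. This is illustrative code written for this article, not Okta's or GitProtect's tooling. It assumes the organization's GitHub audit log has been exported as JSON with Git events (git.clone, repo.download_zip and similar) included, and that the corporate egress network is known; the field names, the organization name `example-org`, the actors and the addresses in the sample are constructed for the example.

```python
"""Triage a GitHub audit-log export for bulk repository copying.

Added example for this article (not Okta's or GitProtect's code). Assumes a JSON
export of the organization's audit log in which each event carries created_at,
action, actor, actor_ip and repo. The sample below is constructed.
"""
import ipaddress
import json
from collections import defaultdict

# Audit-log actions that copy an entire repository in one operation.
BULK_ACCESS_ACTIONS = {"git.clone", "repo.download_zip", "repo.download_tarball"}

# Constructed sample export: routine developer activity, then one machine
# account cloning several repositories from an address outside the office range.
SAMPLE_AUDIT_LOG = json.dumps([
    {"created_at": "2022-12-05T09:12:03Z", "action": "git.push",
     "actor": "alice", "actor_ip": "10.20.0.15", "repo": "example-org/wic-api"},
    {"created_at": "2022-12-05T09:40:11Z", "action": "git.clone",
     "actor": "bob", "actor_ip": "10.20.0.31", "repo": "example-org/wic-ui"},
    {"created_at": "2022-12-06T02:01:44Z", "action": "git.clone",
     "actor": "ci-bot", "actor_ip": "198.51.100.7", "repo": "example-org/wic-api"},
    {"created_at": "2022-12-06T02:02:09Z", "action": "git.clone",
     "actor": "ci-bot", "actor_ip": "198.51.100.7", "repo": "example-org/wic-ui"},
    {"created_at": "2022-12-06T02:02:40Z", "action": "git.clone",
     "actor": "ci-bot", "actor_ip": "198.51.100.7", "repo": "example-org/wic-auth"},
    {"created_at": "2022-12-06T02:03:15Z", "action": "repo.download_zip",
     "actor": "ci-bot", "actor_ip": "198.51.100.7", "repo": "example-org/wic-infra"},
    {"created_at": "2022-12-06T08:15:00Z", "action": "git.fetch",
     "actor": "alice", "actor_ip": "10.20.0.15", "repo": "example-org/wic-api"},
])


def parse_audit_log(raw: str) -> list:
    """Parse a JSON export and keep only the events that copy whole repositories."""
    return [e for e in json.loads(raw) if e.get("action") in BULK_ACCESS_ACTIONS]


def _is_trusted(ip: str, networks) -> bool:
    """True when ip falls inside one of the trusted CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # exports without IP disclosure carry no usable address
        return False
    return any(addr in net for net in networks)


def triage_bulk_access(events, trusted_cidrs, repo_threshold: int = 3) -> dict:
    """Group bulk-access events per actor and explain why each one is suspicious.

    An actor is flagged when any copy came from outside trusted_cidrs, or when it
    copied at least repo_threshold distinct repositories. Returns
    {actor: {"repos": [...], "reasons": [...]}} for flagged actors only.
    """
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    per_actor = defaultdict(lambda: {"repos": set(), "ips": set()})
    for event in events:
        per_actor[event["actor"]]["repos"].add(event["repo"])
        per_actor[event["actor"]]["ips"].add(event.get("actor_ip", "unknown"))

    findings = {}
    for actor, rec in per_actor.items():
        reasons = []
        outside = sorted(ip for ip in rec["ips"] if not _is_trusted(ip, networks))
        if outside:
            reasons.append("bulk access from untrusted address(es): " + ", ".join(outside))
        if len(rec["repos"]) >= repo_threshold:
            reasons.append(f"copied {len(rec['repos'])} distinct repositories")
        if reasons:
            findings[actor] = {"repos": sorted(rec["repos"]), "reasons": reasons}
    return findings


def repos_needing_review(findings: dict) -> list:
    """Union of repositories touched by flagged actors: these are the ones whose
    recent commits need a review and whose embedded credentials need rotating."""
    return sorted({repo for f in findings.values() for repo in f["repos"]})


if __name__ == "__main__":
    bulk = parse_audit_log(SAMPLE_AUDIT_LOG)
    flagged = triage_bulk_access(bulk, trusted_cidrs=["10.20.0.0/16"])
    for actor, detail in flagged.items():
        print(actor, detail["reasons"], detail["repos"])
    print("review commits and rotate secrets in:", repos_needing_review(flagged))
```

On the constructed sample, `bob` is not flagged (one clone from the office range) while `ci-bot` is flagged on both counts, and the four WIC repositories it copied become the scope for the commit review and credential rotation that follow. The threshold and CIDR list are the two knobs to tune for a real environment; a token belonging to a legitimate CI account is exactly the kind of actor that looks normal by name and abnormal by source address.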
Okta security incidents: step-by-step overview
The year 2022 was a tough one when it comes to security incidents, and Okta is no exception. The company suffered several attacks and failures. Let's look at them in more detail.
January/March 2022 – Lapsus$ hackers’ attack
On April 19th, David Bradbury, Okta's CSO, published an advisory stating that in January the company had experienced an attack that potentially impacted 366 Okta customers. After a detailed investigation of a five-day window, the company concluded that the "impact of the incident was significantly less than the maximum potential impact" and that the attacker's control lasted for "25 consecutive minutes."
As the investigation showed, on January 21st the Lapsus$ hacking group gained unauthorized remote access to the workstation of a support engineer at Sitel, an Okta sub-processor. The threat actor was unable to make any MFA changes or password resets and could not log in directly to any Okta accounts. However, the group did access two active customer tenants within the SuperUser app, and managed to view "limited additional information in certain other applications like Slack and Jira" (so let's not forget about Jira backup).
The incident happened in January, so why does the heading mention March? Because in March Lapsus$, a data extortion group, posted screenshots in its Telegram channel with the catchy claim "of what it alleges to be access to Okta's backend administrative console and customer data" (according to Bleeping Computer). Okta then linked the screenshots to the January incident, two months earlier, and the investigation that followed led to the April advisory.
September 2022 – threat actor’s attack on Okta subsidiary Auth0
Auth0 is an authentication platform owned by Okta that is used by over 2,000 enterprises to authenticate more than 42 million logins every day. What happened to this service is somewhat similar to the recent incident: a third party gained access to Auth0 source code repositories, though the motive was unknown. The hostile actors obtained multiple code repositories dating from 2020 and earlier. Okta learned about the incident through a notification from a "third-party individual."
The company responded immediately, investigated the issue and even engaged a third-party cyber security forensics firm. As it stated later: "Our investigation has not revealed any customer impact from this event, and no actions are required by our customers."
How to limit such scenarios?
As a final takeaway from the incident, the security of GitHub repositories and their metadata is a necessary measure for peace of mind. Every company that uses GitHub as its git hosting service should understand, weigh and anticipate the possible risks: data breaches, attacks, and human error. Companies should therefore build a security strategy that includes proper GitHub backup and disaster recovery software. Backup, as the last line of defense against ransomware and other risks, lets an organization restore source code from any point in time and keeps workflows and the business running. It also significantly reduces the costs of downtime and of ransom payments. In addition, backup is expected by certification schemes such as SOC 2 and ISO 27001 and follows from the shared responsibility model, under which GitHub itself recommends that customers back up their data.
"In Okta's scenario, attackers gained access to their repositories and stole their source code. Such attacks are a real danger to any repositories. Attackers might also remove, wipe or erase repositories they accessed, and there is no other safeguard than a reliable GitHub backup," said Greg Bak, Product Development Manager at GitProtect.io.
Conclusion
Security creates a healthy environment where your DevOps teams can build with peace of mind and without interruption. Is it possible to avoid attacks like the ones that hit Okta? Unfortunately, nope… For years threat actors have been exploiting vulnerabilities to modify data, demand ransoms, and steal data to sell on the darknet.
What matters most is the security strategy the enterprise has and the measures it takes to reduce the risks.
So, do you still think you don't need backup software in place to protect your GitHub repositories and metadata? Try to change your mind and sign up for a 14-day free trial.