Okta’s October Support System Breach Impacted 134 Customers

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Okta, an identity and access management solution provider, revealed last week that its October security breach had affected 134 of its customers. Among them, 5 later suffered session hijacking attacks carried out with stolen session tokens.

In the post, the company revealed that between September 28 and October 17, 2023, an unknown attacker had gained access to files inside its customer support system. “Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” the post revealed.

“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event,” CSO David Bradbury explained.

The 3 Okta customers that reported suspicious activity were 1Password, BeyondTrust, and Cloudflare. After being notified, Okta launched an investigation which revealed that service account credentials stored in the support system itself had been leveraged to view and update customer support cases.

“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury stated. “The username and password of the service account had been saved into the employee’s personal Google account,” he continued.

Although details were not shared about how the threat actor obtained the service account credentials, the company believes that either the employee’s personal device or their Google account was compromised.

Since the incident, Okta has taken various remediation measures, including:

  • Disabling the compromised service account in the support system.
  • Blocking the use of personal Google profiles with Google Chrome on Okta-managed devices.
  • Enhancing customer support system monitoring by implementing additional detection and monitoring rules.

The company has also introduced session token binding based on network location to mitigate the risk of session token theft.

Hidden Spyware Detected in Multiple WhatsApp Mods

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Third-party mods for instant messaging services have grown in popularity among users looking for features not found in the official client apps. However, these mods often come laden with hidden malware.

Researchers at Kaspersky discovered that several previously harmless WhatsApp mods now contain a spy module dubbed Trojan-Spy.AndroidOS.CanesSpy.

According to the researchers, the spy module relies on two suspicious components found in the trojanized mod, a service and a broadcast receiver, neither of which is part of the official WhatsApp app.

Upon deployment, the broadcast receiver listens for various system and application broadcasts, such as the phone being put on charge, a file finishing downloading, or a text message arriving. On receiving one of these broadcasts, the receiver activates the spy module, typically when the phone starts charging or is switched on.

Meanwhile, the service component is responsible for selecting the command-and-control (C2) server. Once activated, the malicious implant sends device information, including the IMEI, phone number, mobile country code, mobile network code and more, to the C2 server. The spyware also gathers configuration details and transmits the victim’s contacts and account data every five minutes.
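The receiver-plus-service pattern described in the last three paragraphs is visible in the app's manifest before any code runs: a receiver registered for power, boot, SMS or download broadcasts, and components whose class names do not belong to the official build. The script below is an added example (not Kaspersky's tooling and not taken from their advisory) of a manifest triage pass an analyst could run on a decoded `AndroidManifest.xml`. The package, component names and "known components" list are constructed for a hypothetical messenger; in practice the allowlist would be generated from the official APK.

```python
"""Triage a decoded AndroidManifest.xml for the component pattern described above: a broadcast
receiver that wakes on power, boot, SMS or download events, plus receivers/services missing
from the official build's component list.

Added example, not Kaspersky's tooling. The manifest and the 'known components' list are
constructed for a hypothetical messenger package; a real run would diff against the official APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Broadcasts that let a dormant component start without any user interaction.
WAKE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.DOWNLOAD_COMPLETE",
}


def _full_name(package, name):
    # Manifest component names may be written relative to the package (".Foo").
    return package + name if name.startswith(".") else name


def triage_manifest(xml_text, known_components):
    """Return (kind, component, reason) findings for receivers and services in the manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    application = root.find("application")
    findings = []
    if application is None:
        return findings
    for component in application:
        if component.tag not in ("receiver", "service"):
            continue
        name = _full_name(package, component.get(NAME_ATTR, ""))
        if name not in known_components:
            findings.append((component.tag, name, "not in the official build's component list"))
        if not name.startswith(package + "."):
            findings.append((component.tag, name, "class lives outside the declared package"))
        if component.tag == "receiver":
            actions = {a.get(NAME_ATTR) for a in component.iter("action")}
            for action in sorted(actions & WAKE_ACTIONS):
                findings.append((component.tag, name, f"wakes on {action}"))
    return findings


def suspicious_components(findings):
    """Distinct component names that produced at least one finding, sorted."""
    return sorted({name for _, name, _ in findings})


# Constructed sample: a hypothetical messenger whose mod added a receiver and a service.
KNOWN_COMPONENTS = {"com.example.messenger.MediaReceiver", "com.example.messenger.MainActivity"}
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".MediaReceiver"/>
    <receiver android:name="com.example.mod.WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.mod.SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for kind, name, reason in triage_manifest(SAMPLE_MANIFEST, KNOWN_COMPONENTS):
        print(f"{kind:8} {name}: {reason}")
```

The three checks are deliberately independent: the allowlist diff catches anything a mod added, the package check catches classes dropped in from a different namespace even when the allowlist is incomplete, and the wake-action check explains why a receiver exists at all. A legitimate receiver that only handles media intents, like the constructed `MediaReceiver`, produces no findings.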

“After the device information is successfully uploaded, the malware starts asking the C&C for instructions, which the developers call ‘orders’, at preconfigured intervals (one minute by default),” the advisory stated.

During the investigation, the researchers noticed that all messages sent to the C2 server were in Arabic, suggesting that the developer speaks Arabic. Kaspersky found that the trojanized mods were distributed through various dubious websites promoting WhatsApp mods and through popular Telegram channels, mostly in Arabic and Azeri.

The cybersecurity solution provider is said to have blocked more than 340,000 attacks involving this spyware mod in over 100 countries between October 5 and 31 alone. Its investigation further revealed that the largest numbers of attacks were recorded in Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt.

Kaspersky went on to advise users to use only the official messaging clients to secure their personal data. “Should you need the extra features, we advise that you use a reliable security solution that can detect and block the malware if the mod you chose proves to be infected,” the advisory recommended.