A new post-exploitation attack vector has been discovered in the software audit logs of enterprise identity provider Okta that could allow an attacker to read user passwords and credentials.
The method was discovered by forensics specialist Mitiga, whose team discussed it in an advisory released today.
“An adversary with access to Okta audit logs, whether obtained directly from the admin console or from any other system to which logs are sent, will have the Okta user passwords,” write Mitiga security researchers Doron Karmi and Or Aspir.
From a technical perspective, the flaw stems from the way Okta records failed login attempts against customer instances in its audit logs.
“While it may seem like a special case, this type of password mistake is common among users and poses a risk to many Okta customers as a result,” reads the report.
Karmi and Aspir warn that information obtained in this manner allows an attacker to compromise Okta user accounts and gain access to the resources and applications those accounts can reach, effectively expanding the potential impact of an attack.
“By knowing user credentials, an attacker can attempt to log in as those users to various platforms in an organization using Okta single sign-on (SSO). It could be used to escalate privileges if the user password is exposed,” the researchers added.
The advisory also suggests that potentially affected organizations review their use of log analysis platforms or SIEMs (Security Information and Event Management) where Okta logs are stored.
“This kind of security risk can occur in any organization that uses Okta for identity and access management,” write Karmi and Aspir. “We have created a SQL query to help companies identify these potential password leaks.”
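The advisory's own SQL query is not reproduced here. As an added illustration (not Mitiga's or Okta's code), the Python below applies the same idea to Okta-style System Log events exported to a SIEM: it flags failed logins whose attempted username does not match the organisation's username pattern, pairs each with the next successful login from the same client IP to infer whose password may have been logged, and redacts the suspect value so the finding does not re-copy the secret. Field names follow the Okta System Log schema as assumed here, and the sample events are constructed.

```python
"""Added example (not from the page or Mitiga/Okta): flag Okta-style failed logins
whose username field does not look like a username, and link each to the next
success from the same client IP. Field names follow the Okta System Log schema as
assumed here; SAMPLE_EVENTS is constructed data, not real logs."""
import re
from datetime import datetime, timedelta

USERNAME_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")  # assumed: e-mail usernames
WINDOW = timedelta(seconds=120)  # how soon a real login usually follows the slip

def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def redact(value):
    """Findings must not re-copy the suspected secret: keep one char plus length."""
    return (value[:1] + "*" * (len(value) - 1)) if value else ""

def find_suspect_failures(events, username_re=USERNAME_RE, window=WINDOW):
    """Failed user.session.start events whose attempted username fails the org
    pattern, each paired with the user who next logged in from the same IP."""
    logins = sorted((e for e in events if e["eventType"] == "user.session.start"), key=_ts)
    findings = []
    for i, ev in enumerate(logins):
        attempted = ev["actor"]["alternateId"]
        if ev["outcome"]["result"] != "FAILURE" or username_re.match(attempted):
            continue  # success, or an ordinary failed login with a real username
        ip, t0, likely_user = ev["client"]["ipAddress"], _ts(ev), None
        for nxt in logins[i + 1:]:
            if _ts(nxt) - t0 > window:
                break
            if nxt["outcome"]["result"] == "SUCCESS" and nxt["client"]["ipAddress"] == ip:
                likely_user = nxt["actor"]["alternateId"]
                break
        findings.append({"published": ev["published"], "client_ip": ip,
                         "redacted_value": redact(attempted), "length": len(attempted),
                         "likely_user": likely_user})
    return findings

def _event(published, result, alt_id, ip):  # builder for constructed sample events
    return {"eventType": "user.session.start", "published": published,
            "outcome": {"result": result}, "actor": {"alternateId": alt_id},
            "client": {"ipAddress": ip}}

SAMPLE_EVENTS = [
    _event("2023-03-20T09:00:00.000Z", "FAILURE", "Hunter2!Summer23", "203.0.113.7"),
    _event("2023-03-20T09:00:20.000Z", "SUCCESS", "alice@example.com", "203.0.113.7"),
    _event("2023-03-20T09:01:00.000Z", "FAILURE", "bob@example.com", "198.51.100.4"),
    _event("2023-03-20T09:05:00.000Z", "FAILURE", "Tr0ub4dor&3", "198.51.100.9"),
]
```

The `likely_user` field is a correlation hint for deciding whose password to rotate; the last sample event shows the case where no matching success follows and the analyst must fall back on other context.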
Additionally, security researchers recommend that businesses use multi-factor authentication (MFA), implement access control and monitoring options in their SIEM, and educate end users.
In response to Mitiga’s disclosure, Okta confirmed the effectiveness of the exploitation method and provided additional recommendations for mitigating potential attacks based on it.
The Mitiga advisory comes months after Group-IB security researchers uncovered a phishing campaign targeting Okta identity credentials and the associated 2FA codes.
Editorial image credit: T. Schneider / Shutterstock.com