Intruders copied source code belonging to Okta after breaching the identity management company’s GitHub repositories.
Okta was alerted by Microsoft-owned GitHub earlier this month of “suspicious access” to its code repositories and determined that miscreants copied code associated with the company’s Workforce Identity Cloud (WIC), an enterprise-facing access and identity management tool to enable workers and partners to work from anywhere.
The company said in a statement this week that its investigation found no breach of the WIC service itself and no unauthorized access to customer data, including that of HIPAA, FedRAMP, or Department of Defense customers.
Okta added that it does not rely on the confidentiality of its source code for the security of its services, so WIC remains operational and secure.
Officials also said the breach did not touch Auth0 or Okta’s Customer Identity Cloud for consumer and software-as-a-service (SaaS) applications. Okta bought Auth0 last year for $6.5 billion in a deal that brought together two high-profile identity and access management (IAM) vendors.
After learning of the suspicious access, the vendor temporarily restricted access to its GitHub repositories and suspended GitHub integrations with third-party applications.
“We have since reviewed all recent access to Okta software repositories hosted by GitHub to understand the scope of the exposure, reviewed all recent commits to Okta software repositories hosted with GitHub to validate the integrity of our code, and rotated GitHub credentials,” Okta said, adding that law enforcement also was notified.
Matt Mullins, senior security researcher at cybersecurity firm Cybrary, told The Register in an email that Okta’s GitHub breach is only the latest example of cybercriminals aiming at developers and code when moving upstream to look for potential victims in supply chain attacks.
“Getting access to these systems gives an APT [advanced persistent threat] group the benefit of having ‘early access’ to their targets and research vulnerabilities (such as obvious flaws in code), secrets (such as hardcoded creds in scripts), or misconfigurations (such as obvious anti-patterns in configurations),” Mullins said.
He added that with services like Okta’s being so important to enterprises, “it should be no shocker that attackers will continue to target the ‘security’ provider. Who watches the watchmen?”
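The practical follow-up to both points above, Okta's review of recent commits and Mullins' warning about hardcoded credentials, is to establish what a copied repository actually exposed. The script below is an added example, not Okta's or GitHub's code, and it makes no claim about what was in Okta's repositories. It scans unified diff text (the kind produced by `git log -p` or `git diff` over the commits under review) for a few documented credential shapes plus a heuristic for `key = "..."` style assignments, and reports each hit with the secret redacted and a flag for whether the line was added or removed. The sample diff is constructed for illustration; the token values in it are the documented AWS example key and made-up strings of the right length, not real credentials.

```python
import re
from dataclasses import dataclass

# Credential shapes worth flagging after a repository copy. The AWS access key
# and GitHub token formats follow their publicly documented prefixes; the
# "generic_assignment" rule is a heuristic and will need human review of hits.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    pattern: str   # which rule in SECRET_PATTERNS fired
    file: str      # path taken from the diff's "+++ b/" header
    line: str      # the matching diff line with the secret redacted
    added: bool    # True for a "+" line, False for a "-" line


def redact(secret):
    """Keep the first and last four characters so an analyst can correlate
    the hit with a known credential without the full value ending up in a
    ticket or report."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_diff_for_secrets(diff_text):
    """Walk a unified diff and return a Finding for every changed line that
    matches one of SECRET_PATTERNS. Removed lines are reported too: a secret
    that was deleted in a later commit is still present in history and still
    exposed if the repository was copied."""
    findings = []
    current_file = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ b/"):
            current_file = raw[len("+++ b/"):]
            continue
        # Skip the remaining diff framing; "--- a/" and "--- /dev/null" are the
        # old-file headers, everything else here is metadata, not content.
        if raw.startswith(("--- a/", "--- /dev/null", "@@", "diff ", "index ")):
            continue
        if not raw or raw[0] not in "+-":
            continue  # context lines did not change in the commit under review
        added = raw[0] == "+"
        content = raw[1:]
        for name, rx in SECRET_PATTERNS.items():
            m = rx.search(content)
            if not m:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            # A PEM header is not itself the secret, so show it unredacted.
            shown = content if name == "private_key_block" else content.replace(secret, redact(secret))
            findings.append(Finding(name, current_file, shown, added))
    return findings


# Constructed sample diff (hypothetical files and values, not from any real repo).
SAMPLE_DIFF = """\
diff --git a/deploy/config.py b/deploy/config.py
index 1111111..2222222 100644
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -1,4 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+api_key = "sk_live_0123456789abcdef"
 REGION = "us-east-1"
diff --git a/scripts/old.sh b/scripts/old.sh
index 3333333..4444444 100644
--- a/scripts/old.sh
+++ b/scripts/old.sh
@@ -1,2 +1,2 @@
-export GITHUB_TOKEN="ghp_abcdefghijklmnopqrstuvwxyz0123456789"
+export GITHUB_TOKEN="$(cat /run/secrets/github_token)"
"""

if __name__ == "__main__":
    for f in scan_diff_for_secrets(SAMPLE_DIFF):
        state = "added" if f.added else "removed"
        print(f"[{f.pattern}] {f.file} ({state}): {f.line}")
```

Run against `git log -p --since=<date>` output for the window in which the repository was exposed. Every hit, including ones on removed lines, is a credential that should be treated as compromised and rotated; the redaction in the report is only there so the rotation ticket does not become a second leak.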
Okta has been a repeated target of miscreants this year. In January the company was attacked by the high-profile Lapsus$ extortion group, which reached Okta’s internal systems after gaining access via a worker’s workstation. Officials later in the year said the attack would have been much worse had the company not implemented a zero-trust policy.
In August, cybersecurity firm Group-IB identified a massive phishing campaign that began in March and was dubbed Oktapus. It was aimed at stealing Okta identity credentials and two-factor authentication (2FA) codes from users at more than 130 targeted organizations – including Twilio and Cloudflare – and then attacking their customers.
In September, Auth0 – which operates as an independent company – said there was a “security event” involving repositories containing code from October 2020 and earlier, before the Okta acquisition. However, the company said there was no evidence that its environment or those of its customers had been accessed, that data had been stolen, or that intruders were in its systems.