Some source code of identity and access management provider Okta has reportedly been stolen from its private GitHub repositories, says the Bleeping Computer news service.
The site said it has obtained a security incident notification Okta has been emailing its security contacts. The site also says it has confirmed that multiple sources, including IT administrators, have received the same Okta email notification.
The email, from chief security officer (CSO) David Bradbury, says the company was told by GitHub about suspicious activity earlier this month and then discovered the attack.
The attacker didn’t access customer data or the Okta service, Bradbury said. The stolen code involves Okta Workforce Identity Cloud (WIC) and not any Auth0 (Customer Identity Cloud) products, he added.
It’s the second theft of code the company has reported in four months. In August, a person notified Okta that they possessed a copy of certain Auth0 code repositories dating from October 2020 and earlier. “We immediately launched a thorough internal investigation and enlisted the services of a leading third-party cybersecurity forensics firm. Both investigations, recently concluded, confirmed that there was no evidence of unauthorized access to our environments, or those of our customers, nor any evidence of any data exfiltration or persistent access.”
The company said it has taken steps to ensure that this code cannot be used to access Okta or customer environments. It has also notified law enforcement.
Okta bought Auth0, a cloud-based single-sign-on access management provider, in 2021. It isn’t clear from the Okta statement when the person acquired the Auth0 code, only that it wasn’t through customers or access to systems controlled by Okta.
Okta would be considered a prime target for threat actors. Enterprises around the world depend on it for providing universal, single-sign-on and passwordless login services protected with multifactor authentication.
Its most recent product is Okta for US Military, a new identity environment built for the U.S. Defense Department on Amazon AWS.
Okta was the victim of a third-party hack in January when the Lapsus$ extortion gang breached the IT environment of Twillio and used their access to steal one-time passwords sent via text message to Okta customers. Okta later apologized for not publicly responding fast enough when news of that attack broke.
“This time Okta’s reaction seems to be much faster and more professional compared to the January incident,” says Ilia Kolochenko, founder of ImmuniWeb.
“The consequences of this security incident may seem insignificant,” he added. “However, access even to a small part of the source code may have a domino effect on the organization. Oftentimes, some parts of source code is shared among different products, offering attackers a plethora of unique opportunities to reverse engineer business-critical software and find zero-day vulnerabilities.
“Likewise, modern source code still contains numerous hardcoded secrets, such as database passwords or API keys, despite the growing implementation of more secure mechanisms to handle secrets. This incident is a telling example that cybercriminals are now actively targeting their victims’ CI/CD [continuous integration/development] pipelines that have become prevalent in a corporate environment, whilst being largely underprotected due to the novelty and comparative complexity of the technology. We should expect more similar attacks in 2023.”
Having source code can make it easier for a threat actor to find vulnerabilities, Johannes Ullrich, director of research at the SANS Institute, said in an interview. But, he added, exploiting them depends on how good Okta is at scanning its code before making products live. “If they do their due diligence, the attacker should not have any easier time finding vulnerabilities than Okta has.”
