How Threat Actors Leveraged HAR Files To Attack Okta’s Customers

How Threat Actors Leveraged HAR Files To Attack Okta’s Customers

On October 19, 2023, Okta notified its customers of a security breach involving unauthorized access to their support system. This incident occurred when an external party obtained and misused Okta’s support service account credentials.
2023 年 10 月 19 日,Okta 通知其客户存在涉及未经授权访问其支持系统的安全漏洞。当外部方获取并滥用 Okta 的支持服务帐户凭据时,发生了此事件。

The investigation by Okta pinpointed the origin of the breach to a security lapse involving an Okta-managed laptop. An employee, using this laptop, logged into their personal Google account, where the Okta service account credentials were stored. It appears these credentials were subsequently accessed and misappropriated following the compromise of the employee’s personal account.
Okta的调查将漏洞的根源确定为涉及Okta管理的笔记本电脑的安全漏洞。一名员工使用这台笔记本电脑登录了他们的个人 Google 帐户,其中存储了 Okta 服务帐户凭据。在员工的个人帐户遭到入侵后,这些凭据随后被访问和盗用。

Okta’s analysis confirmed that the intruder could access and potentially download files associated with 134 customers’ support inquiries. This data included HAR Files, which were part of the materials submitted for support purposes.
Okta 的分析证实,入侵者可以访问并可能下载与 134 个客户的支持查询相关的文件。这些数据包括HAR文件,这些文件是为支持目的而提交的材料的一部分。

The attacker searched to obtain the contact details of Okta’s support customers. This query encompassed a range of fields, including:
攻击者搜索以获取 Okta 支持客户的联系方式。此查询包含一系列字段,包括:

  • Date of Account Creation
  • Most Recent Login 最近登录
  • Full Name 全名
  • Username 用户名
  • Email Address 电子邮件地址
  • Company Name 公司名称
  • User Type 用户类型
  • Residential Address 住址
  • Date of Last Password Modification or Reset
  • Role Title 角色名称
  • Role Description 角色描述
  • Telephone Number 电话号码
  • Mobile Number 手机号码
  • Time Zone 时区
  • SAML Federation Identifier
    SAML 联合标识符

Although 99.6% of Okta’s support system users have only their full name and email address registered, the attacker successfully compiled a comprehensive list of all Okta support customers who had filed a support ticket before September 28, 2023, at 15:06 UTC.
尽管 99.6% 的 Okta 支持系统用户只注册了他们的全名和电子邮件地址,但攻击者成功编制了一份完整的列表,列出了在 UTC 时间 2023 年 9 月 28 日 15:06 之前提交支持票证的所有 Okta 支持客户。

Timeline Of The HAR File And Data Exfiltration Breach Based On Okta’s Investigation:
基于 Okta 调查的 HAR 文件和数据泄露事件的时间表:

Date 日期 Event 事件
2023-09-29 1Password, an Okta client, reports about suspicious activity. Okta security team starts an investigation.
1Password 是 Okta 客户端,用于报告可疑活动。Okta 安全团队开始调查。
2023-10-02 BeyondTrust, another Okta client, also reports suspicious Okta activity.
另一个 Okta 客户 BeyondTrust 也报告了可疑的 Okta 活动。
2023-10-12 A third customer reports suspicious activity.
2023-10-13 BeyondTrust shares an IOC (IP address) with Okta.
BeyondTrust 与 Okta 共享一个 IOC(IP 地址)。
2023-10-16 Okta identifies an activity of a service account originating from a suspicious IP address.
Okta 识别源自可疑 IP 地址的服务帐户的活动。
2023-10-17 Okta took initial remediation steps:Disabling the compromised service account and revoke its’ sessionsRevoke sessions embedded in HAR files found to be downloaded by the threat actor.
Okta 采取了初步补救措施:禁用受损的服务帐户并撤销其会话撤销威胁参与者发现下载的 HAR 文件中嵌入的会话。
2023-10-18 Okta Security notifies a fourth Okta customer targeted by the adversary.
Okta Security 通知对手所针对的第四个 Okta 客户。
2023-10-19 Okta identifies more threat actor activity and revokes additional sessions embedded in HAR files downloaded by the adversary.
Okta 可识别更多威胁参与者活动,并撤销攻击者下载的 HAR 文件中嵌入的其他会话。
2023-10-19 Okta alerts all its customers with registered security contacts, confirming if the security incident impacted them or not.  
Okta 会向所有注册安全联系人的客户发出警报,确认安全事件是否影响了他们。
2023-10-20 Okta released the first public blog regarding the incident.

As Okta’s investigation continued, attention shifted to a particular type of file involved in the incident, a HAR file. HAR files, or HTTP Archive format files, are not just relevant to the Okta incident but hold significant importance in broader ITDR and cybersecurity contexts.
随着 Okta 调查的继续,注意力转移到事件中涉及的特定类型的文件,即 HAR 文件。HAR 文件或 HTTP 存档格式文件不仅与 Okta 事件相关,而且在更广泛的 ITDR 和网络安全环境中具有重要意义。

What Is HAR?  什么是 HAR?

A HAR file, short for HTTP Archive, is a file format used to capture and store detailed HTTP requests and responses between a web browser and a web page. This file can be exported using the browser’s developer tools and used primarily for debugging and troubleshooting purposes of HTTP traffic. For example, among other data points, the HAR file contains information regarding the client’s requested URLs and their responses, URL parameters, headers, and cookies.
HAR 文件是 HTTP Archive 的缩写,是一种文件格式,用于捕获和存储 Web 浏览器和网页之间的详细 HTTP 请求和响应。此文件可以使用浏览器的开发人员工具导出,主要用于 HTTP 流量的调试和故障排除。例如,在其他数据点中,HAR 文件包含有关客户端请求的 URL 及其响应、URL 参数、标头和 cookie 的信息。

The exporting process is simple and detailed across the internet by many companies, including Okta.
包括 Okta 在内的许多公司在互联网上的导出过程简单而详细。

The risk behind sharing HAR files
共享 HAR 文件背后的风险

Although designed for diagnostics, sharing HAR files outside a secure context poses significant risks, particularly concerning leaking sensitive information and the danger of session hijacking.
尽管专为诊断而设计,但在安全上下文之外共享 HAR 文件会带来重大风险,尤其是在泄露敏感信息和会话劫持危险方面。

These files may contain passwords, session cookies, or tokens, which are like digital keys to your online sessions. Specifically, when capturing traffic for Okta, the HAR files might contain active cookies, session IDs, SAML tokens, and other authentication data that can be reused for session hijacking or other types of attacks.
这些文件可能包含密码、会话 Cookie 或令牌,它们类似于在线会话的数字密钥。具体而言,在捕获 Okta 的流量时,HAR 文件可能包含活动 Cookie、会话 ID、SAML 令牌和其他身份验证数据,这些数据可以重新用于会话劫持或其他类型的攻击。

In short, and as simple as it sounds, an adversary with a cookie, that was extracted from a HAR file, can hijack the session without authenticating or presenting a factor. 
简而言之,听起来很简单,使用从 HAR 文件中提取的 cookie 的攻击者可以在不进行身份验证或呈现因素的情况下劫持会话。

For this exact reason, customers are advised to sanitize the archives before sharing them with anyone. The HAR sanitation process protects the users from exposing authentication parameters or other sensitive information from their recordings. Sanitization and ITDR preparation is possible with open-source projects (such as CloudFlare or Google)  and online tools.
出于这个确切的原因,建议客户在与任何人共享档案之前对其进行消毒。HAR 清理过程可防止用户从其记录中暴露身份验证参数或其他敏感信息。使用开源项目(如CloudFlare或Google)和在线工具可以进行清理和ITDR准备。

For example, let’s quickly review Google’s online HAR analyzer. Start by uploading a file:
例如,让我们快速回顾一下 Google 的在线 HAR 分析器。首先上传文件:

How Threat Actors Leveraged HAR Files To Attack Okta’s Customers

As we can see, each HTTP request and response that was recorded in the HAR can be clicked to view which headers and parameters were passed as part of the request.

Abusing Non-Sanitized Okta HAR File (Demo)
滥用未经清理的 Okta HAR 文件(演示)

In this demo, we recorded a sign-in of an Okta administrator and exported the logs into a HAR file. We used the HAR file to hijack the administrative session without re-authenticating. To do so, we must find the correct HTTP request for the Okta tenant.
在此演示中,我们记录了 Okta 管理员的登录,并将日志导出到 HAR 文件中。我们使用 HAR 文件劫持了管理会话,而无需重新进行身份验证。为此,我们必须为 Okta 租户找到正确的 HTTP 请求。

When administrators log in to the Okta admin dashboard, they are redirected to a page with the URL ‘admin/getting-started’. If we search for this string in our recorded session, we get the following requests:
当管理员登录到 Okta 管理控制面板时,他们将被重定向到 URL 为“admin/getting-started”的页面。如果我们在录制的会话中搜索此字符串,我们会收到以下请求:

We can see that the administrator logged in successfully since the HTTP response to the admin welcome page is ‘200’.
我们可以看到管理员已成功登录,因为对管理员欢迎页面的 HTTP 响应为“200”。

If we click on this specific response, we can examine the corresponding request and its headers:

All we need to do now is to replay that exact HTTP request. We open a new browser, with a local web proxy (Burp) that will intercept the requests. We then changed the original request headers to match those from the HAR file:
我们现在需要做的就是重放那个确切的 HTTP 请求。我们打开一个新的浏览器,使用本地 Web 代理 (Burp) 来拦截请求。然后,我们更改了原始请求标头,以匹配 HAR 文件中的请求标头:

How Threat Actors Leveraged HAR Files To Attack Okta’s Customers

When we forward the request, our browser sends the exact request, and the result is successful. At this point, we have an active session in the Okta admin dashboard, and we have full control of the tenant as long as additional authentication is not required:
当我们转发请求时,我们的浏览器会发送确切的请求,结果就成功了。此时,我们在 Okta 管理仪表板中有一个活动会话,只要不需要额外的身份验证,我们就可以完全控制租户:

How Threat Actors Leveraged HAR Files To Attack Okta’s Customers

Does The HAR File And Data Exfiltration Breach Impact Me?
HAR 文件和数据泄露漏洞会影响我吗?

The adversary accessed support files related to 134 Okta customers.Okta has already contacted you to inform you about the incident if you are one of these customers. 
攻击者访问了与 134 个 Okta 客户相关的支持文件。如果您是这些客户之一,Okta 已经与您联系以通知您有关此事件的信息。

In this case, you can use Okta’s IOCs (Appendix A) to hunt for suspicious activity in your organization.
在这种情况下,您可以使用 Okta 的 IOC(附录 A)来搜寻组织中的可疑活动。

According to Okta, the adversary also downloaded a report containing the contact information of all Okta support users. In 99.6% of the users in the list, the only contact information is their full name and email address. This information can be used for social engineering campaigns like phishing that target the contacts in that list.
根据 Okta 的说法,攻击者还下载了一份报告,其中包含所有 Okta 支持用户的联系信息。在列表中 99.6% 的用户中,唯一的联系信息是他们的全名和电子邮件地址。此信息可用于针对该列表中的联系人的社会工程活动,例如网络钓鱼。

Your contact information was leaked if you created an Okta support ticket before September 28, 2023, at 15:06 UTC.
如果您在 UTC 时间 2023 年 9 月 28 日 15:06 之前创建了 Okta 支持票证,则您的联系信息将被泄露。

Okta Mitigations To Prevent Hijacking
防止劫持的 Okta 缓解措施

Though the Okta HAR breach is recent, the concept of session hijacking is not, and there are a few Okta configurations that can be set to minimize the risk of your session being hijacked.
尽管 Okta HAR 漏洞是最近才发生的,但会话劫持的概念并非如此,并且可以设置一些 Okta 配置,以最大限度地降低会话被劫持的风险。

Configure The Global Session Policy to Limit Session Lifetime

With proper global session policy, all sessions will have a time limit of a few hours. It means that even if a valid session cookie is stolen from your environment, it will be revoked after the set time limit.

To configure, follow these steps:

  1. In the admin dashboard, navigate to Security > Global Session Policy.
  2. Edit your rules and enforce the following configuration:
  • Maximum Okta global session lifetime should be limited to a few hours
    最长 Okta 全局会话生存期应限制为几个小时
  • Maximum Okta global session idle time should be limited to a few hours
    最大 Okta 全局会话空闲时间应限制为几个小时
  • Okta global session cookies do not persist across browser sessions
    Okta 全局会话 Cookie 不会在浏览器会话中持续存在

Configure Admin Session Binding

An early access feature by Okta, that requires administrators to re-authenticate if their session is being reused from a different ASN, and reduces the chances for session hijacking.
Okta 的一项抢先体验功能,要求管理员在从其他 ASN 重用其会话时重新进行身份验证,并减少会话劫持的机会。

To configure, follow these steps:

  1. In the admin dashboard, navigate to Settings > Features.
  2. Under the Early Access section, search for a feature called “Bind Admin Sessions to ASN” and toggle it on.
    在抢先体验部分下,搜索名为“将管理员会话绑定到 ASN”的功能并将其打开。

With the above feature turned on, every session of an Okta administrator is bound to the origin of the initial administrative login. In case the session is hijacked from a different geographic location, the adversary will be prompted for login even if the session is still valid.
启用上述功能后,Okta 管理员的每个会话都将绑定到初始管理登录的来源。如果会话从不同的地理位置被劫持,即使会话仍然有效,也会提示对手登录。

Note: VPN services might also affect this feature. An administrator with an active session who logged in to a VPN service must re-authenticate.
注意:VPN 服务也可能影响此功能。具有活动会话的管理员登录到 VPN 服务时,必须重新进行身份验证。

Configure Best Practices for Authentication Policies 

Even though it would not prevent the initial access, it will reduce the adversary’s ability to perform lateral movement and reduce the risk of compromising additional identities.

  • Enforce MFA 强制执行 MFA
  • Enable Phishing Awareness
How Threat Actors Leveraged HAR Files To Attack Okta’s Customers

Detection Of Hijacked Session

Rezonate can use Okta’s audit logs to look for indications of session theft, as they have a field named authenticationContext.externalSessionId that can be used for aggregating activity by a user session. Using this field, Rezonate can hunt for an externalSessionId that is being used from two different geographic locations. If one of these geographic locations is anomalous, you should take immediate action and revoke the user sessions from the Okta admin console. Discover how Reazonate can assist you with Hijacking detection and overall ITDR today.
Rezonate 可以使用 Okta 的审计日志来查找会话盗窃的迹象,因为它们有一个名为 authenticationContext.externalSessionId 的字段,可用于聚合用户会话的活动。使用此字段,Rezonate 可以搜寻从两个不同地理位置使用的 externalSessionId。如果其中一个地理位置异常,您应立即采取措施,并从 Okta 管理控制台撤消用户会话。立即了解 Reazonate 如何帮助您进行劫持检测和整体 ITDR。

原文始发于Roy Akerman:How Threat Actors Leveraged HAR Files To Attack Okta’s Customers

版权声明:admin 发表于 2024年1月22日 下午7:02。
转载请注明:How Threat Actors Leveraged HAR Files To Attack Okta’s Customers | CTF导航