Cloudflare Mitigates Okta Compromise and Introduces HAR Sanitizer Tool

Severity: Medium (Score: 54.9)

Sources: Cloudflare.Tv, blog.cloudflare.com

Summary

On October 18, 2023, Cloudflare detected an attack originating from a compromised authentication token at Okta. The attackers accessed Cloudflare's Okta instance using session tokens from support tickets, but no customer data was impacted due to rapid response from Cloudflare's Security Incident Response Team (SIRT). This incident marks the second breach linked to Okta, following a previous incident in March 2022.

In response, Cloudflare has launched a HAR Sanitizer tool to secure the sharing of HTTP Archive files, which can contain sensitive information. The tool is available for free to all organizations, not just Cloudflare customers. Okta has acknowledged the breach and is urged to improve its security measures to prevent future incidents.

Key Points:

  • Cloudflare's SIRT detected an attack from a compromised Okta authentication token.
  • No customer data was impacted due to Cloudflare's rapid incident response.
  • Cloudflare released a free HAR Sanitizer tool to enhance security for HAR file sharing.

Key Entities

  • Data Breach (attack_type)
  • Cloudflare (company)
  • Okta (company)
  • Zendesk (company)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • systems.no (domain)
  • T1078 - Valid Accounts (mitre_attack)
  • T1133 - External Remote Services (mitre_attack)
  • T1539 - Steal Web Session Cookie (mitre_attack)
  • Drive (platform)
  • JIRA (platform)
  • O365 (platform)