Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, confirmed that its private GitHub repositories were hacked this month. According to an email notification reported by BleepingComputer, and later confirmed by Okta security post, the incident involves threat actors stealing Okta's source code. The leaked Okta source code pertains to the Workforce Identity Cloud repository and does not pertain to any Auth0 (Customer Identity Cloud) products.
After a thorough investigation, ThreatLabz determined that Zscaler has not been impacted by the Okta breach. While Zscaler does use Okta internally for employees as an Identity Provider (IDP), all access to our production environments requires multiple additional factors including hardware tokens not provided by Okta. You can read our security trust post here.
Source code repositories should undergo periodic and systematic security assessments to ensure the confidentiality and integrity of the codebase. Developer and administrator access control audits, server and platform patching, and configuration reviews should be periodically performed to ensure that repositories are secure and that data is not lost or compromised.
Assumed-breach scenarios and red team exercises should be leveraged against your code repositories to assess the impact of a successful external attack. The feedback from such activities should be used to strengthen security posture, inform incident response capabilities, and prepare for real-life incidents such as one reported by Okta.
Consider the following with respect to securing your code repositories from compromise:
We are sharing our SOC playbook that organizations can leverage to perform assessment and response activities for this type of breach.
The Zscaler Security team has developed Security Operations Center (SOC) playbooks for identity (IDP) providers and Code Repositories such as GitHub. This playbook provides security analysts and researchers fast track access to threat identification and remediation at the user level. Suspicious behaviors trigger a security action workflow: for example, moving a user to a higher-access security group, changing multi-factor authentication methods, unauthorized access to our code repositories or other anomalous and potentially dangerous user behaviors.
A review of identity provider logs for indicators of compromise associated with this attack should include the following steps:
The process to enable Threat Detection for Identity Provider (IDP) like Okta using a SOC Playbook should be well-defined with specific workflows and actions. Okta has pre-built log ingestion modules for many of the common SIEM solutions. Once events are ingested, a number of queries can be created and easily leveraged for signs of a potential compromise or other suspicious activities. While they are not a comprehensive set of queries, they serve as a solid starting point for a security investigation.
Detection Name |
Detection Query |
MFA Deactivation Attempt |
event.dataset:okta.system and event.action:user.mfa.factor.deactivate |
MFA Reset Attempt |
event.dataset:okta.system and event.action:user.mfa.factor.reset_all |
MFA Push Brute Force Attempt |
sequence by user.email with maxspan=10m [any where event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"] [any where event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"] [any where event.module == "okta" and event.action == "user.authentication.sso"] |
MFA Bypass Attempt |
event.dataset:okta.system and event.action:user.mfa.attempt_bypass |
Account Login Brute Force Attempt |
event.dataset:okta.system and event.action:user.account.lock |
User Session Impersonation |
event.dataset:okta.system and event.action:user.session.impersonation.initiate |
Group Administrative Privilege Assignment |
event.dataset:okta.system and event.action:group.privilege.grant |
User Administrative Privilege Assignment |
event.dataset:okta.system and event.action:user.account.privilege.grant |
Policy Rule Modification |
event.dataset:okta.system and event.action:policy.rule.update |
Policy Rule Deletion |
event.dataset:okta.system and event.action:policy.rule.delete |
Policy Rule Deactivation |
event.dataset:okta.system and event.action:policy.rule.deactivate |
Similarly, you may want to monitor your Github logs for suspicious activity to ensure that a similar breach does not happen to your organization. Here are some suggested queries. Please refer to relevant MITRE ATT&CK TTPs for your code repositories.
Detection Name |
Detection Query |
Enterprise Owner added |
business.add_admin |
SAML SSO Disabled |
business.disable_saml |
2FA Disabled |
business.disable_two_factor_requirement |
Enterprise Admin Invited |
business.invite_admin |
Github Connect Created |
dotcom_connection.create |
Anonymous Git Access Enabled |
enterprise.config.enable_anonymous_git_access |
Git Push to Repo |
git.push |
Git Clone to Repo |
git.clone |
Migration Created |
migration.create |
Secret Keys Created |
oauth_application.generate_client_secret |
Forking to Private Repo Enabled |
private_repository_forking.enable |
User Public Key Created |
public_key.create |
Pull Request |
pull_request.create |
Repo Downloaded as Zip |
repo.download_zip |
Integration Created |
integration.create |
Following are some of the recommendations to enhance your security posture against similar scenarios involving your Identity Provider (IDP) and Source code repositories to protect your organization:
The Zscaler platform is built on a holistic zero trust architecture that offers defense-in-depth against supply chain and compromised user attacks, mitigating incidents such as this in the following ways:
About ThreatLabz
ThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.
By submitting the form, you are agreeing to our privacy policy.