Security researchers said on Thursday that while Okta's disclosure a day earlier that its GitHub repositories were accessed is unrelated to two other attacks this year, it does raise concerns that all of these breaches may be part of a larger event and could foreshadow a significant supply chain attack against organizations that rely on Okta for identity and access services.
“This continues an awful year for Okta in terms of cybersecurity, adding to high-profile issues in March and September,” said Craig Burland, chief information officer at Inversion6.
Burland said as an Okta customer, he would ask three questions: Is there a fundamental problem with how Okta is managing its environments? Has the Okta platform been somehow compromised that would threaten my operation? What, if anything, can I do quickly to minimize or mitigate the risk to my organization?
“How Okta responds to this event and reassures its customers will set the tone for 2023 and may be telling about Okta’s future as the premier provider in this space,” said Burland.
In a public statement, Okta said the incident caused no impact to any customers, including any HIPAA, FedRAMP or DoD customers. The company maintains no action is required by customers.
Okta explained that in early December 2022, GitHub notified it of possible suspicious access to Okta code repositories. Upon investigation, Okta concluded that this access was used to copy Okta code repositories.
“Our investigation concluded that there was no unauthorized access to the Okta service, and no unauthorized access to customer data,” said Okta. “Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully operational and secure. As soon as Okta learned of the possible suspicious access, we promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications.”
Zaid Al Hamami, founder and CEO at BoostSecurity, said there’s “always a possibility” these events could be a part of a broader supply chain attack. Al Hamami said source code may contain vulnerabilities and/or tokens that have not been found prior, or were left in the code to be resolved later.
“Experienced attackers may try to take advantage of those vulnerabilities to attack the service directly,” said Al Hamami. “On the supply chain front, attackers may uncover details about how the service is built, tested, and deployed. For example, the attackers could learn about individual packages that make their way into the building of the Okta service, and try to target those as a way to compromise the build chain. The same applies for the configuration and components used in the various steps of their software supply chain.”
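Al Hamami's point that copied source code may carry tokens that were never removed is the reason defenders scan repositories for hardcoded credentials before (and after) a leak. The following is an added illustration of that check, written for this article and not code from Okta, BoostSecurity or any scanner product: it walks constructed sample source lines (labelled as constructed in the code) and flags assignments whose name looks credential-like or whose quoted value has high Shannon entropy, the two heuristics most secret scanners combine. The keyword list, entropy threshold and length cut-off are assumptions to tune per code base.

```python
"""Hypothetical secret scanner: flags credential-looking assignments in source text.

Added example for this article; not Okta's or any vendor's code.
"""
import math
import re
from dataclasses import dataclass

# Matches 'NAME = "value"' / 'name: "value"' / 'export NAME="value"' on one line.
# The value must be quoted and at least 6 characters long.
ASSIGNMENT_RE = re.compile(
    r"""(?ix)
    ^\s*(?:export\s+)?                    # optional shell 'export'
    (?P<name>[A-Za-z_][A-Za-z0-9_.]*)     # variable / key name
    \s*[:=]\s*
    ["'](?P<value>[^"']{6,})["']          # quoted value, 6+ chars
    """
)

# Substrings that commonly mark a credential (coarse; assumed list, tune locally).
SECRET_KEYWORDS = ("token", "secret", "password", "passwd", "api_key",
                   "apikey", "credential", "private_key", "deploy_key")
ENTROPY_THRESHOLD = 3.5      # bits per character; assumed starting point
MIN_HIGH_ENTROPY_LEN = 20    # short values are judged by name only


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str
    reason: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per line that looks like a hardcoded credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if any(k in name.lower() for k in SECRET_KEYWORDS):
            findings.append(Finding(line_no, name, "credential-like name"))
        elif (len(value) >= MIN_HIGH_ENTROPY_LEN
              and shannon_entropy(value) >= ENTROPY_THRESHOLD):
            findings.append(Finding(line_no, name, "high-entropy value"))
    return findings


# Constructed sample source (not from any real repository); values are made up.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
# TODO: remove before release
API_TOKEN = "sk_live_9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d"
LOG_LEVEL = "debug"
password = "hunter2"
SIGNING_BLOB = "aB3dE6gH9jK2mN5pQ8sT1vW4yZ7xC0fI"
BANNER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""


def scan_sample() -> list[Finding]:
    """Scan the constructed sample; expected hits are lines 3, 5 and 6."""
    return scan_source(SAMPLE_SOURCE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.name} ({f.reason})")
```

The two heuristics catch different misses: the name check finds `password = "hunter2"` even though the value is low-entropy, and the entropy check finds the opaque `SIGNING_BLOB` even though nothing in its name says "secret", while the long but uniform `BANNER` value stays below the threshold. In practice this runs as a pre-commit hook and as a CI job over full history, and any hit is treated as a credential to rotate, not just a line to delete.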