{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-zone/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta Identity Engine"],"_cs_severities":["medium"],"_cs_tags":["okta","network-zone","impact"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eOkta network zones define trusted (or explicitly blocked) network boundaries for user access. A zone is configured with specific IP address ranges or, for dynamic zones, with locations, ASNs and proxy types, and it restricts access only when a sign-on policy, MFA rule or the tenant blocklist references it. When an Okta network zone is deactivated or deleted, the policies that reference it can no longer rely on that boundary, which can indicate a malicious actor weakening security controls to allow access from untrusted locations. This activity matters to defenders because it may signal a breach in progress or preparation for a future attack: compromised administrator accounts are routinely used to make unauthorized configuration changes in SaaS platforms. This alert covers activity within the Okta platform itself, as recorded in the Okta System Log.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Okta administrator account, typically through credential theft or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Okta Admin Console (or uses a stolen API token against the Zones API; both paths are recorded in the System Log).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the network zone configuration within the Admin Console.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target network zone that restricts access to critical resources.\u003c/li\u003e\n\u003cli\u003eThe attacker deactivates the target network zone, disabling its restrictions (Okta logs this as eventType zone.deactivate). Alternatively, the attacker deletes the network zone (zone.delete).\u003c/li\u003e\n\u003cli\u003eThe attacker may modify other security settings, such as MFA or sign-on policies, to further weaken the security posture.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the relaxed network restrictions to access sensitive applications or data from previously unauthorized locations.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration or lateral movement, using the compromised Okta session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deactivation or deletion of an Okta network zone can have serious consequences. It can lead to unauthorized access to sensitive applications and data, potentially resulting in data breaches, financial loss, and reputational damage. The impact is especially high if the affected zone was protecting critical infrastructure or sensitive customer data. Because one zone can be referenced by many policies, a single deactivated zone can expose every application those policies protect and the data of thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Okta Network Zone Deactivated or Deleted\u0026rdquo; Sigma rule to your SIEM to detect this activity (logsource product: okta, service: okta; detection: eventType equals zone.deactivate or zone.delete). Note that this rule does not cover zone.update, so an attacker who instead adds their own IP range to an existing trusted zone needs a separate detection.\u003c/li\u003e\n\u003cli\u003eInvestigate every detected deactivation or deletion to determine whether it was an authorized change: confirm a matching change record, and check the System Log actor (actor.alternateId), client.ipAddress and the target zone name, since a change made by an automation account looks very different from one made interactively by an administrator at an unusual hour.\u003c/li\u003e\n\u003cli\u003eReview Okta administrator account activity for signs of compromise, such as sign-ins from unusual locations or new devices, newly created API tokens, and further configuration changes shortly before or after the zone event.\u003c/li\u003e\n\u003cli\u003eEnforce phishing-resistant multi-factor authentication for all Okta administrator accounts, since credential theft or phishing is the entry point of the chain above.\u003c/li\u003e\n\u003cli\u003eMonitor the Okta System Log for other suspicious configuration changes, such as modifications to MFA policies, sign-on policy rules, or application assignments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:22:00Z","date_published":"2024-01-26T18:22:00Z","id":"/briefs/2024-01-26-okta-network-zone-changes/","summary":"An Okta network zone was deactivated or deleted, potentially indicating malicious activity aimed at bypassing security controls.","title":"Okta Network Zone Deactivation or Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-26-okta-network-zone-changes/"}],"language":"en","title":"CraftedSignal Threat Feed — Network-Zone","version":"https://jsonfeed.org/version/1.1"}
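The brief describes the detection (eventType zone.deactivate or zone.delete), the triage questions (who, from where, was it authorized) and the follow-on step of the attack chain (the same actor weakening MFA or sign-on policy). The script below, an added example that is not CraftedSignal's or Okta's code, runs that logic over a constructed Okta System Log extract: it matches the two zone event types, pulls the actor, source IP and target zone out of the standard System Log fields, lowers severity for an assumed change-management service account, and raises it to high when the same actor also changes a policy within 30 minutes. The allow-listed account, the follow-on event list and the correlation window are assumptions to tune per tenant; the log lines are made up.

```python
"""Run the advisory's detection logic over Okta System Log events.

Added example, not CraftedSignal's or Okta's code. Field names follow the
Okta System Log API (eventType, actor, client, target, outcome, published);
the events in SAMPLE_LOG are constructed, not real tenant data.
"""
import json
from datetime import datetime, timedelta

# Event types matched by the "Okta Network Zone Deactivated or Deleted" Sigma rule.
ZONE_EVENTS = {"zone.deactivate", "zone.delete"}

# Policy changes that, when made by the same actor shortly afterwards, mark the
# follow-on step of the attack chain. Assumed list; tune for your tenant.
FOLLOW_ON_EVENTS = {
    "policy.lifecycle.deactivate",
    "policy.lifecycle.update",
    "policy.rule.deactivate",
    "policy.rule.update",
}
CORRELATION_WINDOW = timedelta(minutes=30)

# Hypothetical change-management allow-list: the service account your IaC
# pipeline uses to manage zones. Its changes are still reported, at low severity.
EXPECTED_ACTORS = {"terraform-okta@example.com"}

# Constructed System Log extract (newline-delimited JSON, one event per line).
SAMPLE_LOG = """\
{"eventType":"user.session.start","published":"2024-01-26T18:01:00Z","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"admin.ops@example.com"},"client":{"ipAddress":"203.0.113.45"},"target":[]}
{"eventType":"zone.deactivate","published":"2024-01-26T18:05:12Z","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"admin.ops@example.com"},"client":{"ipAddress":"203.0.113.45"},"target":[{"type":"Zone","id":"zone-1","displayName":"Corporate VPN"}]}
{"eventType":"policy.rule.update","published":"2024-01-26T18:09:40Z","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"admin.ops@example.com"},"client":{"ipAddress":"203.0.113.45"},"target":[{"type":"PolicyRule","displayName":"Require MFA"}]}
{"eventType":"zone.delete","published":"2024-01-26T18:20:00Z","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"terraform-okta@example.com"},"client":{"ipAddress":"198.51.100.7"},"target":[{"type":"Zone","id":"zone-2","displayName":"Legacy Office"}]}
"""


def load_events(ndjson_text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def _published(event):
    # Okta publishes RFC 3339 timestamps with a trailing Z.
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _actor(event):
    return event.get("actor", {}).get("alternateId", "<unknown actor>")


def _zone_name(event):
    # The zone being changed appears in the target list with type "Zone".
    for target in event.get("target", []):
        if target.get("type") == "Zone":
            return target.get("displayName") or target.get("id")
    return "<unknown zone>"


def detect_zone_changes(events):
    """Emit one alert per zone.deactivate / zone.delete event.

    Severity is 'medium' (the advisory's rating) by default, 'low' when the
    actor is an expected automation account, and 'high' when the same actor
    also changes a policy within CORRELATION_WINDOW after the zone event.
    """
    events = sorted(events, key=_published)
    alerts = []
    for event in events:
        if event.get("eventType") not in ZONE_EVENTS:
            continue
        actor = _actor(event)
        start = _published(event)
        follow_on = [
            other["eventType"]
            for other in events
            if other.get("eventType") in FOLLOW_ON_EVENTS
            and _actor(other) == actor
            and start <= _published(other) <= start + CORRELATION_WINDOW
        ]
        if actor in EXPECTED_ACTORS:
            severity = "low"
        elif follow_on:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({
            "rule": "Okta Network Zone Deactivated or Deleted",
            "severity": severity,
            "event_type": event["eventType"],
            "zone": _zone_name(event),
            "actor": actor,
            "source_ip": event.get("client", {}).get("ipAddress"),
            "outcome": event.get("outcome", {}).get("result"),
            "published": event["published"],
            "follow_on_changes": follow_on,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_zone_changes(load_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Running it yields two alerts: the interactive administrator's zone.deactivate of "Corporate VPN" is rated high because the same account updated a policy rule four minutes later, while the automation account's zone.delete is reported at low severity. Failed attempts (outcome.result other than SUCCESS) are deliberately not filtered out, since a blocked attempt to remove a zone is itself worth a look.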