1Password also affected by Okta Support System breach

Following in the footsteps of BeyondTrust and CloudFlare, 1Password has revealed that it has been affected by the Okta Support System breach.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” said 1Password’s CTO Pedro Canahuati.

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

The Okta Support System breach

David Bradbury, Chief Security Officer at Okta, disclosed last Friday that an attacker has “leveraged access to a stolen credential to access Okta’s support case management system” and “view files uploaded by certain Okta customers as part of recent support cases.”

The files in question are HTTP Archive (HAR) files, which are generated by web browsers to log interactions with a website. Okta’s support team asks customers to share these files so they can troubleshoot issues by replicating browser activity.

“HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users,” he explained.

Bradbury says that the production Okta service and the company’s Auth0/CIC case management system have not been impacted, and that the company notified all customers that were impacted by this.

BeyondTrust and Cloudflare

Soon after Okta’s announcement, BeyondTrust and Cloudflare confirmed that they were among the customers affected by the breach. Both companies revealed that they detected attacker activity before getting notified by Okta.

“On October 2nd, 2023, the BeyondTrust security teams detected an identity-centric attack on an in-house Okta administrator account,” said Marc Maiffret, CTO at BeyondTrust.

“The initial incident response indicated a possible compromise at Okta of either someone on their support team or someone in position to access customer support-related data.”

They raised their concerns of a breach to Okta on the same day, but it took 17 days for Okta security leadership to notify them of the breach and the fact that they were one of their affected customers.

The attacker used the session cookie from this support ticket to attempt to:

• Access the BeyondTrust Okta admin console (and was blocked)
• Generate a password health report using the API of the Okta admin console
• Gain access to main Okta dashboard (denied)

The threat actor succeeded in using Okta’s official API to create a fake service account, but the company’s security team immediately disabled it and revoked the attacker’s access before the account could be used and preventing any further actions.

“We saw no evidence of other irregular activity across all other privileged Okta users in Identity Security Insights, no evidence of other suspicious Okta accounts being created, and no evidence of any unusual activity in the targeted user’s account before this incident,” Maiffret added.

Cloudflare’s engineers and CSO Grant Bourzikas said that they discovered attacks on their system on Wednesday, October 18, 2023.

“The attacker used an open session from Okta, with Administrative privileges, and accessed our Okta instance,” they explained.

The threat actor compromised two separate Cloudflare employee accounts within the Okta platform, but the company’s security team cut their access before they were able to establish persistence.

They also pointed out that this is the second time Cloudflare has been impacted by a breach of Okta’s systems.

The first one happened in early 2022, but threat actors couldn’t access Cloudflare systems or data because the company uses of hardware keys for multi-factor authentication (MFA). (The use of phishing-resistant MFA also helped Cloudflare avoid getting breached by phishers later that same year.)

“The key to mitigating this week’s incident was our team’s early detection and immediate response,” the Cloudflare team said.

1Password

In the run-up to the attack, a member of the 1Password IT team shared a HAR file with Okta support, the company explained in an internal incident report they shared with the public.

In the early morning hours of September 29, 2023, the threat actor used the same Okta session that was used to create the HAR file to access the Okta administrative portal.

The attacker then tried to access the IT team member’s user dashboard (and was blocked by Okta), updated an existing IDP (identity provider) tied to 1Password’s production Google environment and activated it, and requested a report of administrative users.

“The final action in that list resulted in an email being sent to the member of the IT team and alerted them to this event. At this point it is known that the unknown actor performed other less sensitive actions (such as viewing groups) that did not result in log entries; Okta is working to pull log entries for these actions for us to review,” they added.

1Password’s security team removed the Google IDP that the attacker enabled, so they couldn’t use it when they returned on October 2.

“In both cases, the actor accessed Okta via a server hosted by LeaseWeb in the US, and used a very similar and older version of Chrome (though different operating systems). It is unknown if the actor possesses valid Google account credentials that would have allowed them to complete a login via this IDP.”

They noted that they found no compromise of user data or other sensitive systems in their follow-up investigation.

1Password’s incident report reveals how the company traced the attempted breach back to a compromise of Okta’s Support System.

Advice for Okta customers

Okta, BeyondTrust and CloudFlare have shared indicators of compromise and detections that can help other companies check for evidence of these specific attacks. They’ve also shared helpful insights and recommended security posture improvements.

Okta says that all customers who were impacted have been notified and urged all customers to sanitize credentials and cookies/session tokens within HAR files before sharing it with Okta’s support team.

“Modern identity-based attacks can be complex, and as this attack shows, can originate from environments outside your own.

BeyondTrust’s CTO Maiffret noted that while good specific policies and internal controls to limit things like how HAR files are shared are necessary, defense in depth is important to spot and block modern identity-based attacks.

“The failure of a single control or process should not result in breach. Here, multiple layers of controls — e.g. Okta sign on controls, identity security monitoring, and so on, prevented a breach,” he pointed out.

UPDATE (October 30, 2023, 04:40 a.m. ET):

In the wake of the breach, Cloudflare has created and made available for everyone HAR File Sanitizer, a tool that removes sensitive content from HAR files so they can be safely shared with support teams.