Customers speak out over Okta’s response to latest breach

Cyber security companies BeyondTrust and Cloudflare have criticised identity and access management (IAM) specialist Okta after both became ensnared in yet another cyber attack against the latter’s systems.

BeyondTrust said it detected an identity-centric attack on an in-house Okta admin account on 2 October 2023, which used a valid session cookie stolen from Okta. It said that its own systems were able to cut the attacker off before there was any impact, but added that its supplier’s response had not been on the ball.

“On 2 October 2023, an Okta support agent requested a BeyondTrust Okta administrator generate a HAR file to assist in resolving an ongoing support issue the administrator was working on. HAR files are HTTP archives that can be generated by a web browser to log interactions with a website, in this case used for debugging an issue with the site,” said BeyondTrust.

“The administrator complied with the request and generated a HAR file containing an API request and a session cookie which was uploaded to the Okta support portal.

“Within 30 minutes of the administrator uploading the file to Okta’s support portal, an attacker used the session cookie from this support ticket, attempting to perform actions in the BeyondTrust Okta environment.”

BeyondTrust said its own admin console access policies blocked them, after which the threat actor tried to pivot to using admin API actions, which enabled them to create a backdoor user account. Now alerted to the activity, BeyondTrust was swiftly able to quash this before the intruder could get any further. It said it saw no evidence of other irregular activity across any other privileged Okta users. It added that the attempt apparently originated from an IP address in Malaysia known to be associated with VPN/anonymising proxy services.

It said that while its initial incident response clearly showed a compromise of an Okta customer support agent or someone in a position to access customer support data, it received no acknowledgement from its initial approach, and had to make repeated attempts to escalate until 19 October, 17 days later, when Okta notified it that it had been affected in a breach.

Speaking to Computer Weekly’s sister title TechTarget Security, BeyondTrust CTO Marc Maiffret lamented the sluggish response from Okta, that he attributed in part to the company’s teams being distracted by its Oktane user conference in the US, and said he had struggled to convince the supplier it had been compromised again.

“We didn’t get the sense at the beginning that they saw it as a plausible thing that it might be them. I wish that from the beginning they would have been more open to that as an idea. I was on the very last call that I had with them before they called to tell us something had happened. I was racking my brain because I started to feel a bit like a crazy person, like maybe we were missing something,” he said.

In a conversation with TechTarget editorial, Maiffret also alleged that there were discrepancies in the customer support logs he requested from Okta to review, which further dented his confidence.

Cloudflare, meanwhile, discovered it had been attacked on October 18 via the same method. It said it detected the account 24 hours before being informed by Okta, but that its own zero-trust architecture had prevented any downstream impact.

Citing BeyondTrust’s experience, Cloudflare called on its supplier to consider taking steps to shore up its internal security practices.

“We urge Okta to consider implementing the following best practices, including such as taking any report of compromise seriously and act immediately to limit damage – in this case, Okta was first notified on 2 October 2023 by BeyondTrust, but the attacker still had access to their support systems at least until 18 October 18,” it said in a blog post.

Cloudflare said Okta should also: “Provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them; [and] require hardware keys to protect all systems, including third-party support providers.

“For a critical security service provider like Okta, we believe following these best practices is table stakes,” it said.

Okta CISO David Bradbury said: “Okta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.

“Attacks such as this highlight the importance of remaining vigilant and being on the lookout for suspicious activity,” he said.

Bradbury said that Okta additionally recommended sanitising all credentials and cookies or session tokens within a HAR file before sharing it.

Commenting on the latest attack to befall Okta customers, Tyler Reese, Netwrix product management director, said that since the incident involved sensitive tokens in Okta’s possession, customers had no reasonable ability to proactively invalidate them, making additional defensive measures a must.

“The first set of defences should include strong, hardware-based authentication for privileged accounts, and operating from a trusted system. In cases documented by both BeyondTrust and Cloudflare, they were using hardware FIDO2 tokens that allowed the security teams to rule out potential credential breaches,” said Reese.

“The second set of defences should be robust auditing and detection of privileged accounts from the identity systems. It was mentioned in one of the reports that even with the use of FIDO2, the compromised token can still be used to execute privileged API calls. The attacker tried to create a privileged account disguised as a service account.”

Reese added: “With supply chain attacks in general, the biggest challenge is unpredictability: once a provider has been breached, it is difficult to know where the attacker will move with their privilege. If they are a software provider, they may look to introduce vulnerabilities into the software. If they are a financial services provider, they could look to exfiltrate data for extortion.

“The best that organisations can do is to adopt the concepts of the zero-trust approach which encourages monitoring, zero standing privileges, and strong posturing and integrity of an organisation's cyber assets.”