BeyondTrust Says It Took Okta Nearly 3 Weeks to Confirm Breach It First Spotted

A breach of Okta’s support case management system using a stolen credential allowed attackers to access sensitive files uploaded by the identity security giant’s customers.
The San Francisco-based company said the threat actor could view files uploaded by some customers as part of recent support cases, Okta Chief Security Officer David Bradbury wrote in a blog post Friday. Privileged access management firm BeyondTrust, an Okta client, first raised concerns about a breach Oct. 2 but didn’t receive any notice that a compromise had occurred until Thursday.
“Modern identity-based attacks can be complex, and as this attack shows, can originate from environments outside your own,” BeyondTrust Chief Technology Officer Marc Maiffret wrote in a blog post Friday. “Defense in depth is important though. The failure of a single control or process should not result in a breach.”
Okta’s stock fell $9.89 – or 11.57% – to $75.57 per share in trading Friday, which is the lowest the firm’s stock has traded since Aug. 30. Okta’s breach was first reported Friday by Krebs on Security and followed by the publication of blogs from Bradbury and Maiffret. The news comes a month after Reuters said hackers had breached Okta software at MGM and Caesars and broken into systems at three other companies (see: MGM Resorts Says Hotels ‘Operating Normally’ After Attack).
Bradbury said that, as part of normal business, Okta support asks customers to upload an HTTP Archive, or HAR, file, which allows for troubleshooting by replicating browser activity. The files contain cookies and session tokens that malicious actors can use to impersonate valid users. Okta has worked with affected customers to investigate and has revoked the session tokens embedded in the uploaded files.
“Attacks such as this highlight the importance of remaining vigilant and being on the lookout for suspicious activity,” Bradbury wrote in the blog post. “In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR [HTTP Archive] file before sharing it.”
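The sanitization Okta recommends can be automated before a HAR file ever leaves the customer's machine. The script below is an added example, not Okta's or BeyondTrust's tooling: it redacts Cookie, Set-Cookie and Authorization headers, the parsed cookie arrays, and token-like query parameters (both in the queryString list and in the raw URL) from a constructed sample capture; the header and parameter name lists are assumptions a team would tune to its own applications.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header and query-parameter names whose values carry credentials or session material (assumed list)
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
SENSITIVE_PARAMS = {"token", "sessiontoken", "access_token", "id_token", "code", "sid"}

def _scrub_pairs(pairs, names):
    # HAR headers, queryString and cookies are lists of {"name": ..., "value": ...}
    for item in pairs:
        if item.get("name", "").lower() in names:
            item["value"] = REDACTED

def _scrub_url(url):
    # A token listed in queryString is normally also present in the raw URL
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return a deep copy of a HAR with cookies, auth headers and session tokens redacted."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            for cookie in msg.get("cookies", []):  # parsed cookies repeat the header values
                cookie["value"] = REDACTED
        req = entry.get("request", {})
        _scrub_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
    return out

def count_redactions(har):
    """Number of redacted values, a quick check that scrubbing actually touched the file."""
    return json.dumps(har).count(REDACTED)

SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{  # constructed sample, not a real capture
    "request": {"method": "GET", "url": "https://idp.example.invalid/api/users?sessionToken=abc123",
                "headers": [{"name": "Cookie", "value": "sid=SECRET1"},
                            {"name": "Authorization", "value": "Bearer SECRET2"},
                            {"name": "Accept", "value": "application/json"}],
                "queryString": [{"name": "sessionToken", "value": "abc123"}],
                "cookies": [{"name": "sid", "value": "SECRET1"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=SECRET3; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "SECRET3"}]}}]}}
```

Run `sanitize_har` on the parsed HAR and write the result out as JSON; `count_redactions` returning zero on a capture of an authenticated session is a sign the name lists need extending.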
BeyondTrust Details Disclosure Delays by Okta
BeyondTrust security teams on Oct. 2 saw an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system, according to Maiffret. The initial incident response indicated a possible compromise at Okta – by either someone on the support team or someone in a position to access customer support-related data. That prompted BeyondTrust to contact Okta (see: BeyondTrust CEO on Merging Privileged, Infrastructure Access).
Maiffret said BeyondTrust had asked Okta support on Oct. 3 to escalate the incident to Okta’s security team, given initial forensics pointing to a compromise within Okta’s support organization and concern that other Okta customers might be exposed. Okta didn’t provide any information about a known compromise or ongoing security incident at that time, according to Maiffret.
Then on Oct. 11, BeyondTrust met over Zoom with a member of Okta’s information security team to share its findings and request additional log data related to support case data access. Two days later, BeyondTrust received support logs from Okta that contained several discrepancies, prompting a request for more detailed logs related to the discrepancies, given that other Okta customers were likely affected.
Finally, on Thursday, Maiffret said, Okta’s security leadership called to confirm there had in fact been a breach and that BeyondTrust was one of the customers exposed. Maiffret said customer policy controls blocked the attacker’s initial activity, but limitations in Okta’s security models allowed the attacker to perform a few confined actions. BeyondTrust subsequently verified that the attacker had not gained access to its systems.
“BeyondTrust would like to thank Okta for working with us to protect mutual customers,” Maiffret wrote. “We appreciate their transparency in reporting this breach, notifying affected customers, and highlighting further investigative steps.”
Okta Deputy CISO Charlotte Wylie told Krebs on Security that Okta had initially believed that BeyondTrust’s Oct. 2 alert didn’t result from a breach of its systems. By Tuesday, Wylie said, Okta had identified and contained the incident, though she declined to answer questions about how long the intruder may have had access to the company’s case management account. Okta believes the adversary is one it has seen before.
“This is a known threat actor that we believe has targeted us and Okta-specific customers,” Wylie told Krebs on Security. Okta didn’t immediately respond to an Information Security Media Group request for comment on BeyondTrust’s blog post.
