blackboard - stock.adobe.com
1Password stops attack linked to Okta breach
1Password said a threat actor used a HAR file stolen in the recent Okta breach to access the password manager's Okta tenant, but the activity was detected and blocked.
1Password is the third customer to confirm that it was affected by an Okta support system breach that the vendor disclosed last week, but said no user data was accessed during the attempted attack.
On Friday, Okta disclosed that a threat actor hacked its support case management system using a set of stolen credentials and viewed recent customer support case HTTP Archive (HAR) files that contained session tokens an adversary would later hijack in attempts to gain account access. Okta did not address the attack scope, but three customers have emerged as of Monday.
First, BeyondTrust revealed that it initially detected and reported the breach to Okta on Oct. 2, though its CTO Marc Maiffret emphasized that it took time to convince Okta it was the source. Cloudflare also issued a disclosure on Friday that confirmed that it detected an Okta-related attack on Oct. 18.
On Monday, 1Password disclosed that it discovered threat activity on Sept. 29 and determined that the initial attack vector was Okta's support system breach. So far, all three companies confirmed that the attacks did not affect customers.
"The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack," 1Password wrote in its security incident report.
According to the report, a threat actor abused a 1Password HAR file that contained session cookies and used the data to access the company's Okta administrative portal. The threat actor attempted to access the laptop of the IT support staff member who originally generated the HAR file and also requested a report of all administrative users, but both actions were blocked.
1Password CTO Pedro Canahuati shed light on the attack in a blog post Monday. He revealed that 1Password worked with Okta from Sept. 29 to Oct. 20, when it finally confirmed that the suspicious activity resulted from the support system breach.
The blog post also connected the support system breach to another security incident Okta disclosed on Aug. 31 that involved a wave of social engineering attacks.
"On September 29, 2023 a member of the IT team received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins. They recognized that they hadn't initiated the admin report and alerted our security incident response team," the security incident report read. "Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization."
The "known campaign" occurred between July 29 and Aug. 19 and compromised four Okta customers, including Caesars Entertainment. While Okta itself was not breached, a threat actor manipulated IT service desk personnel at targeted organizations and convinced them to reset all multifactor authentication factors to gain highly privileged roles in Okta accounts.
Okta's August disclosure and 1Password's recent disclosure both state that a threat actor set up their own identity provider (IdP) to connect to victims' Okta tenants. In the case of 1Password, a threat actor set up their own IdP on Google and attempted to connect it to 1Password's Okta tenant, but the attempt failed.
TechTarget Editorial asked 1Password for clarification regarding the recent attack and the August campaign, but a spokesperson said the company has "no evidence to confirm it's related to another incident." Okta did not respond to requests for comment at press time.
1Password said in the incident report that the attempted attack "highlights a number of security improvements" it will be prioritizing, though it did not specify any areas.
Arielle Waldman is a Boston-based reporter covering enterprise security news.