Recently, 1Password, a popular password management solution detected suspicious activity on its Okta instance on September 29. This event followed a support system breach, but the company was swift to reassure its user base that no user data was compromised in the process.
Swift Action and No Compromise
Pedro Canahuati, the CTO of 1Password, stated in a Monday notice that, “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.” This prompt and effective response underscores the importance of a well-prepared security strategy.
Understanding the Breach
The breach unfolded when a member of the IT team inadvertently shared a HAR file with Okta Support. Subsequently, the threat actor exploited a session cookie and engaged in a series of actions:
1. Attempted Dashboard Access
The threat actor’s first move was an attempt to access the IT team member’s user dashboard, but Okta’s robust security measures promptly thwarted this endeavor.
2. Manipulating IDP
Next, the threat actor updated an existing IDP connected to 1Password’s production Google environment. This step had the potential to compromise critical systems.
3. Activation of IDP
The threat actor activated the manipulated IDP, increasing the stakes of the breach by establishing a foothold within the organization’s infrastructure.
4. Request for Administrative User Report
As part of their strategy, the threat actor requested a report of administrative users, which could have serious implications if successful.
Strengthening Security
In response to this incident, 1Password has taken several proactive measures to bolster its security posture. These include:
– Denying Logins from Non-Okta IDPs
To mitigate the risk of similar breaches, 1Password has opted to deny logins from non-Okta IDPs, thereby restricting access to authorized personnel.
– Reducing Session Times for Administrative Users
By reducing session times for administrative users, 1Password aims to minimize the window of opportunity for potential attackers.
– Enhanced Multi-Factor Authentication (MFA) Rules
To add an extra layer of defense, 1Password has tightened MFA rules for administrators, making it more challenging for unauthorized access attempts to succeed.
– Decreasing the Number of Super Administrators
In an effort to limit potential points of compromise, 1Password has taken steps to decrease the number of super administrators within its systems.
A Familiar Threat
1Password noted that this incident bears similarities to a known campaign where threat actors target super admin accounts. The attackers then seek to manipulate authentication flows and establish secondary identity providers to impersonate users within the affected organization. This emphasizes the importance of safeguarding super admin accounts from potential compromise.
A Larger Context
It’s essential to consider that the threat landscape evolves continuously. Okta had previously warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions. Whether this recent breach is connected to groups like Scattered Spider remains uncertain. Scattered Spider, also known as 0ktapus, Scatter Swine, or UNC3944, has a track record of targeting Okta using social engineering tactics to obtain elevated privileges.
Broader Implications
This incident follows Okta’s revelation that unidentified threat actors leveraged stolen credentials to infiltrate its support case management system and pilfer sensitive HAR files. These files can be weaponized to infiltrate the networks of Okta’s customers. Notably, the breach impacted about 1 percent of Okta’s customer base, with other affected companies, including BeyondTrust and Cloudflare.
