Security leaders at BeyondTrust and Cloudflare remain confident the October breaches of their Okta environments were contained before the threat actor caused any damage to their systems or customers. But concerns about what the executives observed during those attacks linger, as do a host of unanswered questions.
Browser log files BeyondTrust and Cloudflare sent to Okta support staff included session tokens that a threat actor hijacked from an Okta support system administrator account. The threat actor used those sessions to access customers’ administrative accounts without authenticated logins, high-severity events that set off alarm bells at the companies.
While BeyondTrust, Cloudflare and 1Password detected and thwarted any threat actor damage, worries remain about how the attacks might have played out for other, less security-focused businesses. Okta last month said it has more than 18,400 business customers.
The almost three-week gap between BeyondTrust’s discovery of an attacker trying to access an in-house Okta administrator account and Okta’s disclosure that it was the source of the breach remains a point of concern.
The timeline between breaches of the Okta environments suggests its support system may have been compromised for weeks — 1Password identified an incident on Sept. 29 and a similar incident didn’t occur for Cloudflare until Oct. 18.
“I was very worried if they weren't coming and telling us that there's an issue that maybe there's something going on that they don't know about,” BeyondTrust CTO Marc Maiffret said. “Until they confirmed, I felt a little bit like a crazy person just trying to get some root cause understanding.”
Okta publicly confirmed a threat actor accessed a support system administrator account with a stolen credential on Oct. 20. The identity and access management provider has yet to disclose how or when the threat actor first gained access, how many customers are impacted or the extent of damage caused.
Okta has also yet to formally disclose the attack with the Securities and Exchange Commission. The company did not respond to multiple requests for comment.
Downstream victim worries
BeyondTrust and Cloudflare shared details about what they observed and how they defended their systems against further compromise because other impacted organizations may not have the same level of security expertise. Default controls would not alert an organization to this type of attack.
For Cloudflare, this alert first came in at 4 a.m. Eastern time on Oct. 18, Cloudflare CSO Grant Bourzikas told Cybersecurity Dive.
It is critical for organizations to assess their supply chain and third-party risk because it’s such a huge avenue for downstream attacks, according to Bourzikas.
“I have this ranked as the highest risk to the organization — access,” Bourzikas said.
The vast majority of breaches are caused by access or a foothold into an environment and organizations need to pay close attention to this risk and make sure they’re using the right controls, Bourzikas said.
“It's important that you protect, detect, and respond. But in this scenario, some of the controls we had were validation” of every point of access and changes made in the environment, Bourzikas said.
BeyondTrust and Cloudflare credited zero trust concepts and other non-default controls they had in place, including strict multifactor authentication mandates and detection tools, with minimizing the impact to their systems.
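The pattern the two companies caught, an existing session continuing from a different client without any fresh login, is what a non-default detection control has to look for. The following is an added example, not code from Cloudflare, BeyondTrust or Okta: it runs a simple session-consistency check over a handful of constructed session-activity records. The record layout (`session`, `ip`, `ua`, `event` names such as `session.start` and `admin.request`) is an assumption for illustration and not any vendor's log schema.

```python
from collections import defaultdict

# Constructed session-activity records for the example; the field names and
# event names are assumptions, not a real identity provider's log format.
SAMPLE_EVENTS = [
    {"ts": "2023-10-18T07:55:00Z", "event": "session.start", "session": "s-1",
     "user": "alice", "ip": "203.0.113.10", "ua": "Chrome/118"},
    {"ts": "2023-10-18T08:00:00Z", "event": "admin.request", "session": "s-1",
     "user": "alice", "ip": "203.0.113.10", "ua": "Chrome/118"},
    # Same session token, but now from a different address and client.
    {"ts": "2023-10-18T08:03:00Z", "event": "admin.request", "session": "s-1",
     "user": "alice", "ip": "198.51.100.7", "ua": "curl/8.1"},
    {"ts": "2023-10-18T08:10:00Z", "event": "session.start", "session": "s-2",
     "user": "bob", "ip": "192.0.2.5", "ua": "Firefox/118"},
    {"ts": "2023-10-18T08:12:00Z", "event": "admin.request", "session": "s-2",
     "user": "bob", "ip": "192.0.2.5", "ua": "Firefox/118"},
    # A session that produces admin activity although no login was ever recorded.
    {"ts": "2023-10-18T08:20:00Z", "event": "admin.request", "session": "s-9",
     "user": "carol", "ip": "198.51.100.7", "ua": "curl/8.1"},
]


def detect_session_reuse(events):
    """Return findings for sessions that act without an observed login, or whose
    client fingerprint (ip, user agent) changes with no new session.start."""
    origin = {}                      # session id -> fingerprint seen at login
    reported = defaultdict(set)      # session id -> fingerprints already flagged
    findings = []
    for e in sorted(events, key=lambda r: r["ts"]):
        sid = e["session"]
        fp = (e["ip"], e["ua"])
        if e["event"] == "session.start":
            origin[sid] = fp
            continue
        if sid not in origin:
            reason = "activity without an observed login"
        elif origin[sid] != fp:
            reason = "client fingerprint changed mid-session"
        else:
            continue
        if fp in reported[sid]:
            continue                 # one finding per (session, client), not per request
        reported[sid].add(fp)
        findings.append({
            "session": sid,
            "user": e["user"],
            "ts": e["ts"],
            "ip": e["ip"],
            "ua": e["ua"],
            "origin_ip": origin.get(sid, (None,))[0],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(SAMPLE_EVENTS):
        print(f)
```

Over the sample records this yields two findings: session `s-1` when it continues from a new address and user agent, and `s-9`, which has administrative activity but no login at all. In practice the fingerprint would be enriched with ASN or device-binding data and the login lookback window bounded, but the logic is the same: a session is only as trustworthy as the authentication that started it.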
“It’s hard when you’re up against this sort of stuff because you have to get all this level of detail and nuance right and that’s just this one area of technology that we’re talking about, let alone everything else you might have,” Maiffret said.
Okta and other identity infrastructure “is as complex as all the stuff that it promised to simplify,” Maiffret said.
Okta’s lack of urgency, transparency
Okta CSO David Bradbury’s blog post about the intrusion of Okta’s support system offered few details about what happened and focused more on the need for customers to strip cookies and session tokens out of HTTP Archive files before sharing them with support staff.
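Stripping session material out of an HTTP Archive before it leaves the organization is straightforward to automate, and automating it removes the reliance on every engineer remembering to do it by hand. The following is an added example, not Okta's tooling or code from the post: it redacts cookies, credential-bearing headers, token-like query parameters and request bodies from a HAR document, and reports how many values it touched plus a check for any secret string that survived. The sample HAR, the header and parameter name lists, and the host `example.okta.com` are constructed for the example and should be extended to match whatever a given application puts in its requests.

```python
import copy
import json
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Starting lists (assumptions for the example): extend for the application in use.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-api-key", "x-csrf-token"}
SENSITIVE_PARAMS = {"sessiontoken", "token", "access_token", "id_token", "code", "state"}

# Constructed HAR 1.2 fragment; the token values are placeholders, not real secrets.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/api/v1/users/me?sessionToken=abc123&expand=group",
        "headers": [
            {"name": "Cookie", "value": "sid=SESSVAL; JSESSIONID=JSESSVAL"},
            {"name": "Authorization", "value": "Bearer BEARERVAL"},
            {"name": "Accept", "value": "application/json"},
        ],
        "queryString": [{"name": "sessionToken", "value": "abc123"},
                        {"name": "expand", "value": "group"}],
        "cookies": [{"name": "sid", "value": "SESSVAL"}],
        "postData": {"mimeType": "application/json", "text": "{\"password\": \"hunter2\"}"},
    },
    "response": {
        "status": 200,
        "headers": [
            {"name": "Set-Cookie", "value": "sid=NEWSESS; Path=/; HttpOnly"},
            {"name": "Content-Type", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "NEWSESS"}],
        "content": {"mimeType": "application/json", "text": "{\"id\": \"00u1\"}"},
    },
}]}}


def _redact_named(pairs, names):
    """Redact the value of every {name, value} pair whose name is in `names`."""
    n = 0
    for item in pairs:
        if item.get("name", "").lower() in names and item.get("value") != REDACTED:
            item["value"] = REDACTED
            n += 1
    return n


def _redact_url(url):
    """Redact sensitive query parameters inside the request URL itself."""
    parts = urlsplit(url)
    out, n = [], 0
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k.lower() in SENSITIVE_PARAMS:
            out.append((k, REDACTED))
            n += 1
        else:
            out.append((k, v))
    return (url, 0) if n == 0 else (urlunsplit(parts._replace(query=urlencode(out, safe="[]"))), n)


def sanitize_har(har, strip_bodies=True):
    """Return (sanitized copy, number of values redacted). Cookies are always
    cleared; bodies are cleared unless strip_bodies=False is explicitly chosen."""
    clean = copy.deepcopy(har)
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        count += _redact_named(req.get("headers", []), SENSITIVE_HEADERS)
        count += _redact_named(resp.get("headers", []), SENSITIVE_HEADERS)
        for cookie in req.get("cookies", []) + resp.get("cookies", []):
            if cookie.get("value") != REDACTED:
                cookie["value"] = REDACTED
                count += 1
        count += _redact_named(req.get("queryString", []), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            count += n
        if strip_bodies:
            for body in (req.get("postData"), resp.get("content")):
                if body and body.get("text"):
                    body["text"] = REDACTED
                    count += 1
    return clean, count


def leaks(har, secrets):
    """Post-sanitization check: which of the known secret strings still appear anywhere?"""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


if __name__ == "__main__":
    # Usage: python sanitize_har.py capture.har capture.clean.har
    with open(sys.argv[1]) as f:
        clean, n = sanitize_har(json.load(f))
    with open(sys.argv[2], "w") as f:
        json.dump(clean, f, indent=2)
    print(f"redacted {n} values")
```

The `leaks` check is worth running with the actual session cookie value copied from the browser before the file is sent: a redaction pass can only remove what it knows to look for, so confirming that the live token is absent catches headers or parameters the lists missed.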
Okta’s lack of transparency and urgency is what’s still nagging Bourzikas and Maiffret.
“If there’s a problem, immediately fix it with urgency and make sure that the problem goes away. These are things they can do,” Bourzikas said.
Okta is “a trusted provider of identity to some of the most critical organizations in the world” — it needs to show it’s taking this seriously by ensuring “there are no more breaches in this fashion,” Bourzikas said.
Cloudflare is evaluating its relationship with Okta as it is across all of its vendors to ensure defenses are bolstered for its customers, Bourzikas said.
Cloudflare is all too familiar with these risks, having avoided multiple attacks linked to Okta last year, including a breach of an Okta support engineer’s system in January 2022 and a phishing attack involving a spoofed Cloudflare Okta login page that three employees fell for in August 2022.
The security leaders at Cloudflare and BeyondTrust haven’t completely lost trust in Okta, but signs of strain are in full view in the wake of the latest attack. 1Password declined to answer questions and instead referred back to its blog post and incident report.
“The most important thing for everybody is just always to have transparency. It sucks for these things to happen but you can’t learn or grow from it unless you’re just being honest about what it is,” Maiffret said.
“We have all our same security worries like anybody else,” Maiffret said. “Just do the right thing, try to be as forthcoming as you can.”