A threat actor accessed an Okta support system administrator account with a stolen credential, marking the second string of attacks to hit the identity and access management provider or its customers’ Okta environments since late July.
The threat actor viewed files containing sensitive data, which were uploaded by some customers as part of recent support cases, Okta CSO David Bradbury said Friday in a blog post.
Okta declined to say how many customers were impacted by the attack, which began about two months after four of its customers fell victim to social-engineering attacks that compromised the accounts of highly privileged users.
Weeks later, threat actors linked to the early September ransomware attack against MGM Resorts claimed to have accessed the hotel and gaming company’s Okta environment prior to the attack.
The identity-based attack was first discovered by BeyondTrust's security team, which shared concerns of a breach with Okta on Oct. 2. Okta’s security team didn’t meet with BeyondTrust, an Okta customer affected by the attack, until Oct. 11 and confirmed the internal breach on Thursday, BeyondTrust CTO Marc Maiffret said Friday in a blog post.
The gap between BeyondTrust’s discovery of an attacker trying to access an in-house Okta administrator account and Okta’s confirmation and disclosure suggests the threat actor had access to Okta’s support system for more than two weeks.
“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” Bradbury said in the blog post.
Okta declined to answer specific questions and pointed back to Bradbury’s post on the incident.
Cloudflare was also impacted by the intrusion of Okta’s support system when a threat actor used an authentication token compromised at Okta to gain access to Cloudflare’s Okta environment.
Cloudflare contained the breach and confirmed no customer information or systems were impacted, the company said in a Friday blog post.
The content delivery network and cybersecurity firm avoided multiple attacks linked to Okta last year, including a breach of an Okta support engineer’s system in January 2022 and a phishing attack involving a spoofed Cloudflare Okta login page that three employees fell for in August 2022.
Cloudflare CSO Grant Bourzikas and other security staff at the company said they also contacted Okta about the Oct. 18 breach before Okta notified Cloudflare. “It appears that in our case, the threat actor was able to hijack a session token from a support ticket which was created by a Cloudflare employee,” Bourzikas and his colleagues said in the blog post.
“In this sophisticated attack, we observed that threat actors compromised two separate Cloudflare employee accounts within the Okta platform,” the blog post said. “We detected this activity internally more than 24 hours before we were notified of the breach by Okta.”
BeyondTrust’s investigation determined the threat actor accessed a session cookie from a support ticket containing sensitive information BeyondTrust uploaded to Okta’s support panel as part of an ongoing issue.
The threat actor attempted to perform actions in the BeyondTrust Okta environment within thirty minutes of the HTTP Archive file being uploaded, Maiffret said in the blog post.
A non-default security policy configuration blocked the threat actor’s access to the Okta console, but the attacker then used Okta’s admin API to create a backdoor user account, which was quickly disabled by BeyondTrust’s security team, according to Maiffret.
Okta said all impacted customers have been notified and Bradbury emphasized the support case management system is separate from the production Okta service environment, which is fully operational and not impacted.
Editor’s note: This story has been updated to include details Cloudflare shared about a breach of its Okta environment linked to this string of attacks.