On October 2nd, 2023, the BeyondTrust security teams detected an identity-centric attack on an in-house Okta administrator account. We immediately detected and remediated the attack through our own Identity Security tools, resulting in no impact or exposure to BeyondTrust's infrastructure or to our customers. The incident was the result of Okta's support system being compromised, which allowed an attacker to access sensitive files uploaded by their customers.

The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta's support system. Custom policy controls blocked the attacker's initial activity, but limitations in Okta's security model allowed them to perform a few confined actions. BeyondTrust's own Identity Security Insights tool alerted the team to the attack, and they were able to block all access and verify that the attacker did not gain access to any systems. The initial incident response indicated a possible compromise at Okta of either someone on their support team or someone in a position to access customer support-related data. We raised our concerns of a breach to Okta on October 2nd. Having received no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta until October 19th, when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers. Okta has now issued a statement confirming the breach that we detected nearly three weeks ago.

Again, while there was no exposure to BeyondTrust or our customers, we are sharing details of the attack to educate other Okta users and infosec professionals. For BeyondTrust customers who leverage our Identity Security Insights product, we have also outlined the various detections that would alert you to this type of attack, along with recommendations to better control your attack surface and limit the possibility and impact of Okta-focused attacks.

On October 2nd, 2023, an Okta support agent requested that a BeyondTrust Okta administrator generate a HAR file to assist in resolving an ongoing support issue the administrator was working on. HAR files are HTTP archives that can be generated by a web browser to log interactions with a website, in this case used for debugging an issue with the site. Because a HAR file records the complete headers of every request and response, including Cookie and Authorization headers, it captures any session tokens that were in use when it was recorded, and it must be sanitized before it is shared with anyone.

The administrator complied with the request and generated a HAR file containing an API request and a session cookie, which was uploaded to the Okta support portal. The Okta administrator's account was protected with FIDO2 authentication, and policies within BeyondTrust's Okta only allowed access to the admin console from managed devices with Okta Verify installed. Within 30 minutes of the administrator uploading the file to Okta's support portal, an attacker used the session cookie from this support ticket to attempt actions in the BeyondTrust Okta environment. Note that the phishing-resistant authenticator never came into play: the cookie represented a session that had already been authenticated, so no second authentication was required to use it. BeyondTrust's custom policies around admin console access initially blocked them, but they pivoted to using admin API actions authenticated with the stolen session cookie. API actions cannot be protected by policies in the same way as actual admin console access. Using the API, they created a backdoor user account using a naming convention like that of existing service accounts. Our own instance of BeyondTrust's Identity Security Insights, and tailored detections from our security teams, alerted us to several aspects of the intrusion. We immediately disabled the backdoor user account and revoked the attacker's access before the account could be used, preventing any further actions. We saw no evidence of other irregular activity across all other privileged Okta users in Identity Security Insights, no evidence of other suspicious Okta accounts being created, and no evidence of any unusual activity in the targeted user's account before this incident.

Below is the detailed timeline of events:

- A BeyondTrust Okta administrator uploads a browser recording (HAR file) at the request of Okta support, related to ongoing troubleshooting of a non-security-related support issue.
- Within 30 minutes of the support file upload, there was an attempt to access the BeyondTrust Okta admin console as the BeyondTrust Okta administrator, using an IP address in Malaysia linked to anonymizing proxy/VPN services.
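The root of this incident was a HAR file that carried a live session cookie into a support ticket. The following is an added example (not BeyondTrust's or Okta's code) of how to strip credentials from a HAR file before uploading it. It assumes only the standard HAR 1.2 JSON layout (`log.entries[].request/response.headers`, `.cookies`, `.postData`, `.content`); the header names in `SENSITIVE_HEADERS`, the cookie names and token values in the embedded sample, and the `svc-` style names are constructed for the example.

```python
"""Strip session cookies and bearer tokens from a HAR file before it leaves your hands.

Usage: python har_sanitize.py capture.har sanitized.har
"""
import copy
import json
import sys

# Header names whose values carry credentials (matched case-insensitively).
# Extend this set for any custom auth headers your own stack uses.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

# Constructed sample HAR (not a real capture): one authenticated API call and one
# token request, both carrying credentials in headers, cookies and bodies.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                 "headers": [{"name": "Cookie", "value": "sid=abc123; JSESSIONID=xyz"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "abc123"},
                             {"name": "JSESSIONID", "value": "xyz"}],
                 "postData": {"mimeType": "application/json", "text": "{}"}},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=abc123; Secure; HttpOnly"},
                              {"name": "Content-Type", "value": "application/json"}],
                  "cookies": [{"name": "sid", "value": "abc123"}],
                  "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"}}},
    {"request": {"method": "POST", "url": "https://example.okta.com/oauth2/v1/token",
                 "headers": [{"name": "Authorization", "value": "Bearer eyJ.fake.token"}],
                 "cookies": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "grant_type=client_credentials"}},
     "response": {"status": 200, "headers": [], "cookies": [],
                  "content": {"mimeType": "application/json",
                              "text": "{\"access_token\":\"eyJ.fake\"}"}}},
]}}


def _redact_named_values(items, names):
    """Redact `value` of every {name, value} pair whose name is in `names`; return hit count."""
    hits = 0
    for item in items or []:
        if item.get("name", "").lower() in names and item.get("value"):
            item["value"] = REDACTED
            hits += 1
    return hits


def sanitize_har(har, drop_bodies=True):
    """Return (sanitized_copy, report). The input object is left untouched.

    drop_bodies=True also blanks request/response bodies, since token endpoints
    and login flows echo credentials there; set it False only if the support
    case genuinely needs the bodies and you have checked them by hand.
    """
    har = copy.deepcopy(har)
    report = {"headers": 0, "cookies": 0, "bodies": 0}
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            report["headers"] += _redact_named_values(msg.get("headers"), SENSITIVE_HEADERS)
            # The parsed `cookies` array duplicates the Cookie/Set-Cookie headers;
            # every cookie value is treated as a credential, whatever its name.
            for cookie in msg.get("cookies") or []:
                if cookie.get("value"):
                    cookie["value"] = REDACTED
                    report["cookies"] += 1
        if drop_bodies:
            for body in (entry.get("request", {}).get("postData"),
                         entry.get("response", {}).get("content")):
                if body and body.get("text"):
                    body["text"] = REDACTED
                    report["bodies"] += 1
    return har, report


def count_credentials(har):
    """Count credential values still present: use it as a pre-upload gate (must be 0)."""
    found = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            found += sum(1 for h in msg.get("headers") or []
                         if h.get("name", "").lower() in SENSITIVE_HEADERS
                         and h.get("value") and h["value"] != REDACTED)
            found += sum(1 for c in msg.get("cookies") or []
                         if c.get("value") and c["value"] != REDACTED)
    return found


if __name__ == "__main__":
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="utf-8") as f:
        clean, report = sanitize_har(json.load(f))
    with open(dst, "w", encoding="utf-8") as f:
        json.dump(clean, f, indent=2)
    print(f"redacted {report}; remaining credentials: {count_credentials(clean)}")
```

Sanitizing is a mitigation for the upload, not for the session: a cookie that has already been captured stays valid until the session is revoked, so after sharing an unsanitized HAR the right response is to end all sessions for that administrator, not merely to delete the file.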
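The detections that caught this intrusion rested on two observable signals: an existing admin session suddenly acting from a different country through an anonymizing proxy, and a new user created with a service-account-style name by that session. The following is an added example (not BeyondTrust's Identity Security Insights logic, and not Okta's code) that runs those two rules over Okta System Log events. It assumes the documented System Log field names (`eventType`, `actor.alternateId`, `client.ipAddress`, `client.geographicalContext.country`, `securityContext.asNumber`, `securityContext.isProxy`, `authenticationContext.externalSessionId`, `target`); the events themselves and the `svc-` naming convention are constructed for the example.

```python
"""Flag session-cookie reuse from a new origin and backdoor-account creation in Okta System Log events."""

# Assumed service-account naming convention; replace with your own.
SERVICE_ACCOUNT_PREFIXES = ("svc-", "svc_")

# Constructed sample events (not real BeyondTrust or Okta data). Field names follow the
# Okta System Log schema. One session: it starts in the US, is then used from Malaysia
# via a proxy to create "svc-okta-sync2", and later creates an ordinary user legitimately.
SAMPLE_LOG = [
    {"published": "2023-10-02T14:01:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "admin@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.10",
                "geographicalContext": {"country": "United States"}},
     "securityContext": {"asNumber": 64500, "isProxy": False},
     "authenticationContext": {"externalSessionId": "sess-A"},
     "outcome": {"result": "SUCCESS"}, "target": []},
    {"published": "2023-10-02T14:25:00Z", "eventType": "user.lifecycle.create",
     "actor": {"alternateId": "admin@example.com", "type": "User"},
     "client": {"ipAddress": "198.51.100.77",
                "geographicalContext": {"country": "Malaysia"}},
     "securityContext": {"asNumber": 64999, "isProxy": True},
     "authenticationContext": {"externalSessionId": "sess-A"},
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "svc-okta-sync2@example.com"}]},
    {"published": "2023-10-02T15:00:00Z", "eventType": "user.lifecycle.create",
     "actor": {"alternateId": "admin@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.10",
                "geographicalContext": {"country": "United States"}},
     "securityContext": {"asNumber": 64500, "isProxy": False},
     "authenticationContext": {"externalSessionId": "sess-A"},
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "jane.doe@example.com"}]},
]


def _origin(ev):
    """(ip, country, asn) of the client that sent this event."""
    client, sec = ev.get("client", {}), ev.get("securityContext", {})
    return (client.get("ipAddress"),
            client.get("geographicalContext", {}).get("country"),
            sec.get("asNumber"))


def detect(events):
    """Return a list of (rule, session_id, detail) findings, in event order.

    Rules:
      session_origin_changed           same externalSessionId now seen from another country
      anonymizing_proxy                Okta's securityContext.isProxy set on the request
      user_create_from_hijacked_session user created while either signal above is active
      service_account_lookalike        new user's name matches the service-account convention
    """
    session_origin = {}  # externalSessionId -> (ip, country, asn) at session start
    findings = []
    for ev in sorted(events, key=lambda e: e["published"]):
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        ip, country, asn = _origin(ev)
        if ev["eventType"] == "user.session.start":
            session_origin.setdefault(sid, (ip, country, asn))
            continue
        hijacked = False
        origin = session_origin.get(sid)
        # Country is compared rather than IP or ASN: admins legitimately roam between
        # networks within minutes, but a session rarely crosses a border that fast.
        if origin and origin[1] != country:
            hijacked = True
            findings.append(("session_origin_changed", sid,
                             f"{origin[1]}/AS{origin[2]} -> {country}/AS{asn} ({ip})"))
        if ev.get("securityContext", {}).get("isProxy"):
            hijacked = True
            findings.append(("anonymizing_proxy", sid, ip))
        if ev["eventType"] == "user.lifecycle.create":
            actor = ev.get("actor", {}).get("alternateId")
            for t in ev.get("target", []):
                if t.get("type") != "User":
                    continue
                name = t.get("alternateId", "")
                if hijacked:
                    findings.append(("user_create_from_hijacked_session", sid,
                                     f"{actor} created {name} from {ip}"))
                if name.lower().startswith(SERVICE_ACCOUNT_PREFIXES):
                    findings.append(("service_account_lookalike", sid,
                                     f"{actor} created {name}"))
    return findings


if __name__ == "__main__":
    for rule, sid, detail in detect(SAMPLE_LOG):
        print(f"{rule:36} {sid:8} {detail}")
```

Correlating on `externalSessionId` is what makes the first rule specific: it compares the request against the origin of the very session whose cookie was stolen, rather than against the user's general history, so a legitimate login from a new location (which would start a new session) does not fire. In production the same logic runs over the System Log API or a SIEM feed, and a hit on `user_create_from_hijacked_session` is the moment to clear the admin's sessions and disable the new account, as BeyondTrust did.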