Popular password management solution 1Password said it detected suspicious activity on its Okta instance on September 29 following the support system breach, but reiterated that no user data was accessed.
“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” Pedro Canahuati, 1Password CTO, said in a Monday notice.
The breach is said to have occurred using a session cookie after a member of the IT team shared a HAR file with Okta Support, with the threat actor performing the below set of actions –
- Attempted to access the IT team member’s user dashboard, but was blocked by Okta
- Updated an existing IDP tied to our production Google environment
- Activated the IDP
- Requested a report of administrative users
The company said it was alerted to the malicious activity after the IT team member received an email about the “requested” administrative user report.
1Password further said it has since taken a number of steps to bolster security by denying logins from non-Okta IDPs, reducing session times for administrative users, tighter multi-factor authentication (MFA) rules for admins, and decreasing the number of super administrators.
“Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization,” 1Password said.
It’s worth pointing out that the identity services provider had previously warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions.
As of writing, it’s currently not known if the attacks have any connection to Scattered Spider (aka 0ktapus, Scatter Swine, or UNC3944), which has a track record of targeting Okta using social engineering attacks to obtain elevated privileges.
The development comes days after Okta revealed that unidentified threat actors leveraged a stolen credential to break into its support case management system and steal sensitive HAR files that can be used to infiltrate the networks of its customers.
The company told The Hacker News that the event impacted about 1 percent of its customer base. Some of the other customers who have been affected by the incident include BeyondTrust and Cloudflare.
“The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack,” 1Password said.