1Password confirms attacker tried to pull list of admin users after Okta intrusion


1Password has confirmed it was attacked by cyber criminals after Okta was breached for the second time in as many years, but says customers' login details are safe.

The company said the attack was initially detected on September 29 by a member of 1Password's IT team, who received an email indicating that they had ordered a report containing a list of all 1Password admins.

Knowing they had not ordered this report, the IT staffer quickly engaged the company's incident response team. The responders found a suspicious IP address and later realized that an unknown attacker had accessed the company's Okta instance with admin privileges.

The investigation found no evidence of data exfiltration or of access to any systems outside of Okta. Instead, the attacker was observed attempting to "lay low" and scout for intelligence that might later enable a bigger, more sophisticated attack.

"We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing," said Pedro Canahuati, CTO at 1Password, in a blog post.

Before being removed from the network, the attacker performed actions including:

  • Attempted access to the 1Password IT staffer's user dashboard (Okta blocked this)
  • Updated an existing identity provider (IDP) tied to 1Password's Google production environment to impersonate the company's users
  • Activated that IDP
  • Requested a report of all admin users

How the 1Password attack unfolded

The attack on 1Password began in the same way as others in this recent campaign: the attacker obtained an HTTP Archive (HAR) file that had been uploaded to Okta's customer support portal.

Uploading HAR files to Okta's customer support portal is common practice when Okta support is engaged with a customer.

The HAR file contained a record of the traffic between the IT team member's browser and Okta's servers, and with it other data such as the session cookie. Anyone holding that cookie can present it to Okta and be treated as the already-authenticated user, without a password or a second factor.
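As an added example (not code from 1Password, Okta or The Register), the following Python script redacts the material in a HAR file that an attacker could replay: Cookie/Set-Cookie and Authorization headers, the cookies arrays, token-bearing query parameters, and JWT- or Bearer-shaped strings in request and response bodies. The header names, parameter names and cookie names it treats as sensitive, and the sample capture it runs on, are assumptions constructed for this example, not an Okta specification.

```python
"""Strip credentials and session material from a HAR (HTTP Archive) file.

Added example; not code from 1Password, Okta or The Register. HAR 1.2 is JSON:
log.entries[] each hold a request and a response, both with headers[] and
cookies[] arrays of {name, value} objects, plus optional request.postData.text
and response.content.text bodies. The header names, parameter names and token
patterns below are assumptions chosen for this example.
"""
import json
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

REDACTED = "[REDACTED]"

# Headers that carry a credential or a session (matched case-insensitively).
SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization",
    "x-okta-xsrftoken",  # assumed name for illustration
}
# Query-string parameters whose values are treated as secrets (assumed list).
SENSITIVE_PARAMS = {"token", "sessiontoken", "session_token", "code",
                    "id_token", "access_token"}
# Token-looking substrings in bodies: "Bearer <token>" and JWT-shaped strings
# (a JWT header always starts with eyJ, the base64url encoding of '{"').
TOKEN_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+|eyJ[\w-]+\.[\w-]+\.[\w-]*")


def _redact_pairs(pairs, should_redact, stats):
    """Overwrite .value of every {name, value} object whose name passes should_redact."""
    for item in pairs or []:
        if should_redact(item.get("name", "")):
            item["value"] = REDACTED
            stats["headers_cookies"] += 1


def _redact_url(url, stats):
    """Blank the values of sensitive query parameters, keeping the rest of the URL."""
    parts = urlsplit(url)
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            value = REDACTED
            stats["url_params"] += 1
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def _redact_text(text, stats):
    """Replace Bearer tokens and JWTs inside a body, keeping the 'Bearer ' prefix."""
    new, count = TOKEN_RE.subn(lambda m: (m.group(1) or "") + REDACTED, text)
    stats["body_tokens"] += count
    return new


def sanitize_har(har):
    """Return (sanitized deep copy, stats). The input dict is left unmodified."""
    har = json.loads(json.dumps(har))  # deep copy via JSON round-trip
    stats = {"headers_cookies": 0, "url_params": 0, "body_tokens": 0}
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        for msg in (req, resp):
            _redact_pairs(msg.get("headers"), lambda n: n.lower() in SENSITIVE_HEADERS, stats)
            _redact_pairs(msg.get("cookies"), lambda n: True, stats)  # every cookie value
        if isinstance(req.get("url"), str):
            req["url"] = _redact_url(req["url"], stats)
        post = req.get("postData", {})
        if isinstance(post.get("text"), str):
            post["text"] = _redact_text(post["text"], stats)
        content = resp.get("content", {})
        if isinstance(content.get("text"), str):
            content["text"] = _redact_text(content["text"], stats)
    return har, stats


# Constructed sample capture, not a real HAR; all secret values are placeholders.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/login/sessionCookieRedirect?token=20111abcSESSIONTOKEN&redirectUrl=%2Fadmin",
        "headers": [
            {"name": "Host", "value": "example.okta.com"},
            {"name": "Cookie", "value": "sid=102AbCdEfSESSION; JSESSIONID=9F3C"},
            {"name": "Authorization", "value": "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.sig"},
        ],
        "cookies": [{"name": "sid", "value": "102AbCdEfSESSION"}, {"name": "JSESSIONID", "value": "9F3C"}],
        "postData": {"mimeType": "application/json", "text": "{\"sessionToken\":\"eyJhbGciOiJub25lIn0.eyJ4IjoieSJ9.\"}"},
    },
    "response": {
        "status": 302,
        "headers": [
            {"name": "Set-Cookie", "value": "sid=NEWSESSIONVALUE; Path=/; Secure; HttpOnly"},
            {"name": "Location", "value": "/admin/dashboard"},
        ],
        "cookies": [{"name": "sid", "value": "NEWSESSIONVALUE"}],
        "content": {"mimeType": "text/html", "text": "<html>redirecting</html>"},
    },
}]}}

if __name__ == "__main__":
    clean, stats = sanitize_har(SAMPLE_HAR)
    print(json.dumps(stats))
    print(json.dumps(clean, indent=2))
```

Run it over a capture before handing the file to any vendor's support portal. The returned stats say how many values were rewritten, and the original dict is left intact so the redacted copy can be diffed against it. Every cookie value is overwritten rather than only a known session cookie name, because the cookie that grants access is not always the one you expect; headers such as Host and Location, which support needs for diagnosis, are kept.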

At some point after 1Password engaged Okta's support and before the support provider interacted with the HAR file, an attacker was able to access it and use the session it contained to reach Okta's admin portal, according to the incident response report.

"It is not known how the actor gained access to this session, though it has been confirmed that the generated HAR file contained the necessary information for an attacker to hijack the user's session," the report read.

"This was confirmed by IT creating a HAR file, and Security using Burp Suite to force the browser to use the session cookies captured in the HAR file to reproduce the events of the incident."

Originally, there was some confusion over how this was carried out. Initial investigations focused on Okta's side, but logs revealed that all of the attacker's actions occurred before the Okta support provider accessed the HAR file, eliminating the possibility of a rogue support staffer.

Attention then turned to the 1Password IT worker, who had uploaded the HAR file over a public Wi-Fi network at a hotel, but this avenue also proved fruitless.

"Based on an analysis of how the file was created and uploaded, Okta's use of TLS and HSTS, and the prior use of the same browser to access Okta, it is believed that there was no window in which this data could have been exposed to the Wi-Fi network, or otherwise subject to interception."

Finally, the IT staffer's macOS device was scanned for malware but showed no sign of any malicious activity, either on the device or in their user accounts.

The main suspicion continued to be malware until last week, when Okta publicized the issues it was facing with a number of its customers, including 1Password. The attacker had compromised Okta's internal support systems, which is how they were able to access the 1Password IT team member's HAR file after it was sent to Okta support.

After terminating the intrusion, 1Password rotated the IT team member's credentials and restricted their MFA so that their YubiKey was the only way to satisfy it.

A number of configuration changes were also made to the company's Okta instance, including tightening MFA rules, reducing admin session lifetimes and the number of super admin accounts, and denying logins from non-Okta IDPs.

Another Okta nightmare

1Password joins BeyondTrust and Cloudflare on the list of high-profile customers that have mitigated attacks brought on by Okta's issues.

Cloudflare was quick to highlight that this is the second time security failings at Okta have led to attacks on the web performance and security company.

In March 2022 it was revealed that, during a five-day window, a Lapsus$ attacker had remote access to an Okta support engineer's machine, though Cloudflare found no evidence of actual compromise of its Okta tenant.

At the time, according to screenshots posted by the attackers, their level of access suggested they had the power to change customers' users' passwords, but that would not have affected Cloudflare, which requires a combination of passwords and hardware keys for MFA.

As in the 1Password case, a Cloudflare session token was hijacked after it was created for an Okta support engagement. Cloudflare said it was able to detect and mitigate the intrusion into its Okta instance more than 24 hours before Okta notified it.


It was a similar story at BeyondTrust: a stolen session token, immediate detection and remediation, and, apparently, knowledge of the breach before Okta had it.

"We raised our concerns of a breach to Okta on October 2nd," BeyondTrust said in its disclosure.

"Having received no acknowledgment from Okta of a possible breach, we persisted with escalations within Okta until October 19th when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers."

Okta confirmed in its October 20 disclosure that all customers impacted by the incident have been notified.

"Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens," it said.

"In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.

"Attacks such as this highlight the importance of remaining vigilant and being on the lookout for suspicious activity." ®