BeyondTrust Discloses Limited Impact from Okta Incident

Category: Threat Actor Activity | Industry: Technology | Sources: BeyondTrust, Cloudflare, Okta & 1Password

BeyondTrust, an identity security platform, has disclosed it was affected in the security incident recently announced by Okta on October 20th, 2023. This incident occurred against BeyondTrust on October 2nd, 2023, during a legitimate customer support interaction, where BeyondTrust submitted an HTTP Archive (HAR) file to Okta, a file type known to contain sensitive data like cookies and session tokens; just as Okta had explained in their advisory. It was identified within 30 minutes of the data submission, that a threat actor had compromised the HAR file and utilized the session token. However, BeyondTrust's security controls played a pivotal role in mitigating the situation. As Chief Technology Officer Marc Maiffret explains in a blog post, the "Okta administrator’s account was protected with FIDO2 authentication, and policies within BeyondTrust’s Okta only allowed access to the admin console from managed devices with Okta Verify installed."

This strict security setup limited the attacker to executing admin API actions aimed at creating a backdoor user account, all while adhering to a naming convention similar to existing service accounts. BeyondTrust's swift identification of the incident enabled them to disable this rogue user account, effectively revoking the attacker's access. Recognizing the need for further intervention, BeyondTrust escalated the matter on October 3rd, to Okta as their investigation excluded the possibility of the compromise originating from within their system. Okta initiated contact with BeyondTrust on October 11th and subsequently identified the problem, ultimately reaching out to impacted customers on October 19th. Okta then released their recent advisory on October 20th, 2023. Okta's advisory did not shed light on the initial access method utilized by the threat actors.

1Password, and Cloudflare, also report limited impacts stemming from similar compromises. This incident dates back to September 29th, 2023, making 1Password the earliest known victim, followed by BeyondTrust on October 2nd and Cloudflare on October 18th. What sets these organizations apart is their robust implementation of multi-factor authentication (MFA) measures, with Cloudflare opting for hardware tokens and BeyondTrust mandating Okta Verify along with other security controls. This timeline and shared approach to MFA illustrate how organizations can fortify their security posture in the face of evolving threats.