Lapsus$ Breaches Okta to Reach Customers’ Sensitive Data

Traced back to January of this year, Okta, a publicly traded identity and access management company announced yesterday that it has been impacted by a cyber-attack claimed by the data extortion group Lapsus$. Okta and Lapsus$ disagree regarding the success of the breach, while companies like Cloudflare and T-Mobile are addressing how they were affected as hundreds more are still learning how they were impacted. 

What happened?

Yesterday, Tuesday, March 22, Okta announced it had been hacked by the Lapsus$ group. Lapsus$ is well known for breaching high-profile companies, stealing sensitive data, and threatening to leak it if payments are not made. Lapsus$ gained access to the authentication firm’s internal systems and posted screenshots as proof of the successful infiltration to its telegram channel late on Monday. The group stated their target was not Okta databases but rather its customers. In the screenshots, Lapsus$ show they had control over an Okta internal administrative account and the company’s Slack channel for 2 months which Okta say they believe is related to a security incident earlier in the year. The scope of the breach is still unclear and more has yet to be learned. 

How did it happen?

On January 16, 2022, Okta identified an attempt to compromise a customer support engineer’s account belonging to a third-party provider. This incident, which opened a five-day-long window until Jan. 21, enabled Lapsus$ access to the support engineer’s laptop that has the authority to reset customer passwords. The images, later published on Twitter as well, showed the email address of an Okta employee who has “Superuser/Admin” privileges that allow access to support tickets, MFA resetting, password resets, and view users. 

What are the effects?

As mentioned, Lapsus$ is a well-known ransomware group that looks for as big a payout as possible. Okta’s breach is a classic scenario for the group as they maximize their profits by infiltrating one organization that supports thousands of other big and small players with sensitive data. With a global wide spread of 15,000 customers and more than 100 million registered users, who are all now on high alert, Okta claim only 2.5% have been impacted by the attackers. Their customers include companies such as Cloudflare, T-Mobile, FedEx, Coinbase, Grubhub. At this time, Okta says its service has not been breached and remains fully operational. 

Lapsus$ claims to have also breached Microsoft’s environment and gained access to development and collaboration platforms, where they continue to steal additional credentials for further use and also leaked 37 GB of source code of Microsoft projects. Although Lapsus$ emerged just several months ago, it has made its mark on victims including Samsung, Nvidia, Ubisoft, and some Latin American targets like Brazil’s Ministry of Health.  

What is being done about it?

Okta has released a statement on their website addressing the incident. The company assures that just like regular procedures, they alerted the third-party provider and terminated that user’s active Okta sessions and suspended that specific account. The 375 compromised customers (out of 15,000) have been identified and contacted directly. Okta announced and confirmed that its customers do not need to take any corrective actions at this time. 

What measures are being taken to prevent this in the future?

The Lapsus$ group has been stirring up noise over the last few months, attacking all kinds of organizations and creating chaos. Their recent behavior shows a shift in focus from only financial gain to creating a buzz to generate and build a reputation amongst their peers and friends. This means that a targeted company that wants to negotiate payment with Lapsus$ may be surprised to learn they will still leak their data regardless of agreed terms. The way in which Lapsus$ carries out their attacks shows how a single point of failure in security can go far and reach wide. Considering the steps being taken by the attackers, having all aspects of security covered such as monitoring to identify any anomalous behavior and threat intelligence to look out for leaks, is absolutely critical.

At the moment, all that can be done to prevent such events from repeating themselves in the future is to first recognize that everyone is a target, the only question is, are you a means to an end, or are you the end target. Starting with the basics like maintaining software updates and restricting users according to the principle of least privilege can sometimes halt an attacker in their steps.