Okta Inc., an authentication company used by thousands of organizations across the world, is at the center of a potential data breach attributed to the data-extortion group Lapsus$. On March 21, 2022, the threat actor posted screenshots on Telegram showing the group's operators inside Okta's internal systems. The screenshots also show Okta's Slack channels, as well as another internal system with a Cloudflare interface.
The threat actors claim that they have had administrative access to Okta's internal systems for two months. According to Okta's public statement on the alleged breach, in late January 2022 the company detected an attempt by an attacker to compromise the account of a third-party customer support engineer working for one of its sub-processors. Okta's spokesperson, Chris Hollis, stated that the matter was investigated and contained.
Lapsus$ released a total of 8 photos on Telegram, which showed sensitive information and Okta user identities. Despite this evidence, Okta does not believe that the current screenshots are connected to a new incident, because it found no evidence of ongoing malicious activity after January's attempted breach. The company believes that the screenshots relate to the January 2022 incident, but cyber security researcher Bill Demirkapi believes that the published screenshots are credible. Other researchers also believe that the breach is real and have advised Okta customers to remain vigilant. More than 15,000 customers use Okta's authentication platform.
Image 1: Screenshot of Lapsus$ Telegram Message
In addition to Okta, Microsoft may have been hit by Lapsus$ as well. The threat actor claimed to have gained access to Microsoft's internal systems on March 20, 2022, when they posted a screenshot of what appeared to be a Microsoft Azure DevOps account in their Telegram channel. Azure DevOps is a Microsoft product that allows developers to collaborate on projects. The screenshots have since been deleted, but they included images of internal projects including Bing and Cortana source code, as well as WebXT compliance engineering projects. Lapsus$ stated that they had obtained 90% of the source code for Bing and 45% of the code for Bing Maps and Cortana. Cyber security researcher Kevin Beaumont stated that Microsoft had multiple code signing certificates leaked as well. Microsoft stated that it is aware of the threat actors' claims and is investigating the matter.
Lapsus$ is also taking responsibility for breaching Samsung, Ubisoft, Impresa, and Nvidia. In February 2022, Lapsus$ attacked Nvidia and caused outages within its internal network, taking 1TB of schematics, driver and firmware code, documentation, and SDKs. Lapsus$ then leaked a 19GB archive of those files online. Lapsus$ also stole Nvidia's driver signing certificate, which can be used to sign malware so that it appears to come from a trusted vendor. Samsung's breach involved the threat actor stealing internal company data; customer data was left untouched.
The threat actor is believed to be based in Brazil due to its previous history with Brazil's Ministry of Health. Lapsus$'s goal is to steal as much data as it can and extort companies for money. How the group accomplishes this is a mystery. There is no evidence of the group using ransomware or data encryption to extort its victims, but the group has tried to recruit employees who work for the following companies: AT&T, Microsoft, Apple, EA, IBM, Claro, Telefonica, Atento, Teleperformance, OVH, and Locaweb. Their Telegram recruitment post stated that they are looking for an employee who can provide them with "a VPN or CITRIX to the network" for the listed companies. Lapsus$ is also interested in non-employees who happen to have access to a VPN or VDI at any of those companies.
If Okta is in fact compromised, this could have devastating consequences for the companies, government agencies, and universities that depend on Okta for user access to internal systems, since an attacker with control of the identity provider could act within the applications that trust it. Okta maintained in an updated official statement that Okta has not been breached, remains fully operational, and that there are "no corrective actions that need to be taken by our customers."
At this time, there are no known IoCs associated with Lapsus$. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.
Red Canary/Knoll – March 2022 - "On March 22, an adversary known as Lapsus$ posted screenshots to Telegram claiming to have compromised systems used by Okta, a widely used identity verification platform. According to a screenshot published by researchers, Lapsus$ claimed…"