Overview

Okta Inc., an authentication company used by thousands of organizations across the world, is at the center of a potential data breach caused by the data extortion group Lapsus$. On March 21, 2022, the threat actor posted screenshots of the group’s operators inside Okta’s internal systems via Telegram. The screenshots also show Okta’s Slack channels, as well as another internal system with a Cloudflare interface.

The threat actors claim that they have had administrative access to Okta’s internal systems for two months. According to Okta’s public statement on the alleged breach, in late January 2022 Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of its sub-processors. Okta’s spokesperson, Chris Hollis, stated that the matter was investigated and contained.

Lapsus$ released a total of 8 photos on Telegram, which showed sensitive information and Okta user identities. However, despite the evidence, Okta does not believe that the current screenshots reflect a new incident, because there is no evidence of ongoing malicious activity after January’s attempted breach. The company believes that the screenshots relate to the January 2022 attempt, but cybersecurity researcher Bill Demirkapi believes that the published screenshots are credible. Other researchers also believe that the breach is real and have advised Okta customers to remain vigilant. More than 15,000 customers use Okta’s authentication platform.

Image 1: Screenshot of Lapsus$ Telegram Message (Source: Telegram)

In addition to Okta, Microsoft may have been hit by Lapsus$ as well. The threat actor claimed that they gained access to Microsoft’s internal systems on March 20, 2022, when they posted a screenshot of what appeared to be a Microsoft Azure DevOps account in their Telegram channel. Azure DevOps is a Microsoft product that allows developers to collaborate on projects. The screenshots have since been deleted, but they included images of internal projects, including Bing and Cortana source code, as well as WebXT compliance engineering projects. Lapsus$ stated that they had 90% of the source code for Bing and 45% of the code for Bing Maps and Cortana. Cybersecurity researcher Kevin Beaumont stated that Microsoft had multiple code signing certificates leaked as well. Microsoft stated that they are aware of the threat actors’ claims and are investigating the matter.

Lapsus$ is also taking responsibility for breaching Samsung, Ubisoft, Impresa, and Nvidia. In February 2022, Lapsus$ attacked Nvidia and caused outages within its internal network, taking 1TB of schematics, driver and firmware code, documentation, and SDKs, and later leaking a 19GB archive of those files online. Lapsus$ also stole Nvidia’s driver signing certificate, which can be used to sign malware. Samsung’s breach involved the threat actor stealing internal company data; customer data was left untouched.

The threat actor is believed to be based in Brazil due to their previous history with Brazil’s Ministry of Health. Lapsus$’ goal is to steal as much data as they can and extort companies for money. How they accomplish their goal is a mystery. There isn’t evidence of the group using ransomware or data encryption to extort their victims, but the group has tried to recruit employees who work for the following companies: AT&T, Microsoft, Apple, EA, IBM, Claro, Telefonica, Atento, Teleperformance, OVH, and Locaweb. Their Telegram recruitment post stated that they are looking for an employee who can provide them with “a VPN or CITRIX to the network” for the listed companies. Lapsus$ is also interested in non-employees who happen to have access to a VPN or VDI at any of those companies.

If Okta is in fact compromised, this could have devastating consequences for companies, government agencies, and universities that depend on Okta for user access to internal systems. Compromising Okta means that the threat actors can carry out malicious actions in Okta’s apps. Okta maintained in an updated official statement that Okta has not been breached, remains fully operational, and that there are “no corrective actions that need to be taken by our customers.”


How Avertium is Protecting Our Customers:

  • Avertium offers security consulting services to develop robust internal security policies.
  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.
  • Implement XDR as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions.

Avertium's recommendations

  • Because the status of Okta’s breach remains unclear, your organization should watch and safeguard all Okta logs, looking for anything that may be suspicious.
  • While investigating, disable the Okta support access to ensure threat actors are not granted super admin access.
  • Audit your inventory by reviewing third-party vendor and contractor account access and permissions.
  • Okta passwords should be changed immediately.
  • Okta will more than likely send out emails to their customers regarding the breach. Check your email frequently to stay informed.
  • Monitor your employees’ morale and intentions to reduce the risk of insider threats.
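As an added example that is not part of this notice and not an Avertium tool, the following Python script applies the first two recommendations to a constructed newline-delimited Okta System Log export: it flags Okta Support access being granted, Okta Support impersonation sessions, and admin role grants, and escalates an admin role granted by an actor shortly after that actor began impersonating. The event type names are assumed to match Okta’s System Log naming; the sample events, addresses and IPs are constructed.

```python
import json
from datetime import datetime

# Okta System Log event types to alert on while the status of the Okta breach is unclear. The event
# names are assumed to follow Okta's System Log naming; the sample export below is constructed.
WATCHED = {
    "user.session.impersonation.grant": "admin granted Okta Support access to the org",
    "user.session.impersonation.initiate": "Okta Support started impersonating a user",
    "user.account.privilege.grant": "a user was granted an admin role",
}

SAMPLE_LOG = r'''
{"eventType":"user.session.start","published":"2022-03-21T09:01:12Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"198.51.100.10"}}
{"eventType":"user.session.impersonation.grant","published":"2022-03-21T09:05:40Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"itadmin@example.com"},"target":[],"client":{"ipAddress":"198.51.100.10"}}
{"eventType":"user.session.impersonation.initiate","published":"2022-03-21T09:07:02Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support@okta.com"},"target":[{"alternateId":"bob@example.com"}],"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.account.privilege.grant","published":"2022-03-21T09:09:55Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support@okta.com"},"target":[{"alternateId":"bob@example.com"},{"displayName":"Super Organization Administrator"}],"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.session.impersonation.initiate","published":"2022-03-21T14:30:00Z","outcome":{"result":"FAILURE"},"actor":{"alternateId":"support@okta.com"},"target":[{"alternateId":"carol@example.com"}],"client":{"ipAddress":"203.0.113.7"}}
'''

def parse_events(raw):
    """Parse a newline-delimited System Log export (one JSON event per line)."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def flag_events(events):
    """One finding per successful watched event (the FAILURE impersonation attempt above is deliberately not escalated)."""
    findings = []
    for ev in events:
        etype = ev.get("eventType")
        if etype not in WATCHED or ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        targets = [t.get("alternateId") or t.get("displayName") for t in ev.get("target", [])]
        findings.append({"time": datetime.fromisoformat(ev["published"].replace("Z", "+00:00")),
                         "event": etype, "actor": ev.get("actor", {}).get("alternateId"),
                         "ip": ev.get("client", {}).get("ipAddress"), "targets": targets, "why": WATCHED[etype]})
    return findings

def privilege_grant_during_impersonation(findings, window_minutes=60):
    """Highest-signal pattern: an admin role granted by an actor within the window after that actor began impersonating."""
    starts = [f for f in findings if f["event"] == "user.session.impersonation.initiate"]
    return [f for f in findings if f["event"] == "user.account.privilege.grant"
            and any(s["actor"] == f["actor"] and 0 <= (f["time"] - s["time"]).total_seconds() <= window_minutes * 60
                    for s in starts)]

if __name__ == "__main__":
    found = flag_events(parse_events(SAMPLE_LOG))
    for f in found:
        print(f["time"].isoformat(), f["event"], "actor=" + str(f["actor"]), "ip=" + str(f["ip"]), f["targets"], "-", f["why"])
    for h in privilege_grant_during_impersonation(found):
        print("ALERT: admin role granted during an Okta Support impersonation session:", h["actor"], "->", h["targets"])
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the grant of Okta Support access by itadmin@example.com is the event the second recommendation is meant to prevent.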


INDICATORS OF COMPROMISE (IOCs):

At this time, there are no known IoCs associated with Lapsus$. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.


Supporting documentation

Updated Okta Statement on LAPSUS$ | Okta

Microsoft may have been hit by the same hackers who went after NVIDIA | Windows Central

Okta hack puts thousands of businesses on high alert - The Verge

Samsung Confirms Lapsus$ Ransomware Hit, Source Code Leak | Threatpost

https://twitter.com/toddmckinnon/status/1506184722786885633?s=20&t=slIQXTSQVCLAhVF6Sqg-pA

Kevin Beaumont on Twitter: "Microsoft has had multiple code signing certs leaked, not just source code." / Twitter

https://www.csoonline.com/article/3652694/nvidia-hackers-release-code-signing-certificates-that-malware-can-abuse.html

Okta Breach Mitigation and Updates - Security Boulevard

Okta breach: Authentication firm probes hacking claim from LAPSUS$ - CNN

Microsoft investigates Lapsus$ claim of Bing, Cortana theft • The Register

Okta Official Statement on LAPSUS$ Claims | Okta

Microsoft Investigating Claim of Breach by Extortion Gang (vice.com)

Authentication firm Okta probes report of digital breach | Reuters

Red Canary/Knoll – March 2022 - "On March 22, an adversary known as Lapsus$ posted screenshots to Telegram claiming to have compromised systems used by Okta, a widely used identity verification platform. According to a screenshot published by researchers, Lapsus$ claimed…"
