Okta, an authentication services provider, is investigating a potential customer data breach after the hacker group Lapsus$ posted screenshots on Tuesday, March 22 of what appeared to be Okta’s internal environment on Telegram.
Oh man, if this it what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy. pic.twitter.com/PY4dIzfwvM
— _MG_ (@_MG_) March 22, 2022
According to the Lapsus$ post, the group acquired superuser or admin access to Okta’s environment. The group included a screenshot of a hacker resetting the password for a Cloudflare Security Reliability Engineer to show their level of access.
Todd McKinnon, CEO of Okta, responded to the potential breach via Twitter, claiming that the incident was related to a contained breach in late January 2022.
In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2)
— Todd McKinnon (@toddmckinnon) March 22, 2022
“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” McKinnon tweeted.
Update 3/22/22 @ 3:30 PM ET: According to Okta, an attacker had access to a support engineer’s laptop between January 16-21, 2022. However, the company assured that it has not been breached and remains fully operational, and that Okta customers do not need to take any further actions.
What Is Lapsus$?
Lapsus$ is a hacking group known for extorting companies and leaking data. Over the last few months, they have released data from NVIDIA and Microsoft after attempting extortion. Lapsus$ has confirmed attacks against Samsung, Vodafone, Ubisoft and more high profile targets as well.
In many cases, Lapsus$ has been recruiting employees and insiders at companies to gain access into environments and steal data. This adds another layer of complexity for organizations in determining their attack surface exposures.
How Bad is This?
Okta has hundreds of thousands of users on their platform, including major enterprise customers such as JetBlue, T Mobile, FedEx, and Major League Baseball (MLB).
A confirmed breach could potentially compromise those customer accounts.
What Should I Do?
If you are running Okta, review your Okta system and audit logs for anomalous administrative actions and access within your environment. Shut off Okta support access if you previously enabled it to prevent third-party contractors from accessing your account, as seen in the Lapsus$ hack.
It’s also worth taking this opportunity to review third-party solutions that you are running in the cloud. A large company is not necessarily secure; it depends how that vendor allows your data to be accessed. Reach out to your customer success managers to determine if there is unnecessary access by third parties into your environments as was seen within the Okta hack.
The Importance of Logging
When a threat actor uses stolen credentials to breach your environment, having visibility into your environment is crucial. A security information and event management (SIEM) platform can correlate data, including data from authentication providers such as Okta, and alert on suspicious activity.
If a threat actor like Lapsus$ uses credentials to pivot into an environment, it’s important to look at endpoint logs to detect suspicious behavior — for example, downloading large amounts of data, logging in from infrequently used countries, or mass changing file permissions. A threat detection and response platform eliminates the need to look at raw logs and alerts you about suspicious behavior.
Retaining logs is especially important for incident response, allowing teams to go back and connect the dots to determine how an attacker infiltrated the environment and what systems are compromised.
Try Blumira For Free
Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.
Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.