Attackers purportedly said ‘focus was only on Okta customers’

Okta investigates LAPSUS gang's compromise claims

UPDATED Okta, the authentication and identity management giant, is investigating claims supposedly made by malicious hackers that they compromised its internal environment with the intention of targeting Okta customers.

LAPSUS$, a ransomware gang first identified in December 2021, has claimed to have achieved ‘superuser’ access to, according to screenshots circulating on Twitter today (March 22).

“For a service that powers authentication systems to many of the largest corporations (and FedRAMP approved) I think these security measures are pretty poor,” reads a message shown in the screenshots.

“Before people start asking: we did not access/steal any databases from Okta – our focus was only on Okta customers,” it continued.

The screenshots also appear to show that the attackers had access to a raft of enterprise accounts, including Jira, AWS, Salesforce, Zoom, Google Workspace, and Confluence within the targeted environment.

San Francisco-based Okta provides Single Sign-On (SSO), multi-factor authentication (MFA), and related services for more than 15,000 customers.

‘Window of time’

Okta said in a statement issued on Tuesday (March 22) that it believed the screenshots were related to an attempt, detected in January, “to compromise the account of a third party customer support engineer working for one of our subprocessors". It added that the incident had been contained and it had seen "no evidence of ongoing malicious activity beyond the activity detected in January”.

However, later on the same day Okta CSO David Bradbury issued a further statement admitting that “approximately 2.5%” of Okta’s customers “have potentially been impacted and whose data may have been viewed or acted upon”.

Those customers were being alerted by Okta but did not need to take any “corrective actions”, he added.

A report provided by a forensics firm this week, Bradbury continued, had “highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop”.

Bradbury said the attacker’s active Okta sessions had since been terminated and their account suspended.

RELATED Nvidia hackers allegedly attempting to blackmail company into open-sourcing GPU drivers

“The potential impact to Okta customers is limited to the access that support engineers have,” he added. “These engineers are unable to create or delete users, or download customer databases.

“Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”

Bradbury said the Okta service had “not been breached and remains fully operational”.

Matthew Prince, CEO of Cloudflare, an Okta customer, tweeted earlier today: “We are resetting the @Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution. We’ve confirmed no compromise. Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.”

Shane Curran, CEO at data security firm Evervault, commented: “Okta currently has hundreds of millions of users and is preparing to scale users rapidly. If confirmed, this breach could wreak havoc on businesses worldwide that rely on the service to keep them safe and could prove to be a nightmare scenario for Okta and its customers.”

Prolific gang

LAPSUS$ has been linked to damaging hacks of Ubisoft, Samsung, and Vodafone in recent weeks. On Monday the prolific group boasted of one of its biggest victims to date, alleging it had compromised Microsoft’s internal Azure DevOps server and subsequently leaked 37GB of stolen source code for several Microsoft projects.

Part of a wider trend, Lapsus$ appears to favor extorting victims based on threats to publish stolen sensitive data rather than encrypting data and demanding payment in return for a decryption key.

These ransom demands became rather unconventional in the case of US chipmaker Nvidia, which it reportedly tried to blackmail into removing mining hashrate limiters on certain graphics cards and open-sourcing its GPU drivers.

“Most of these attacks have targeted source code repositories allowing them to steal proprietary data,” Borja Rodriguez, threat hunting team lead at cybersecurity company Blueliv commented.

“Even security researchers cannot specify which (if any) ransomware strains the group uses, or how they are breaching these companies. Some of them believe that they recruit employees or insiders that can give them access to any telecommunications companies, large software/gaming corporations, call centers or big server hosts; and also using phishing to gain initial access.”

This article was updated on March 23 to include a new statement issued by Okta over this incident.

SEE ALSO ‘Cybersecurity incident’ at Ubisoft disrupts operations, forces company-wide password reset