
A relatively new entrant to the ransomware scene has made two startling claims in recent days by posting images that appear to show proprietary data the group says it stole from Microsoft and Okta, a single sign-on provider with 15,000 customers.

The Lapsus$ group, which first appeared three months ago, said on its Telegram channel that it gained privileged access to some of Okta's proprietary data. Okta allows employees to use a single account to log into multiple services for their employer.

Gaining “Superuser” status

The Telegram post stated that the group did not access any data from Okta.

The data appears to be linked to a hack that happened two months ago, according to Todd McKinnon, who explained:

In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.

— Todd McKinnon (@toddmckinnon) March 22, 2022

Okta Chief Security Officer David Bradbury said in a post that the company's service had not been breached. The January compromise attempt was unsuccessful, and Okta retained a forensics firm to investigate.

There was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer's laptop.


The post continued:

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users or download customer databases. Support engineers do have access to limited data—for example, Jira tickets and lists of users—that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

Lapsus$ immediately responded to the Okta post by calling the claims lies.

The group's post said it was still unsure how the attempt could be called unsuccessful.

The potential impact to Okta customers is not limited; I am pretty certain that resetting passwords and MFA would result in complete compromise of many clients' systems.

Lapsus$'s Monday evening post was accompanied by eight pictures. One showed a person logged into the dashboard of a network that uses Okta services. Another showed a password change for an individual user.

Matthew Prince, founder and CEO of Cloudflare, responded several hours later that Okta is merely an identity provider for Cloudflare. “Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option,” he wrote.

Prince said that Cloudflare was resetting the Okta credentials of employees who had changed their passwords in the past four months. “Given they may have an issue we’re evaluating alternatives for that layer,” he added.


We are aware that @Okta may have been compromised. There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.

— Matthew Prince 🌥 (@eastdakota) March 22, 2022

We are resetting the @Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution. We’ve confirmed no compromise. Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.

— Matthew Prince 🌥 (@eastdakota) March 22, 2022

This account of the investigation was published by Cloudflare.
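The two response steps described above can be driven from an identity provider's own audit log: first, surface password or MFA-factor resets performed by someone other than the account owner (the kind of action the Okta post says support engineers can facilitate), and second, list every user whose password changed inside a look-back window so their credentials can be reset, as Cloudflare described doing for a four-month window. The following script is an added example, not Okta's or Cloudflare's code. The event-type strings and the record layout are assumptions loosely modelled on the shape of Okta System Log exports, and the log lines are constructed sample data.

```python
"""Triage helper: flag third-party password/MFA resets and list users whose
password changed inside a look-back window.

Added example, not code from Okta or Cloudflare. Event-type names and the
record layout are assumptions; the sample log below is constructed.
"""
import json
from datetime import datetime, timedelta

# Assumed event-type names; check the real names in your own tenant's log.
SELF_PASSWORD_CHANGE = "user.account.update_password"
ADMIN_PASSWORD_RESET = "user.account.reset_password"
RESET_EVENTS = {
    ADMIN_PASSWORD_RESET,
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}
LOOKBACK = timedelta(days=120)  # "last 4 months", approximated as 120 days

# Constructed sample records, one JSON object per line (assumed layout).
SAMPLE_LOG = """
{"published":"2022-01-10T09:00:00Z","eventType":"user.account.update_password","actor":{"alternateId":"alice@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}]}
{"published":"2022-01-18T14:22:05Z","eventType":"user.account.reset_password","actor":{"alternateId":"support-eng@example-subprocessor.com"},"target":[{"type":"User","alternateId":"bob@example.com"}]}
{"published":"2022-01-18T14:23:40Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"support-eng@example-subprocessor.com"},"target":[{"type":"User","alternateId":"bob@example.com"}]}
{"published":"2021-10-01T08:00:00Z","eventType":"user.account.update_password","actor":{"alternateId":"carol@example.com"},"target":[{"type":"User","alternateId":"carol@example.com"}]}
{"published":"2022-03-01T11:30:00Z","eventType":"user.session.start","actor":{"alternateId":"dave@example.com"},"target":[]}
{"published":"2022-03-15T16:45:00Z","eventType":"user.mfa.factor.deactivate","actor":{"alternateId":"dave@example.com"},"target":[{"type":"User","alternateId":"dave@example.com"}]}
"""


def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def user_targets(event):
    """Return the alternateIds of the User-type targets of an event."""
    return [t["alternateId"] for t in event.get("target", []) if t.get("type") == "User"]


def third_party_resets(events):
    """Password/MFA resets where the actor is not the affected user.

    Self-service resets are excluded, so what remains are resets performed by
    an administrator or support account on someone else's behalf. Each hit is
    (published, actor, target, eventType).
    """
    hits = []
    for ev in events:
        if ev.get("eventType") not in RESET_EVENTS:
            continue
        actor = ev.get("actor", {}).get("alternateId")
        for target in user_targets(ev):
            if target != actor:
                hits.append((ev["published"], actor, target, ev["eventType"]))
    return hits


def users_to_reset(events, as_of_iso):
    """Users whose password changed (self-service or reset) within LOOKBACK
    before `as_of_iso`; these are the accounts to re-credential."""
    as_of = parse_ts(as_of_iso)
    cutoff = as_of - LOOKBACK
    users = set()
    for ev in events:
        if ev.get("eventType") not in {SELF_PASSWORD_CHANGE, ADMIN_PASSWORD_RESET}:
            continue
        if cutoff <= parse_ts(ev["published"]) <= as_of:
            users.update(user_targets(ev))
    return sorted(users)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in third_party_resets(evs):
        print("third-party reset:", *hit)
    print("reset credentials for:", users_to_reset(evs, "2022-03-22T00:00:00Z"))
```

On the constructed log the first query surfaces only the two resets performed against bob's account by the support account, while dave's self-initiated factor deactivation is left out; the second query returns alice and bob (carol's change falls outside the 120-day window, and dave never changed his password in the sample). On a real export the same two queries run unchanged once the event-type constants are set to the tenant's actual names.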

The Lapsus$ post shows a list of Okta's chat channels, an internal Okta system, and some of the apps available to Okta employees.

FedRAMP is a program that certifies that cloud-based services meet minimum security requirements.

In a Monday Telegram post, gang members wrote that the security measures were poor for a service that powers authentication systems.

Microsoft

The same Telegram channel posted images to support Lapsus$'s claim that it had breached Microsoft. The post was later removed, but not before a security researcher documented it.