
We recently wrote about a threat actor known as Lapsus$, which specializes in stealing data from large companies before trying to extort them. Now, it has announced a successful breach of Okta on March 22, 2022. Okta is a large company that provides authentication services for companies like FedEx and Moody’s to enable access to their networks.

The breach

Okta confirmed the breach and communicated about it via its website. It said that “the Okta service is fully operational, and there are no corrective actions our customers need to take.” According to computer forensics reports requested by Okta, the breach consisted of a five-day window between January 16 and 21, 2022, where an attacker had access to a support engineer’s laptop.

Those support engineers have limited access to data. They might, for example, access Jira tickets and lists of users and facilitate password resetting and multifactor authentication (MFA) for users without being able to obtain those passwords.

Little more is known about this breach right now, but the screenshots provided by the threat actor on its Telegram channel seem real.

What is the impact of this breach?

According to Okta, approximately 2.5% of its customers have potentially been impacted and might have had their data viewed or acted upon. Okta has already contacted those customers. Yet with more than 15,000 customers, according to its website, those affected still represent more than 300 customers.

Lapsus$ mentioned on its Telegram channel that it did not access/steal any databases from Okta, its focus being only on Okta customers (Figure A).

Figure A

Message left by the attackers on their Telegram channel. Source: Telegram

What is Lapsus$?

This threat actor is quite new and known for using a pure extortion and destruction model without any malware deployment. Its targeting is global, and it has already targeted organizations in technology, IT, telecom, media, retail, healthcare and government. Some of its best-known breaches included Nvidia, Samsung and Microsoft. It is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings, according to Microsoft.

Lapsus$ uses less common techniques, like offering to pay employees or partners of targeted entities to provide it with valid credentials and multifactor authentication (MFA) validation when needed (Figure B). It might also just buy access to organizations via initial access brokers.

Figure B

Lapsus$ looking for insiders to provide them with access. Source: Telegram

What should impacted Okta customers do?

In addition to communicating with Okta and determining whether it has seen any suspicious activity regarding their organization, customers with reason to believe they might be at risk should immediately check their access logs for the last few months (back to December 2021 at least, since the data breach probably began in January 2022) and look for users who have requested a password reset or changed their multifactor authentication method.

Once a list of those users is established, IT should force a password reset and inform the users about it. This way, if the attacker has already done a password reset and holds access, they will be unable to get the new password and will therefore not be able to access the system again. That is, of course, if the attacker has not already added backdoors or other content or tooling on the system to allow them to access it again.
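
One way to build that list of users from an exported Okta System Log, as an added example that is not part of the original article. It assumes the log was exported as one JSON event per line, watches an assumed set of Okta event types for password and MFA changes, and runs on constructed sample events.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Okta System Log event types for password resets and MFA changes (assumed set).
WATCHED = {
    "user.account.reset_password", "user.account.update_password",
    "user.mfa.factor.activate", "user.mfa.factor.deactivate",
    "user.mfa.factor.reset_all",
}
# Start of the review window: December 2021, as the article recommends.
WINDOW_START = datetime(2021, 12, 1, tzinfo=timezone.utc)

# Constructed sample events (not real data), one JSON object per line.
SAMPLE_LOG = """\
{"published":"2021-11-20T08:00:00.000Z","eventType":"user.account.reset_password","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"old@example.com"},"target":[{"type":"User","alternateId":"old@example.com"}]}
{"published":"2022-01-18T10:02:11.000Z","eventType":"user.account.reset_password","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}]}
{"published":"2022-01-18T10:05:40.000Z","eventType":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}]}
{"published":"2022-02-02T09:00:00.000Z","eventType":"user.account.update_password","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"}]}
{"published":"2022-01-19T12:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"target":[]}
"""

def users_to_review(lines, start=WINDOW_START):
    """Map each affected user to watched events published on or after `start`."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if when < start or ev.get("eventType") not in WATCHED:
            continue
        actor = ev.get("actor", {}).get("alternateId")
        result = ev.get("outcome", {}).get("result")
        for tgt in ev.get("target") or []:
            if tgt.get("type") != "User":
                continue  # skip non-user targets such as the factor itself
            user = tgt.get("alternateId")
            # A change made by another account (help desk, admin) deserves
            # a closer look than a self-service one.
            hits[user].append((ev["published"], ev["eventType"], result, actor != user))
    return dict(hits)

if __name__ == "__main__":
    for user, events in sorted(users_to_review(SAMPLE_LOG.splitlines()).items()):
        print(user)
        for published, event_type, result, by_other in events:
            print(f"  {published} {event_type} {result} by_other={by_other}")
```

The last field of each record marks changes performed by an account other than the affected user, which are the ones to prioritize during review.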

All users should also have multifactor authentication enabled. The most secure MFA method consists of using hardware keys/tokens. Other methods expose users to a greater risk of compromise, in particular via phishing campaigns or malware exploitation. Phone-based MFA might sound like a good method, but in fact it is not, being vulnerable to SIM swapping attacks.

VPN access should also be carefully checked and additional protection should be deployed on it if not done already. Tight conditional access policies on VPN should be enforced.

Finally, a full incident response process should be run as early as possible to determine if the system has been breached. It would also help find additional compromise components, if any, that would allow the attacker to come back to the system without authentication (Trojan or backdoor malware, for example).

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
