Okta Breach by LAPSUS$ Attackers
The infamous attacker group Lapsus$ has recently released numerous screenshots in its Telegram channel claiming to have gained access to Okta’s “Super Admin” and systems and claims that it found Okta storing AWS keys in Slack channels.
“What we know is a drop, what we don’t know is an ocean”
The infamous attacker group Lapsus$ has recently released numerous screenshots in its Telegram channel claiming to have invaded Okta’s internal applications, associated Jira accounts, slack channels, Splunk, RingCentral, Salesforce, and an internally-built application called SuperUser. Lapsus states to have gained access to Okta’s “Super Admin” and systems, and claims that it found Okta storing AWS keys in Slack channels.
What is Okta?
Okta is an identity and access management platform that provides a secure identity cloud to let users log into a variety of systems using one centralized process. In a broader term, Okta helps in connecting any person with any application on any device.
A Little about LAPSUS$
LAPSUS$ is the new cybercrime group that first emerged in July 2021. In recent months, it has been on a hacking binge targeting a good bunch of companies notably Impresa, Brazil’s Ministry of Health, Claro, Embratel, NVIDIA, Samsung, Mercado Libre, Vodafone, Microsoft and most recently Ubisoft.
The motto of the Lapsus$ seems to be beseeching ransom payments, with threats to leak stolen information if its extortion demands aren’t met. Okta falls as one of the recent victims of Lapsus$.
Contrary to their ransomware threats, in terms of the Okta breach, Lapsus$ had only focused on leaking the stolen customer data.
What led to the breach?
In January 2022, Okta had detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider.
The hackers had compromised Okta’s systems over a five-day window between January 16-21, 2022, by gaining remote access to a machine belonging to an employee of Sitel — a customer support company subcontracted to provide customer service functions for Okta. Using a remote desktop protocol (RDP), the hackers were able to input commands into the compromised machine and view the monitor output, enabling them to take screenshots.
The exploit methodology of how the attackers gained access to RDP is still unknown. The exploits could possibly be brute force attacks on RDP or phishing or an insider threat. The potential impact of the breach is said to have affected around 2.5% of Okta’s customers.
Okta customers are advised to change their respective Okta passwords and to attentively watch over access logs and log files.
General preventive measures to take
The following are the possible preventive measures to be taken into consideration,
- Maintain up-to-date security software
- Regular Tracking and analyzing the entrants of RDP ports
- Limit access to confidential data
- Enable 2FA to avoid brute force attacks
- Implement proper network segregation and monitor the traffic
- Conduct employee security awareness program
Mitigating cyber threats
Qualitest provides various cyber security services to mitigate cyber threats and data breaches. We follow a consistent approach of tracking the entire development process by instituting the security aspect at every stage and finding issues right away.
Our cyber security engineers can help your organization in leveraging the key security mechanisms thereby providing quality assurance.