Okta confirms investigation into alleged Lapsus$ security breach
Cloud identity and access management provider Okta has confirmed that it’s investigating a potential breach after the Lapsus$ hacking group posted screenshots of what appears to be the back-end of Okta’s systems.
Announcing the breach in the early hours of Tuesday morning, Lapsus$ said in its Telegram channel that it did not steal or access any Okta databases and that its focus was solely on Okta’s customers.
Okta’s CEO Todd McKinnon confirmed that the company started an investigation after it detected “an attempt to compromise the account of a third-party customer support engineer working for one of [its] subprocessors”.
“The matter was investigated and contained by the subprocessor,” McKinnon said. “We believe the screenshots shared online are connected to this January event,” he added. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
The dates and timestamps seen in the screenshots provided by Lapsus$ indicated the hackers were inside Okta’s environment on 21 January 2022, aligning with the mention of “late January 2022” by McKinnon, which means Okta was aware of a serious breach attempt and failed to notify customers for two months.
Lapsus$ said it was able to achieve superuser/admin access to the Okta “and various other systems”.
“For a service that powers authentication systems to many of the largest corporations, and FEDRAMP-approved, I think these security measures are pretty poor,” said the group.
One of the images posted by Lapsus$ appeared to show that the hackers were able to reset passwords for employee accounts. The account shown in the image belonged to a Cloudflare employee, a finding that indicates the hackers may have gained access to the Cloudflare tenant, according to Bill Demirkapi, who works in offensive security at Zoom.
Cloudflare co-founder and CEO Matthew Prince was quick to downplay the impact on his company, assuring customers that although Okta provided identity services to Cloudflare, it was not a sole provider of such services and there has not been a breach.
“We are aware that Okta may have been compromised,” he said. “There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.”
Okta is named by Gartner as a leader in its Magic Quadrant for access management and has been for five years running. The company claims to be the world’s number one identity platform and provides services for more than 15,000 customers worldwide.
Okta offers services to businesses including single sign-on (SSO), user authentication, and multi-factor authentication (MFA) – implementations that are routinely recommended to businesses for upholding strong security.
Online experts and observers have raised questions over what Lapsus$ could have achieved with the level of access they had to Okta’s SSO product.
Offensive security experts speculated that if they had the level of access that allowed them to modify user accounts at Cloudflare, they would feasibly be able to do the same with Okta’s other customers.
They said it could also be how Lapsus$ has been able to access so many companies’ source code in recent weeks, and that they only ‘burned’ their Okta breach due to losing access to the platform.
In recent weeks, Lapsus$ has leaked source code from large technology companies such as Nvidia and Samsung. The group has also claimed to have obtained files from Vodafone, Impresa, and Mercado Libre.
Hours earlier on Tuesday morning, Lapsus$ also leaked a torrent file allegedly containing source code from Microsoft after the group first announced that it had successfully breached the tech giant on Sunday.
Lapsus$ claimed that the leak contains source code for Bing, Bing Maps, and Cortana. A Microsoft spokesperson told IT Pro on Monday that “we are aware of the claims and are investigating”.
© Future Publishing