Okta confirms investigation into alleged LAPSUS$ security breach

Getty Photographs

Cloud identification and obtain administration supplier Okta has confirmed that it can be investigating a probable breach immediately after the LAPSUS$ hacking team posted screenshots of what seems to be the back-finish of Okta’s programs.

Asserting the breach in the early several hours of Tuesday early morning, LAPSUS$ reported in its Telegram channel that it did not steal or accessibility any Okta databases and their focus was only on Okta’s consumers.

Okta’s CEO Todd McKinnon confirmed that the corporation started off an investigation right after it detected an endeavor to compromise the account of a 3rd party purchaser help engineer performing for one of [its] subprocessors”.

“The issue was investigated and contained by the subprocessor,” McKinnon mentioned. “We feel the screenshots shared online are related to this January occasion,” he additional. “Based on our investigation to day, there is no evidence of ongoing destructive action further than the exercise detected in January.”

IT Pro pressed Okta for further particulars but it did not supply any new information and facts in the statement it shared.

The date and timestamps seen in the screenshots provided by LAPSUS$ indicated the hackers were being within Okta’s atmosphere on 21 January 2022, aligning with the mention of “late January 2022” by McKinnon, which signifies Okta was knowledgeable of a critical breach endeavor and failed to notify shoppers for two months.

LAPSUS$ claimed it was equipped to realize superuser/admin access to the Okta “and many other systems”. 

“For a assistance that powers authentication methods to a lot of of the largest firms, and FEDRAMP-authorised, I think these security measures are rather lousy,” stated the group.

LAPSUS$ exhibiting user account regulate privileges, sensitive details redacted

IT Pro

One particular of the visuals posted by LAPSUS$ appeared to present the hackers had been ready to reset consumer passwords for employee passwords. The account shown in the graphic belonged to a Cloudflare employee, a getting which suggests that hackers may well have attained obtain to the Cloudflare tenant, according to Bill Demirkapi, offensive security at Zoom. 

Cloudflare co-founder and CEO Matthew Prince was quick to downplay the influence on his organization, assuring shoppers that while Okta provided identity providers to Cloudflare, it was not a sole company of these solutions and there has not been a breach.

“We are conscious that Okta may well have been compromised,” he stated. “There is no proof that Cloudflare has been compromised. Okta is simply an identification supplier for Cloudflare. Fortunately, we have many layers of security past Okta, and would never ever look at them to be a standalone option.

Okta is named by Gartner as a Leader in its Magic Quadrant for entry management and has been for 5 yrs functioning. The business promises to be world’s number just one id platform and gives companies for much more than 15,000 consumers globally.

Okta delivers providers to enterprises including solitary indication-on (SSO), consumer authentication, and multi-factor authentication (MFA) – implementations that are routinely advisable to organizations for upholding solid security.

Screenshot of the Okta backend with entry to numerous purposes

IT Pro

On the web specialists and observers have raised inquiries over what LAPSUS$ could have accomplished with the amount of entry they experienced to Okta’s SSO products. 

Offensive security gurus speculated that if they experienced the stage of accessibility that authorized them to modify user accounts at Cloudflare, they would feasibly be ready to do the exact same with Okta’s other consumers.

They mentioned it could also be how LAPSUS$ has been ready to obtain so many companies’ resource code in modern months, and that they only ‘burned’ their Okta breach because of to getting rid of access to the system.

In latest weeks, LAPSUS$ has leaked source code from huge technology firms this kind of as Nvidia and Samsung. The team has also claimed to have received information from Vodafone, Impresa, and Mercado Libre.

Hours before on Tuesday morning, LAPSUS$ also leaked a torrent file allegedly containing resource code from Microsoft after the team to start with announced that it had effectively breached the tech huge on Sunday. 

LAPSUS$ claimed that the leak incorporates resource code for Bing, Bing Maps, and Cortana. A Microsoft spokesperson informed IT Pro on Monday that “we are knowledgeable of the promises and are investigating”.

“The potential attack on Okta is a placing reminder of the supply chain’s cyber risks,” said Oz Alashe, CEO at CybSafe and chair of the DCMS’ Marketplace Pro Advisory Group on cyber resilience to IT Pro. “Cyber criminals will usually establish the route of the very least resistance. An authentication instrument this kind of as Okta gives the opportunity to breach hundreds of big enterprises in one particular sweep. ​​​​​​”

Some areas of this article are sourced from:
www.itpro.co.uk