According to reports, authentication and Identity and Access Management (IAM) solutions provider Okta was breached by the Lapsus$ hacking group, which leaked a series of screenshots online as proof of its successful attack.
What do we know so far?
In their statement, the hackers wrote that they were focused on targeting Okta’s customers, taking control of superuser admin access that would allow them to make significant changes in customers’ apps.
These include changing passwords and even assuming roles without triggering alerts in Okta.
According to Okta’s CEO Todd McKinnon, this breach likely stems from an attack on a “third party customer support engineer” working with a subcontractor.
In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2)
— Todd McKinnon (@toddmckinnon) March 22, 2022
Why Does This Attack Matter?
Okta is one of the Big 3 identity providers, so a breach of Okta, if confirmed, represents the motherlode for attackers: by targeting Okta they target the SSO supply chain of every customer downstream.
By compromising Okta, the Lapsus$ crew can move on to Okta customers downstream and carry out malicious actions in their apps. We are still early in this story, but looking at the “evidence” provided by the attackers, it appears that they have the ability to cause significant damage should they choose to do so.
This alleged attack highlights the risk of relying on a single source of IAM truth because it can become a single point of failure.
Just as you wouldn’t have the same person in charge of making payments as the one who approves them, organizations need to add a layer that can validate what their identity management system is reporting.
Authentication and SSO tools play a crucial role in making us safer overall. But these are highly automated, centralized, and possibly even over-relied-upon systems that essentially hold the keys to our kingdoms. They are connected with nearly all of our systems, from HR to production to finance, and everything in between.
Given the stakes, we need to ask who is watching the trusted watchers? Are we putting validation protections in place to verify that all is right and well with our IAM?
Protecting our organizations means adding layers for defense in depth.
We are still learning the extent of the attack, but here are a couple of quick tips for increasing your ability to respond effectively.
1. Change Passwords
If you suspect that you may have been compromised, then get the word out to reset passwords.
We are aware that @Okta may have been compromised. There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.
— Matthew Prince 🌥 (@eastdakota) March 22, 2022
2. Check Your Email
Okta is probably sending out a steady stream of information to customers, so be sure to check your inbox and other communications channels with them regularly for the next few days (weeks?).
3. Watch the Logs
Dive into your logs and look for anything suspicious that might be worthy of launching a proper Incident Response op.
Compromised super admin access gives the attackers the ability to make plenty of changes in your system that might not set off alarm bells or notifications. More on this later, so stay tuned.
How Authomize Can Help
Operating with a Zero Trust approach means assuming that anyone and everything can be hacked, and we need to take the necessary steps to protect our organizations when core players like Okta are compromised.
Authomize’s Cloud IAM Security Platform performs continuous monitoring across all your identities, assets, and access privilege activities.
We provide visibility and control over not just the access you believe you have provisioned, but the true, validated state of how your privileges are being used, so we can alert on behavior that can be indicative of malicious activity.
Authomize is your next layer of protection.
We have visibility over both Okta’s federated users as well as unfederated identities within apps. This means that Authomize is not limited to or dependent on Okta for reliable data on identities and their activities.
Authomize Detects and Alerts on:
- Creation of new admins
- Connecting to new apps
- Users impersonating roles
- Suspicious access activity
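As an added illustration of the “Watch the Logs” tip and the detection categories listed above (not Authomize’s own code or Okta’s API), here is a small triage routine run over constructed Okta-System-Log-style events. The eventType strings follow Okta’s naming convention but are assumptions to verify against Okta’s System Log reference; the actor and target identities are made up.

```python
from collections import Counter

# Constructed sample events shaped like Okta System Log entries (assumption:
# field names eventType/actor/target/outcome follow Okta's log schema).
SAMPLE_EVENTS = [
    {"eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "target": []},
    {"eventType": "user.account.privilege.grant",            # new admin
     "actor": {"alternateId": "support-eng@vendor.example"},
     "target": [{"type": "User", "alternateId": "mallory@example.com"}]},
    {"eventType": "user.session.impersonation.initiate",    # impersonation
     "actor": {"alternateId": "support-eng@vendor.example"},
     "target": [{"type": "User", "alternateId": "cfo@example.com"}]},
    {"eventType": "user.account.reset_password",            # credential change
     "actor": {"alternateId": "support-eng@vendor.example"},
     "target": [{"type": "User", "alternateId": "cfo@example.com"}]},
    {"eventType": "application.user_membership.add",        # new app connection
     "actor": {"alternateId": "alice@example.com"},
     "target": [{"type": "AppUser", "alternateId": "alice@example.com"},
                {"type": "AppInstance", "displayName": "Payroll"}]},
]

# Event types mapped onto the categories above: admin creation, app
# connections, role impersonation, and credential/access changes.
WATCHLIST = {
    "user.account.privilege.grant": "admin privilege granted",
    "application.user_membership.add": "user connected to app",
    "user.session.impersonation.initiate": "impersonation session started",
    "user.account.reset_password": "password reset by another actor",
    "user.mfa.factor.reset_all": "all MFA factors reset",
}

def triage(events, trusted_actors=frozenset()):
    """Return one alert per watchlisted event whose actor is not trusted."""
    alerts = []
    for ev in events:
        reason = WATCHLIST.get(ev.get("eventType"))
        actor = ev.get("actor", {}).get("alternateId", "?")
        if reason is None or actor in trusted_actors:
            continue
        targets = [t.get("alternateId") or t.get("displayName")
                   for t in ev.get("target", [])]
        alerts.append({"actor": actor, "reason": reason, "targets": targets})
    return alerts

def actors_by_alert_count(alerts):
    """Rank actors so one external account touching many identities stands out."""
    return Counter(a["actor"] for a in alerts).most_common()

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, trusted_actors={"alice@example.com"}):
        print(a)
```

Feeding real System Log exports through the same routine, with your own admins in trusted_actors, leaves exactly the kind of support-account activity the post warns about at the top of the ranking.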
Along with our continuous monitoring and alerting, Authomize serves as a logging solution for your IAM and is the right starting point for conducting forensic investigation.
In response to this suspected incident, Authomize’s research team was able to look into our activity logs for our customers and search for suspicious activity that could indicate that an attacker may have carried out changes or impersonated another identity.
Looking at InfoSec Twitter today, you could be excused for thinking that Okta was the only one having a bad day. Well, Okta and anyone in InfoSec that deals with IAM.
But lost in the noise was the fact that the Lapsus$ crew also dropped data belonging to Microsoft’s Bing and Korean electronics giant LG.
so how is everyone’s tuesday going? pic.twitter.com/4DoqWxRNWI
— Mick Baccio (@nohackme) March 22, 2022
But the fact that multinational companies barely get a mention in the coverage is hardly the weirdest aspect of this story.
We’ve got questions.
- What caused this eclectic hacking group to burn their sweet, sweet access into what must be a massive list of Okta’s customers?
- Were they trying to extort Okta? Okta’s customers? Both? What went wrong in the deal that they decided to burn the house down?
This is a weird group. Not a classic ransomware crew, they normally opt to hack and then extort after exfiltration. And they’ve been on a roll after hitting NVIDIA and Samsung in short order.
With elements that are part hacktivist and a lot criminal, they love to s**t post and do strange things like demand that NVIDIA remove restrictions on cryptomining from its products.
Are they an off-brand tribe of hackers or a state-run team pretending to be something less than they are?
If this story ends up having legs and getting verified, then hopefully we’ll get some details on how Lapsus$ (allegedly) popped the Okta contractor.
We will continue to follow this story and issue technical reports as well as actionable tips for mitigating the potential impacts of this attack.
To learn more about how Authomize can protect your organization, schedule a meeting with us.