The Lapsus$ extortion crew has turned its attention to identity platform Okta and published screenshots purportedly showing the group gaining access to the company’s internals.
The incident follows the group’s claim over the weekend that it had made off with chunks of Microsoft’s code. However, a compromise at Okta could be altogether more serious since the company’s services are used by many others to manage network and application access as well as user identities.
At first glance, it appears that the group gained access to a “superuser” account as well as other internal tools. Okta has yet to confirm this is the case.
Also concerning is the fact that the screenshots appear to come from January 2022, which could mean there has been access for a while. It could also be that some sort of compromise occurred briefly, and the hackers have chosen now to show off their prowess. Okta CEO Todd McKinnon reckoned it was the latter.
We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January. (2 of 2)
— Todd McKinnon (@toddmckinnon) March 22, 2022
Either way, if a breach occurred, the implications are grave. Oliver Pinson-Roxburgh, CEO of security outfit Bulletproof, warned: “As the gatekeeper to the networks and data of thousands of organizations, a breach at Okta would have significant consequences.”
“Even before the veracity of such an incident is confirmed,” he went on, “it is imperative for businesses to take proactive steps now – any delay risks the potential attack spreading.”
Oz Alashe, CEO of CybSafe and chair of the UK government’s DCMS Industry Expert Advisory Group on Cyber Resilience, said: “The potential attack on Okta is a striking reminder of the supply chain’s cyber risks. Cybercriminals will often identify the route of least resistance. An authentication tool such as Okta provides the opportunity to breach hundreds of large enterprises in one sweep.”
However, Alashe cautioned: “While Okta’s investigation is ongoing, it’s important the security community doesn’t jump to conclusions and harass its security team at this challenging time.”
That said, some companies were taking no chances. Cloudflare, which uses Okta as an identity provider, announced it would be resetting the Okta credentials of employees. Just in case.
We are resetting the @Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution. We’ve confirmed no compromise. Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.
— Matthew Prince 🌥 (@eastdakota) March 22, 2022
The Register contacted Okta for comment, but the company only repeated the tweeted comments of McKinnon.
While the investigation continues, lets take a moment to review Okta’s recent emissions from its social media orifice. We fervently hope that this one won’t end up in the “aged badly” bucket. ®
🌟 Okta Custom Admin Roles – now available for all customers!
Learn more about our updated admin experience that goes way beyond the industry standard, offering even more flexibility 🤸♀️ + security 🔐
Watch how it’s done👇 + learn more 👉 https://t.co/Wkh9ngt5aZ pic.twitter.com/K9X4a6fpdG
— Okta (@okta) March 21, 2022