Okta admits Lapsus$ attack revealed customer data

Identity management as-a-service platform Okta has admitted that the Lapsus$ extortion gang managed to see some of its customers’ data, and Microsoft has admitted the gang got its grubby paws on some source code.

An updated post detailing Okta’s response to news of an attack on the service sees chief security officer David Bradbury admit “a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon.”

Bradbury has not described the data that may have been viewed, but as Okta’s core service is single sign-on for thousands of cloud services, the possibility that customers’ credentials have leaked to unknown parties cannot be discounted.

Lapsus$ gathers intimate knowledge about end-users and their crisis response workflows

Okta claims to have more than 15,000 customers, so if 2.5 per cent have been compromised that could be 375 organisations that now need to determine if all logons to their preferred clouds – and the actions taken by authenticated users – were legitimate and/or innocuous. Those investigations need to consider sessions since January 16 – the date Okta named in previous statements as the day on which attackers compromised a single laptop used by a support engineer working for one of Okta’s suppliers.

A single laptop and 375 customers aren’t enormous numbers, but Okta customers like Apple, Microsoft, NTT, and McKesson employ tens or even hundreds of thousands of people. Those 375 compromised customers could translate to many, many more individual compromises.

Microsoft, thankfully, has revealed that while Lapsus$ did indeed manage to see some of its source code – as the gang claimed earlier this week – just one Microsoft account was compromised, and that one offered “limited access” to source code.

The software giant’s post in which that admission was made also offered a detailed description of how Lapsus$ goes about its nasty business.

Microsoft prefers to refer to the gang as “DEV-0537” and classifies it as “a cybercriminal actor motivated by theft and destruction.”

In Microsoft’s estimation, the gang uses “phone-based social engineering: SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.” Lapsus$ also advertises for staff and offers to pay insiders who leak credentials or otherwise facilitate attacks.

The gang targets virtual desktop infrastructure and has named Citrix as a vendor whose wares it likes to target. Microsoft’s own Azure Active Directory is also on the Lapsus$ hit list – along with Okta.

The gang does its research and gains what Microsoft described as “intimate knowledge about end-users, team structures, help desks, crisis response workflows, and supply chain relationships” before attacking.

Once the raids begin, victims may experience a flood of multifactor authentication (MFA) prompts or calls to the organization’s helpdesk to reset a target’s credentials. If successful, the gang deploys multiple malware packages – some installed in new VMs it creates on victims’ preferred clouds. Another tactic sees Lapsus$ create a new superadmin in victims’ cloud accounts, freezing out legitimate users.
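Two of the behaviours described above, the burst of MFA prompts and the appearance of a new superadmin shortly after a helpdesk credential reset, leave traces in identity-provider logs that a defender can alert on. The following is an added example, not code from The Register, Okta or Microsoft: it runs two simple detections over constructed sample events in a made-up, vendor-neutral schema (the field names `type`, `user`, `ts`, `role`, `actor` and the event-type strings are assumptions, not any real product's log format), flagging a user who receives five or more MFA challenges inside ten minutes, and a privileged role grant that lands within 24 hours of a helpdesk reset on the same account.

```python
"""Detection sketch for two Lapsus$-style behaviours in identity logs.

Added example; the event schema below is constructed for illustration and is
not any vendor's real log format.  Thresholds are tunable assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not real logs).
SAMPLE_EVENTS = [
    # alice: six MFA pushes in under three minutes, mostly denied -> prompt flood
    {"ts": "2022-01-16T08:00:00", "type": "mfa.challenge", "user": "alice", "result": "denied"},
    {"ts": "2022-01-16T08:00:30", "type": "mfa.challenge", "user": "alice", "result": "denied"},
    {"ts": "2022-01-16T08:01:00", "type": "mfa.challenge", "user": "alice", "result": "denied"},
    {"ts": "2022-01-16T08:01:30", "type": "mfa.challenge", "user": "alice", "result": "denied"},
    {"ts": "2022-01-16T08:02:00", "type": "mfa.challenge", "user": "alice", "result": "denied"},
    {"ts": "2022-01-16T08:02:30", "type": "mfa.challenge", "user": "alice", "result": "approved"},
    # bob: helpdesk reset followed 20 minutes later by a superadmin grant
    {"ts": "2022-01-16T09:00:00", "type": "helpdesk.credential_reset", "user": "bob", "actor": "helpdesk"},
    {"ts": "2022-01-16T09:05:00", "type": "mfa.challenge", "user": "bob", "result": "approved"},
    {"ts": "2022-01-16T09:20:00", "type": "role.granted", "user": "bob", "role": "super_admin", "actor": "bob"},
    {"ts": "2022-01-16T17:30:00", "type": "mfa.challenge", "user": "bob", "result": "approved"},
    # carol: privileged grant with no preceding reset -> not correlated, not flagged here
    {"ts": "2022-01-16T10:00:00", "type": "role.granted", "user": "carol", "role": "super_admin", "actor": "admin"},
    # dave: reset six days earlier, outside the correlation window
    {"ts": "2022-01-10T09:00:00", "type": "helpdesk.credential_reset", "user": "dave", "actor": "helpdesk"},
    {"ts": "2022-01-16T11:00:00", "type": "role.granted", "user": "dave", "role": "super_admin", "actor": "admin"},
]

# Roles treated as privileged for the correlation rule (assumed names).
PRIVILEGED_ROLES = {"super_admin", "org_admin"}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used by the sample schema."""
    return datetime.fromisoformat(value)


def detect_mfa_flood(events, threshold=5, window=timedelta(minutes=10)):
    """Return the set of users who received >= threshold MFA challenges within `window`.

    Uses a per-user sliding window over challenge timestamps, so a handful of
    legitimate prompts spread across a day does not trigger it.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "mfa.challenge":
            continue
        t = parse_ts(ev["ts"])
        q = recent[ev["user"]]
        q.append(t)
        while q and t - q[0] > window:   # drop challenges older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["user"])
    return flagged


def detect_reset_then_privilege(events, window=timedelta(hours=24)):
    """Return (user, role) pairs where a privileged role grant follows a helpdesk
    credential reset on the same account within `window`.

    A reset on its own is routine; a reset that is quickly followed by the account
    becoming a superadmin is the sequence worth a human look.
    """
    resets = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "helpdesk.credential_reset":
            resets[ev["user"]].append(parse_ts(ev["ts"]))
        elif ev["type"] == "role.granted" and ev.get("role") in PRIVILEGED_ROLES:
            t = parse_ts(ev["ts"])
            if any(timedelta(0) <= t - r <= window for r in resets[ev["user"]]):
                hits.append((ev["user"], ev["role"]))
    return hits


if __name__ == "__main__":
    print("MFA prompt flood:", sorted(detect_mfa_flood(SAMPLE_EVENTS)))
    print("Reset -> privileged grant:", detect_reset_then_privilege(SAMPLE_EVENTS))
```

On the sample data the first rule flags `alice` and the second returns `bob` with `super_admin`; `carol` and `dave` are left alone because the grant has no recent reset to correlate with. In a real deployment the second rule is the more useful of the two, since a helpdesk reset followed by privilege escalation is exactly the hand-off the article describes, and it produces far fewer alerts than raw MFA-denial counts.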

Because Lapsus$ monitors victims’ internal communications, Microsoft recommends development of an out-of-band communication plan for incident responders “that is usable for multiple days while an investigation occurs.” The software colossus suggests that be kept somewhere Lapsus$ will not be able to access – presumably in air-gapped systems or a bottom drawer. ®