A late January 2022 security incident at Okta that its executives only a day ago described as an unsuccessful attempt to compromise the account of a third-party support engineer potentially affected 366 of its customers, the company has now admitted.
An analysis that Okta conducted shows that attackers potentially were able to view or act upon data belonging to these customers, the authentication provider’s chief security officer David Bradbury said in a statement late Tuesday evening. In a follow-up conference call Wednesday morning, however, Bradbury reiterated that there was no need for the affected organizations to take remediation measures because the third-party engineer’s access to its systems had been “highly constrained.”
“I want to repeat that, as a result of the constrained access provided, and our exhaustive analysis of actions performed during that period, we are of the opinion that no corrective actions need to be taken by our customers,” Bradbury said. “Now while it’s not a necessary step for our customers to take, we fully expect that you may want to complete your own analysis.”
An online extortion group calling itself Lapsus$ on Monday posted eight screenshots via its Telegram channel that the group claimed to have grabbed from internal systems at Okta back in January. The screenshots suggested the attackers managed to gain access to Okta customer support tickets in Jira, chat messages in Slack, and a back-end admin tool labeled “Superuser” for managing customers.
The release of the screenshots prompted considerable concern within the industry because Okta is one of the largest providers of identity authentication services in the world. Some 15,000 organizations — including some of the world’s largest companies and many government agencies — use Okta to control access to their applications and data.
Of particular issue is the screenshot suggesting that Lapsus$ had accessed a “Superuser” account at Okta — something that many assumed would have given the group the ability to manipulate Okta customer accounts. One screenshot, in fact, showed the attackers apparently having managed to gain access to Okta customer Cloudflare’s environment.
No “God-Like” Access
Bradbury maintained that the Superuser account did not provide “god-like access” to all its users. “This is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles.” The account did not give users the ability to create or delete users, download customer databases, or access source code repositories, Bradbury said. He also similarly downplayed the significance of the access that Lapsus$ had to tools that Okta used internally, such as Jira and Slack.
According to Bradbury, the Okta screenshots that Lapsus$ posted online this week were obtained from a computer belonging to an engineer working for Sykes, a subsidiary of Sitel, a company that provides support services for Okta’s customers. The attacker obtained access to the device via Remote Desktop Protocol (RDP) while it was logged in to Okta. “So, while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session,” Bradbury said.
Okta first learned of the incident on Jan. 20, when its security team received an alert about a new multifactor authentication factor being added to a Sitel employee’s Okta account from a new location. The alert triggered a forensics investigation, which a day later ended with Okta terminating the Sitel employee’s Okta session and a suspension of the user’s account. Okta also shared its data with Sitel, which then hired a third-party firm of its own to investigate the incident. Bradbury said Okta received a summary report of the investigation from Sitel only on March 17. The report did not contain the screenshots that Lapsus$ posted online but showed the attacker had access to the Sitel environment for a five-day period, from Jan. 16 to Jan. 21
Eric Parizo, an analyst with Omdia, says that while the Okta incident may not be as wide-ranging as initially feared, it is another reminder of how interconnected the cybersecurity supply chain has become.
“For example, because Cloudflare uses Okta for internal authentication, the mere possibility of a compromise caused Cloudflare to reset the credential of any of its employees who changed their passwords in the past four months,” Parizo says, pointing to a comment from Cloudflare CEO Matthew Prince. Dozens of other organizations have likely done the same out of an abundance of caution, he notes. “There is certainly a cost to doing that both in terms of IT and security actions as well as potentially lost productivity for users.”
Microsoft Confirms Breach, Issues Warning on Lapsus$
Along with the Okta screenshots, Lapsus$ also simultaneously released another set of screenshots purporting to show source code that it had accessed from Microsoft related to the company’s Bing search engine, Cortana virtual assistant, and Bing Maps.
Microsoft late Tuesday confirmed the source code theft had resulted from a security breach but did not describe what had happened. “Our investigation found an account had been compromised, granting limited access,” a Microsoft spokeswoman said in an emailed statement. The company’s response team quickly remediated the compromised account to prevent further malicious activity, the company said. Microsoft added that it did not rely on the secrecy of code as a security measure and asserted that it didn’t consider viewing source code as tied to elevation of risk.
Microsoft’s threat intelligence team is currently tracking Lapsus$ as DEV-0537, an outfit that it described as a brazen cybercrime group using a “pure extortion and destruction model” to target organizations in multiple sectors, including government, healthcare, telecom, media, and retail. The group initially targeted organizations in Latin America and the UK, but it has now begun targeting organizations globally.
Microsoft said its analysis showed Lapsus$ to be using a combination of tricks to gain initial access to target networks. These included the use of the Redline password stealer to obtain passwords, purchasing session tokens and credentials from underground initial access brokers, and — most ominously — paying employees at targeted companies for access to credentials and multifactor authentication (MFA) approval. Microsoft’s blog contained an advertisement that Lapsus$ posted on its Telegram channel that showed the group is targeting employees at telecommunications firms, large software companies, call centers, and server hosting companies. Among the companies specifically mentioned in the ad are Microsoft, Apple, AT&T, IBM, and call-center/business process management firms such as Atento and Teleperformance.
Microsoft said it had observed instances where the group gained access to target organizations by recruiting their employees or employees working at third-party firms linked to the target. In these instances, the paid accomplice was asked to provide their credential and approve MFA requests, or to install remote management software such as AnyDesk on a corporate desktop.
In instances where Lapsus$ has gained privileged access to a target’s cloud environment in AWS or Azure, the attacker has created global admin accounts and capabilities for sending all mail in and out of the organization to an attacker-controlled account. It also has been observed removing all other global admin accounts, thereby acquiring sole control of the compromised organization’s cloud resources. Once it has exfiltrated data, Lapsus$ often has been observed deleting VMware, vSphere/ESX, and other systems and resources in the target organization’s on-premises and cloud environments, Microsoft said.
The social engineering and identity-centric tactics that Lapsus$ is using require detection and response processes that are like insider risk programs, Microsoft said.
Harder to Predict
Pratik Savla, senior security engineer at Venafi, says that Lapsus$’s recent expansion of targets across vertical and regions could be a deliberate attempt to make it harder for analysts to predict which organizations are most at risk. “This likely intentional move to keep everyone guessing because these tactics have been serving the attackers well so far.”
It is surprising that groups like Lapsus$ can unleash this level of disruption and chaos with relatively limited resources against the largest IT companies. “But at the same time,” Savla says, “the complexity of securing supply chains is a significant endeavor and even more so in cases of complex and disjointed environments.”