UPDATED Okta, the authentication and identity management behemoth, is looking into reports that rogue hackers broke into its internal network with the objective of harming Okta clients.

According to screenshots circulating on Twitter today, LAPSUS$, a ransomware gang originally reported in December 2021, has claimed to have gained’superuser’ access to Okta.com (March 22).

“I think these security measures are quite weak for a service that runs authentication systems for many of the top organisations (and is FedRAMP authorised),” reads a message among the screenshots.

“Before anyone asks, no, we did not access/steal any databases from Okta — our emphasis was solely on Okta customers,” the statement added.

The screenshots also appear to suggest that the attackers had access to a number of corporate accounts within the targeted environment, including Jira, AWS, Salesforce, Zoom, Google Workspace, and Confluence.

Okta, situated in San Francisco, offers more than 15,000 customers single sign-on (SSO), multi-factor authentication (MFA), and related services.

‘Time Window’ is a phrase used to describe a period of time.
In a statement released on Tuesday (March 22), Okta said it suspected the screenshots were related to an effort “to hack the account of a third party customer support engineer working for one of our subprocessors,” which was discovered in January “.. It went on to say that the situation had been contained and that it had witnessed “Beyond the behaviour observed in January, there is no sign of continued malicious activity.”

Later that day, Okta CSO David Bradbury released a statement admitting that “about 2.5 percent” of Okta’s customers “may have been impacted and whose data may have been seen or acted upon.”

Okta had notified those consumers, but they didn’t need to take any “corrective activities,” he added.

A forensics firm’s assessment last week “highlighted that there was a five-day window of time from January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” Bradbury stated.

The attacker’s active Okta sessions had been terminated, and their account had been suspended, according to Bradbury.

He continued, “The possible impact on Okta customers is restricted to the access that support engineers have.” “These engineers can’t add or delete users, and they can’t retrieve client databases.”

“Support engineers have restricted access to the data depicted in the pictures, such as Jira tickets and user lists. Users’ passwords and multi-factor authentication factors can also be reset by support engineers, but they are unable to get those passwords.”

The Okta service, according to Bradbury, has “not been breached” and is “completely operational.”

“We are resetting the @Okta credentials of any employees who have changed their passwords in the last 4 months, out of abundance of caution,” Matthew Prince, CEO of Cloudflare, an Okta customer, tweeted earlier today. We’ve confirmed that there will be no compromise. Okta is one of the security layers. We’re looking at alternatives for that layer since they might have an issue.”

“Okta presently has hundreds of millions of users and is prepared to increase users rapidly,” said Shane Curran, CEO of data security firm Evervault. If proven, the breach could have disastrous consequences for organisations around the world who rely on Okta to keep them safe, and it could be a nightmare scenario for Okta and its clients.”

In recent weeks, the prolific gang LAPSUS$ has been tied to damaging breaches of Ubisoft, Samsung, and Vodafone. The prolific organisation boasted of one of its greatest victims to date on Monday, stating it had penetrated Microsoft’s internal Azure DevOps server and then exposed 37GB of stolen source code for various Microsoft projects.

Lapsus$ appears to prefer extorting victims based on threats to expose stolen sensitive material rather than encrypting data and demanding cash in exchange for a decryption key, which is part of a larger trend.

In the case of US chipmaker Nvidia, which was purportedly blackmailed into lifting mining hashrate limits on some graphics cards and open-sourcing its GPU drivers, the ransom demands were fairly unusual.

“Most of these assaults have targeted source code repositories, allowing them to steal confidential data,” said Borja Rodriguez of cybersecurity firm Blueliv.

“Even security researchers are unable to say which (if any) ransomware strains the gang employs or how they infiltrate these businesses.” Some of them believe they can acquire access to any telecoms firms, huge software/gaming corporations, call centres, or large server hosts by recruiting employees or insiders and utilising phishing to gain first access.”

Chat WhatsApp