
LAPSUS$ claims breach of MFA & Identity Titan OKTA. Okta denies severity of breach.

rcmaehl

Summary

The LAPSUS$ group has claimed a breach of the MFA Titan OKTA.

 

Quotes

Quote

Okta says an investigation into the screenshots appearing to show a data breach revealed they relate to a "contained" security incident that took place in January. The LAPSUS$ group posted screenshots on Telegram that the hackers claimed were taken after obtaining access to "Okta.com Superuser/Admin and various other systems." "For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor[...]," LAPSUS$ said. Okta said: "In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event." "Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January." Okta is a publicly-traded company with thousands of customers, including numerous technology vendors. The company accounts for FedEx, Moody's, T-Mobile, JetBlue, and ITV among its clients.

 

My thoughts

This is pretty big if true and OKTA's government certifications might be at risk. We'll see though as "no evidence" can simply mean "our logging sucks". Currently, it's too early to tell anything. Based on their high profile, I'm sure OKTA will be forced to produce a report within the coming weeks. The scope SHOULD hopefully be limited. Clients have to enable impersonation on their end for OKTA to do anything for them, which only lasts 8 hours.

 

Sources

CRN

ZDNet (quote source)

Gizmodo

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


Either Lapsus$ is making a lot of crap up, or there's a security flaw that every company has that we don't know about yet.

I'm wondering if Lapsus$ or another group is responsible for the services that took down basically everything Apple?

It seems they're still having problems - an iOS 15.0 OTA for iPhone 13 models is signed when it's not supposed to be, but instead of just unsigning it they pulled the OTA bundle.

elephants


41 minutes ago, FakeKGB said:

Either Lapsus$ is making a lot of crap up, or there's a security flaw that every company has that we don't know about yet.

An Okta breach could be that security flaw - if (and I have no evidence that this is the case) the other companies that they compromised were using Okta as their SSO, it's plausible (but pretty worrying) that someone with privileged access in Okta could have reset passwords, MFA, etc to gain access to the accounts of employees at the other affected companies, and compromised them that way. It's obviously just speculation for now, but it does seem plausible.

HTTP/2 203


24 minutes ago, colonel_mortis said:

An Okta breach could be that security flaw - if (and I have no evidence that this is the case) the other companies that they compromised were using Okta as their SSO, it's plausible (but pretty worrying) that someone with privileged access in Okta could have reset passwords, MFA, etc to gain access to the accounts of employees at the other affected companies, and compromised them that way. It's obviously just speculation for now, but it does seem plausible.

From what I'm hearing, the scope SHOULD be limited. The clients have to enable impersonation on their end for OKTA to do anything for them, which only lasts 8 hours.

 

https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US



 


5 hours ago, FakeKGB said:

Either Lapsus$ is making a lot of crap up, or there's a security flaw that every company has that we don't know about yet.

Third option is they're buying access from disgruntled employees or social engineering their way into poorly secured systems.


4 hours ago, colonel_mortis said:

it's plausible (but pretty worrying) that someone with privileged access in Okta could have reset passwords

They have posted job offers to be an inside man for them, so it's quite likely they are using this insider to gain knowledge of how everything works, then plan their attack by using this insider to give them access to account/s with some power.

It's not new... but the fact it's working means that the employees really don't like working there. Could be shitty pay, terrible work environment, asshole boss, ethical and/or moral issues with things that the company does, etc.

The last one is probably the type of person that LAPSUS$ goes for; I wouldn't be surprised if that turned out to be true.

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 


Statement from David Bradbury, CSO:
Updated Okta Statement on LAPSUS$ | Okta Australia

Quote

The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.

In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user's active Okta sessions and suspending the individual's account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.

Following the completion of the service provider's investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer's laptop. This is consistent with the screenshots that we became aware of yesterday.

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

We take our responsibility to protect and secure our customers' information very seriously. We are deeply committed to transparency and will communicate additional updates when available.
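rcmaehl's point about the customer-enabled, eight-hour support window and the capabilities Okta's statement lists (support can reset passwords and MFA factors but not read them) together suggest one check a tenant admin can run: review the System Log for support-impersonation sessions, for sessions that were never granted or outlived the window, and for credential resets performed inside them. The script below is an added example, not Okta's code or anything posted in this thread; it assumes the System Log event names and the simplified actor/target record shape shown, both of which should be verified against your own tenant's exports.

```python
from datetime import datetime, timedelta

# Event names follow Okta's System Log catalogue (assumption: verify against your tenant).
CUSTOMER_GRANT = "user.session.impersonation.grant"       # customer enabled support access
IMPERSONATION_START = "user.session.impersonation.initiate"
IMPERSONATION_END = "user.session.impersonation.end"
SENSITIVE = {"user.account.reset_password", "user.account.update_password",
             "user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
MAX_SESSION = timedelta(hours=8)  # the grant window the thread describes

def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def review(events):
    # Returns (severity, message) findings in time order.
    findings, grants, open_sessions = [], {}, {}
    for e in sorted(events, key=_ts):
        actor, et, when = e["actor"]["alternateId"], e["eventType"], _ts(e)
        org = e["target"][0]["alternateId"]
        stamp = f"{when:%Y-%m-%d %H:%M}"
        if et == CUSTOMER_GRANT:
            grants[org] = when                      # grant is valid for MAX_SESSION
        elif et == IMPERSONATION_START:
            if org not in grants or when - grants[org] > MAX_SESSION:
                findings.append(("high", f"{stamp} {actor} impersonated {org} with no valid customer grant"))
            open_sessions[actor] = (org, when)
        elif et == IMPERSONATION_END:
            open_sessions.pop(actor, None)
        elif et in SENSITIVE and actor in open_sessions:
            findings.append(("high", f"{stamp} {actor} ran {et} on {org} during support session for {open_sessions[actor][0]}"))
        for a, (o, started) in list(open_sessions.items()):   # sessions outliving the window
            if when - started > MAX_SESSION:
                findings.append(("medium", f"{stamp} session by {a} for {o} open more than 8h"))
                del open_sessions[a]
    return findings

def ev(ts, etype, actor, target):  # builds a minimal System Log record for the sample below
    return {"published": ts, "eventType": etype,
            "actor": {"alternateId": actor}, "target": [{"alternateId": target}]}

SUPPORT = "support@subprocessor.example"
SAMPLE = [  # constructed sample, modelled on the Jan 16-21, 2022 window in Okta's statement
    ev("2022-01-16T09:00:00Z", CUSTOMER_GRANT, "admin@customer-a.example", "customer-a.example"),
    ev("2022-01-16T09:30:00Z", IMPERSONATION_START, SUPPORT, "customer-a.example"),
    ev("2022-01-16T10:00:00Z", "user.mfa.factor.reset_all", SUPPORT, "jdoe@customer-a.example"),
    ev("2022-01-16T11:00:00Z", IMPERSONATION_END, SUPPORT, "customer-a.example"),
    ev("2022-01-19T02:00:00Z", IMPERSONATION_START, SUPPORT, "customer-b.example"),
    ev("2022-01-19T12:00:00Z", "user.session.start", SUPPORT, SUPPORT),
]
```

Running `review(SAMPLE)` flags the MFA reset inside the granted session, the ungranted session for customer-b, and that same session still open after more than eight hours; a real export would be the JSON from the System Log API rather than the constructed records above.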

 

 


8 hours ago, FakeKGB said:

Either Lapsus$ is making a lot of crap up, or there's a security flaw that every company has that we don't know about yet.

I'm wondering if Lapsus$ or another group is responsible for the services that took down basically everything Apple?

It seems they're still having problems - an iOS 15.0 OTA for iPhone 13 models is signed when it's not supposed to be, but instead of just unsigning it they pulled the OTA bundle.

Two possibilities: 1. The exploits came from a large overarching breach, or 2. We are watching a group (possibly government backed) flexing their muscles with an undisclosed exploit that has major far-reaching exploit properties across multiple types of systems. I'm honestly gonna put my tinfoil hat on and go with #2. Something that group is doing is working and I wouldn't be surprised if these are just some kinda test to see what their exploit can do.

