Okta Admits Lapsus$ Attack Revealed Customer Data

Identity management-as-a-service platform Okta has admitted that an attack by the Lapsus$ hacking group exposed customer data. According to Microsoft, which was also hit, the gang managed to grab some of Microsoft's own source code as well.

Okta's chief security officer, David Bradbury, acknowledged the breach in a blog post, saying, “a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon.”

He did not say what data the attackers viewed. Because Okta's core service is single sign-on for thousands of cloud services, the possibility that customers' credentials or authenticated sessions were exposed to unknown parties cannot be discounted.

Okta says it has more than 15,000 customers, so if 2.5% were affected, roughly 375 organizations now have to determine whether every login and every action taken by an authenticated user was legitimate. That review covers sessions going back to January 16, the day on which, according to Okta, the attackers compromised a single laptop used by a support engineer working for one of Okta's suppliers.

In raw numbers, a single laptop and 375 customers does not sound like much. But Okta's client list includes Amazon.com, Apple, Microsoft, NTT, and McKesson, organizations that each employ tens or even hundreds of thousands of people. A list of 375 affected customers can therefore translate into a very large number of affected individuals.

Microsoft refers to the gang as “DEV-0537” and classifies it as “a cybercriminal actor motivated by theft and destruction.” The company has acknowledged its own incident and, describing the group's tactics, said the gang uses “phone-based social engineering: SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.”

Lapsus$ is known to recruit openly, advertising for hackers and paying insiders who leak credentials or otherwise facilitate attacks. The group targets virtual desktop infrastructure and has named Citrix as a vendor whose products it likes to go after. Microsoft's own Azure Active Directory is also on the Lapsus$ hit list, alongside Okta.

According to Microsoft, the gang carries out reconnaissance before an attack, collecting information about end users, team structures, help desks, crisis-response workflows, and supply-chain relationships.

Once the attack begins, victims may see a flood of multifactor authentication (MFA) prompts, or calls to the organization's help desk asking to reset a target's credentials. Once the attackers are able to authenticate, they deploy multiple malware packages, some of them installed on new VMs they create in the victim's preferred cloud. In another tactic, Lapsus$ creates a new super-admin account in the victim's cloud tenant and uses it to lock legitimate administrators out.
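The chain just described, a burst of MFA pushes followed by a successful sign-in and then a super-admin grant, leaves a recognisable trail in identity-provider logs. The detection below is an added example written for this page, not code from Okta, Microsoft, or the original article; the event type names (`mfa.push.sent`, `admin.privilege.grant`, and so on), the role labels, and the log lines themselves are constructed and simplified for illustration rather than any vendor's exact schema.

```python
"""Flag two Lapsus$-style signals in identity-provider audit events:

1. MFA push fatigue: many push challenges sent to one user in a short window.
2. Privilege escalation: a super-admin role granted to an account.

Then correlate the two to find users who were bombed and later handed out
super-admin rights, which is the full chain the article describes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field and event names are
# assumptions for this example, loosely modelled on an IdP system log.
SAMPLE_EVENTS = [
    # Six pushes to alice in just over three minutes: classic MFA bombing.
    {"ts": "2022-01-16T02:00:05Z", "type": "mfa.push.sent", "user": "alice@example.com", "ip": "203.0.113.7"},
    {"ts": "2022-01-16T02:00:40Z", "type": "mfa.push.sent", "user": "alice@example.com", "ip": "203.0.113.7"},
    {"ts": "2022-01-16T02:01:15Z", "type": "mfa.push.sent", "user": "alice@example.com", "ip": "203.0.113.7"},
    {"ts": "2022-01-16T02:01:50Z", "type": "mfa.push.sent", "user": "alice@example.com", "ip": "203.0.113.7"},
    {"ts": "2022-01-16T02:02:30Z", "type": "mfa.push.sent", "user": "alice@example.com", "ip": "203.0.113.7"},
    {"ts": "2022-01-16T02:03:10Z", "type": "mfa.push.sent", "user": "alice@example.com", "ip": "203.0.113.7"},
    # The victim eventually taps "approve" to make the prompts stop.
    {"ts": "2022-01-16T02:03:40Z", "type": "mfa.push.accepted", "user": "alice@example.com", "ip": "203.0.113.7"},
    # A single, normal push to bob: should not be flagged.
    {"ts": "2022-01-16T02:10:00Z", "type": "mfa.push.sent", "user": "bob@example.com", "ip": "198.51.100.4"},
    # The compromised session grants super-admin to a new account.
    {"ts": "2022-01-16T02:15:00Z", "type": "admin.privilege.grant", "user": "alice@example.com",
     "target": "svc-deploy@example.com", "role": "SUPER_ADMIN"},
    # A low-privilege grant by someone else: should not be flagged.
    {"ts": "2022-01-16T02:20:00Z", "type": "admin.privilege.grant", "user": "carol@example.com",
     "target": "intern@example.com", "role": "READ_ONLY_ADMIN"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=5)):
    """Return {user: max_pushes_in_window} for users who received at least
    `threshold` push challenges inside any sliding `window`."""
    pushes = defaultdict(list)
    for event in events:
        if event["type"] == "mfa.push.sent":
            pushes[event["user"]].append(parse_ts(event["ts"]))

    hits = {}
    for user, times in pushes.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the left edge forward until the window fits.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[user] = best
    return hits


def detect_superadmin_grants(events, privileged_roles=frozenset({"SUPER_ADMIN"})):
    """Return (actor, target, role) for every grant of a privileged role."""
    return [
        (event["user"], event["target"], event["role"])
        for event in events
        if event["type"] == "admin.privilege.grant" and event["role"] in privileged_roles
    ]


def correlate(events, **fatigue_kwargs):
    """Users who were MFA-bombed and then acted as the grantor of a
    super-admin role: the highest-confidence signal of the described chain."""
    bombed = detect_mfa_fatigue(events, **fatigue_kwargs)
    grants = detect_superadmin_grants(events)
    return sorted({actor for actor, _target, _role in grants if actor in bombed})


if __name__ == "__main__":
    print("MFA fatigue:", detect_mfa_fatigue(SAMPLE_EVENTS))
    print("Super-admin grants:", detect_superadmin_grants(SAMPLE_EVENTS))
    print("Bombed users who then granted super-admin:", correlate(SAMPLE_EVENTS))
```

The threshold and window are tunable; a value of five pushes in five minutes is a starting point, not a vendor recommendation, and a real deployment would also want to pivot on the source IP (here `203.0.113.7`) to find other accounts touched from the same place. The correlation step matters more than either detector alone: MFA fatigue on its own produces noise from users fumbling with their phones, and a super-admin grant on its own is often legitimate, but the same account appearing in both within a short span is exactly the sequence described above.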

Microsoft recommends that incident responders develop an out-of-band communication plan that can be used for several days while an investigation is under way. It should be kept somewhere Lapsus$ cannot reach, whether an air-gapped system or simply a bottom drawer.
