After breaching NVIDIA and Samsung and stealing and leaking those companies’ propertary data, the Lapsus$ cyber extortion gang has announced that they have popped Microsoft and Okta.
Lapsus$ gang’s claims
If Lapsus$’s assertions prove to be true, this (previously) relatively unknown hacking group has quickly become another threat actor that big corporations have to worry about.
The gang has substantiated their claims by leaking torrents supposedly containing partial source code for Bing, Bing Maps, and Microsoft Cortana, as well as posting – a screenshot of an internal Microsoft Azure DevOps account – and that might be just the top of the iceberg.
They have also released screenshots from Okta’s internal systems, and said that they did not access any Okta databases, but focused on Okta customers.
Security researcher Bill Demirkapi noted that the dates on the screenshots point to the Okta breach happening in late January, and that judging by some of the screenshots, “LAPSUS$ appears to have gotten access to the Cloudflare tenant with the ability to reset employee passwords.”
Both companies have started an investigation to confirm or disprove they’ve been breached. Microsoft has yet to release any findings, but Okta CEO Todd McKinnon shared that in late January 2022, the company detected an attempt to compromise the account of a third party customer support engineer working for one of their subprocessors.
“The matter was investigated and contained by the subprocessor,” he stated. “We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
With the breaches still unconfirmed, it’s perhaps too early for the Okta’s many customers to panic, but some are proactive detection and preparation steps would not go amiss.
1. Share the information internally.
2. Collect and retain related logs.
3. Hunt logs for bad.
4. Rotate Okta privileged passwords.
5. Move on unless Okta reaches out to you that you are involved. Adjust DFIR to their context.
That’s about all you can do right now.
— Frank McGovern (@FrankMcG) March 22, 2022
Cloudflare has already moved:
We are resetting the @Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution. We’ve confirmed no compromise. Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.
— Matthew Prince 🌥 (@eastdakota) March 22, 2022
“The potential attack on Okta is a striking reminder of the supply chain’s cyber risks. An authentication tool such as Okta provides the opportunity to breach hundreds of large enterprises in one sweep,” commented Oz Alashe, CEO of CybSafe and Chair of the UK government’s DCMS Industry Expert Advisory Group on cyber resilience.
“Potential breaches like this highlight the importance of making sure suppliers adhere to the same security principles if they wish to work with large global organisations. Data security must be a critical component of the due diligence process when selecting third party suppliers. Supply chains must be treated with the caution and care the threat merits.”
He also noted that “While Okta’s investigation is ongoing, it’s important the security community doesn’t jump to conclusions and harass its security team at this challenging time.”
UPDATE (March 23, 2021, 04:45 a.m. PT):
Lapsus$ gang’s claims have been (partly) validated by Okta and Microsoft.