Man pointing at virtual lock icon showing security breach of authentication services provider

Hacking Group Claims It Compromised Authentication Services Provider Okta; Causing Widespread Concern Over Security Breach

The hacking group LAPSUS$, which has attacked Microsoft and Nvidia among others during a recent spree, claims that it has compromised remote authentication services provider Okta.

Okta says that it is investigating the claim, but that screenshots the group posted of its internal systems likely came from a security breach in January that it says has already been resolved.

Potentially 15,000 organizations affected if authentication services company was breached

Okta has about 15,000 clients and provides authentication services for remote logins, usually for employees and students. The service is used by a variety of government agencies, major corporations and universities.

LAPSUS$ claimed on Telegram that it had broken into Okta’s internal systems, posting screenshots that purported to be evidence. Okta responded by saying a preliminary investigation shows no signs of “ongoing malicious activity” and that it believes the screenshots were taken during a security breach in January that the company has already addressed.

LAPSUS$ also claimed that it was not after Okta’s internal data, but rather looking to compromise its downstream customers. Some of these customers have taken basic precautions after seeing their names in the screenshots that LAPSUS$ posted. One of these is the content delivery and online security giant Cloudflare, which was prominently featured in one of the shots. Cloudflare CEO Matthew Prince said that his company has conducted its own preliminary investigation and seen no evidence of a security breach, but that the passwords of any employee that had been changed in the past four months were being reset as a precaution. FedEx also appeared in a screenshot, and the company said that it has yet to find evidence of an internal security breach.

If Okta is correct about the screenshots originating from the January incident, the source of the security breach was reportedly a third-party customer-support engineer working for a subprocessor. Okta says that the subprocessor has already investigated and contained that issue. The January attack was also apparently an instance of the use of the highly publicized Log4j vulnerability. The company indicated that its authentication services were largely not impacted by this breach, which it says was limited only to the abilities of a customer support engineer to access the system, and that customers did not need to take any action in response if they had not been directly contacted by Okta.

Okta claims that these support engineers are unable to access customer data, or edit users in client accounts (such as creating or deleting accounts). It says that these engineers are limited to resetting user passwords and MFA settings but do not have a way of accessing these things. Some remain unconvinced that the breach is that minimal, and are concerned that the authentication services provider is downplaying the potential damage. LAPSUS$ has countered on Telegram by claiming that it had admin/superuser status on Okta’s network for two months, had access to a thin client and that it found AWS keys stored in company Slack channels. Some of the screenshots also show customer data and an administrative panel, which would contradict Okta’s claim about the level of access.

Okta has also said that about 2.5% of its customers may have been impacted by the January security breach. Given about 15,000 clients, that would be about 375 firms in total. It is unclear as to who exactly may be impacted (save for the companies identified in the LAPSUS$ screenshots), but the firm’s authentication services are used by a number of very prominent clients: Fidelity National Financial, Moody’s, Siemens, T-Mobile, Hewlett-Packard, Bain and Company, JetBlue, GrubHub and Peloton among the bigger names.

Though it is not clear if Okta has accurately represented the security breach, its authentication services clients should certainly hope that it has given that LAPSUS$ issued a statement saying that it is “only” focusing on Okta clients at the moment.  Kevin Novak, Managing Director for Breakwater Solutions, notes that this puts these companies in a difficult position: “Of major concern to all is: “what then?”  If the Okta environment is compromised, companies can’t simply flip a switch and authenticate/authorize on a different platform.  These are embedded platforms that require time to swap … While some have made conjectures about whether this hack contributed to another breach here or there, it would seem that a full compromise of Oktas backend would have become far more obvious by now, but we’ll see more over the next few months.”

LAPSUS$ Group’s Streak of Security Breaches Lends Credence to Claim

LAPSUS$ is rapidly becoming one of the biggest names in the cyber criminal underworld after bursting onto the scene in late 2021. A recent breach confirmed by Microsoft seems to have netted the group some of the source code for Bing and Cortana, and another at LG resulted in the leak of hashes of employee and service accounts. This follows breaches of Nvidia, which resulted in the theft of a terabyte of sensitive corporate data, and an attack on Samsung that netted 190 GB of data containing private keys and source code.

While most of the major cyber crime groups usually come out of Russia or somewhere nearby in Eastern Europe, LAPSUS$ is unusual in that security researchers believe the group is based somewhere in Latin America (with Brazil as the leading candidate). Its first major attack was on Impresa, one of the biggest media companies in Portugal.

Saryu Nayyar, CEO and Founder of Gurucul, expands on the lesson that companies should take from seeing the potential compromise of widely-used authentication services: “While customers are relying on vendors like Okta for Zero Trust and starting to implement SASE, this shows the need for more advanced security operations tools to ensure that threat actors aren’t abusing identity and access policies. Customers must incorporate advanced identity analytics, user behavior baselining and monitoring, and an extensive set of self-training machine learning models to detect and mitigate threats that are able to still evade these new security initiatives. CISOs must invest more in automation-focused Threat Detection, Investigation and Response (TDIR) solutions when it comes to quickly identifying threat actors that are extremely targeted and able to easily sneak through existing defenses.”

Oz Alashe, CEO of CybSafe, adds: “Potential breaches like this highlight the importance of making sure suppliers adhere to the same security principles if they wish to work with large global organisations … Organisations rely on third-party tools more than ever before. It’s not enough for businesses to only consider the security of their own internal systems. Data security must be a critical component of the due diligence process when selecting third party suppliers. Supply chains must be treated with the caution and care the threat merits.