March 2022 Okta LAPSUS$ security incident


At 2:09pm on the 22nd of March 2022 (AEDT), the advanced persistent threat (APT) group “LAPSUS$” released screenshots and claims on the encrypted messaging app Telegram [1] that they had achieved superuser access to the Okta Cloud platform, as well as access to other internal systems including the Okta Atlassian suite and Okta Slack channels. The screenshots show the group’s access as a “superuser” in Okta’s own Okta instance, including the ability to reset users’ passwords; access to Cloudflare’s organisation within the Okta platform; an internal Jira ticket with Okta engineers commenting; and access to their Slack, listing multiple channels including some marked with Okta customers’ names such as Expedia, Horizon Pharma and DoorDash.

The screenshots also carried timestamps dating back to the 21st of January 2022, indicating the group potentially had access at least eight weeks earlier. LAPSUS$ stated their intention was not to target Okta but Okta’s customers. This breach is yet another example of a contemporary supply chain attack.

LAPSUS$ has been making headlines in recent weeks for breaches against large organisations including Nvidia, Samsung, Vodafone and Microsoft. Whilst some have dubbed them a ransomware group, their recent tactics focus on social engineering for extortion and the exfiltration of company data.

On the 11th of March, LAPSUS$ put out a recruitment call for insiders and current employees of their target industries to provide access to their employers’ environments. The group demonstrated poor operational security awareness on the 20th of March, when they posted about their Microsoft breach and subsequently removed the post. Based on the data later leaked in relation to this breach, it appeared LAPSUS$ were still performing exfiltration when they posted.

On the same day they announced their breach of Okta’s systems, LAPSUS$ provided a dump of LG employee and service account details, and leaked some of Microsoft’s source code behind Bing, Bing Maps and Cortana. Microsoft has confirmed that the group compromised a single account, which gave them limited access to Microsoft’s environment [2].

Okta responded 15 hours after the LAPSUS$ disclosure with a statement indicating that it had not been directly breached and that it was working to attribute the breach to access via a third-party contractor [3].

LAPSUS$ have since posted a response dismissing Okta’s version of events, implying their access was far greater than Okta suggested and hinting that AWS keys were found within Okta’s Slack channels.

The public response to Okta’s announcement predictably called for Okta to be held accountable for the breach, prompting an amendment 8 hours later stating that 2.5% of its customers were impacted and that a webinar would be held at 02:00 and 10:00 on Thursday 24 March (AEDT). Shortly after this, Okta’s Chief Security Officer provided a timeline of events, including their internal response to the breach [4].

In the afternoon and evening of the 22nd of March, Brace168 contacted its customers that use Okta for identity purposes. Brace168 continues to perform threat hunting and investigations to identify any anomalous behaviours.

For companies that do use Okta, Brace168 has recommended the following actions:

  • Reset user passwords and tokens that have been stored on the Okta Platform.
  • Retrieve all Okta logs from the last 90 days and store these appropriately.
  • Confirm that any new accounts or integrations created in the last 90 days are legitimate and expected.
  • Investigate any abnormal logins from VPNs or overseas addresses. LAPSUS$ are known to use VPNs when attacking targets so that their traffic appears to originate from the expected countries and evades geo-blocking.
  • Follow recommendations provided by Microsoft in [2] to improve Office 365 security posture and remain vigilant against other tactics and techniques used by the LAPSUS$ group.
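The three log-review items above (new accounts or integrations, credential resets, logins from unexpected countries), worked through in code. This is an added example, not Brace168’s tooling or anything from Okta: it triages constructed events whose shape mirrors Okta System Log records as assumed here (`eventType`, `actor`, `client.geographicalContext`, `outcome`, `target`); the eventType strings, account names and countries are assumptions, and the events are constructed sample data.

```python
# Added example: triage Okta System Log style events against the review items above.
from datetime import datetime, timezone

# eventType values assumed to match those Okta emits in its System Log.
NEW_OBJECT = {"user.lifecycle.create", "application.lifecycle.create", "system.api_token.create"}
CRED_RESET = {"user.account.reset_password", "user.account.update_password"}
LOGIN = {"user.session.start"}

def _ts(s):
    """Parse an ISO 8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def triage(events, expected_countries, since):
    """Return (reason, event) pairs for events published after `since` that need review."""
    findings = []
    for ev in events:
        if _ts(ev["published"]) < since:
            continue                      # outside the retrieved review window
        et = ev["eventType"]
        actor = ev["actor"]["alternateId"]
        country = ev.get("client", {}).get("geographicalContext", {}).get("country")
        targets = [t["alternateId"] for t in ev.get("target", [])]
        if et in NEW_OBJECT:
            findings.append(("new account/integration; confirm it is expected", ev))
        if et in CRED_RESET and actor not in targets:   # reset done by someone else
            findings.append((f"credential reset on {targets} by another account {actor}", ev))
        if et in LOGIN and ev["outcome"]["result"] == "SUCCESS" and country not in expected_countries:
            findings.append((f"successful login from {country}, outside expected countries", ev))
    return findings

# Constructed sample events (not real Okta data); shapes mirror System Log records.
SAMPLE = [
    {"published": "2022-01-21T03:15:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.test"}, "target": [],
     "client": {"geographicalContext": {"country": "Australia"}}, "outcome": {"result": "SUCCESS"}},
    {"published": "2022-01-21T03:20:00.000Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "support-contractor@example.test"},
     "target": [{"alternateId": "alice@example.test"}],
     "client": {"geographicalContext": {"country": "Australia"}}, "outcome": {"result": "SUCCESS"}},
    {"published": "2022-01-21T03:25:00.000Z", "eventType": "system.api_token.create",
     "actor": {"alternateId": "support-contractor@example.test"},
     "target": [{"alternateId": "api-token-1"}], "client": {}, "outcome": {"result": "SUCCESS"}},
    {"published": "2022-01-21T03:30:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "support-contractor@example.test"}, "target": [],
     "client": {"geographicalContext": {"country": "Brazil"}}, "outcome": {"result": "SUCCESS"}},
    {"published": "2021-12-01T00:00:00.000Z", "eventType": "application.lifecycle.create",
     "actor": {"alternateId": "admin@example.test"}, "target": [{"alternateId": "old-app"}],
     "client": {}, "outcome": {"result": "SUCCESS"}},
]

def run_sample():
    """Review the 90 days before 22 March 2022; returns the reasons found, in order."""
    since = datetime(2021, 12, 22, tzinfo=timezone.utc)
    return [reason for reason, _ in triage(SAMPLE, {"Australia"}, since)]
```

The event before the 90-day window is skipped; the contractor’s reset of another user’s password, the new API token and the login from outside the expected country are each flagged for follow-up.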

In its own response to this incident Brace168 has:

  • Confirmed it is not directly affected as it is not an Okta customer.
  • Assessed its supply chain and partners for exposure to the breach. Having previously documented its supply chain as part of its ISO27001 certification, Brace168 was able to accelerate this stage.
  • Continued to educate its customers, partners and suppliers about the impact and has suggested responses to such incidents.
  • Reviewed its Managed Detection and Response systems for indicators of compromise related to this incident within its internal and customers’ systems. Advanced persistent threats (APTs) often lie dormant in customer environments well past SaaS log retention periods (5-90 days). Brace168 recommends its customers always keep MDR logs for at least 12 months for forensic analysis of cyber incidents.

Brace168 continually provides Supply Chain Risk Management services as a component of its Managed Detection and Response service.

Please contact Brace168 to discuss this or any other cyber security priorities.

References:

[1] https://twitter.com/vxunderground/status/1506114493067186183
[2] https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
[3] https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/
[4] https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/
[5] https://www.okta.com/sites/default/files/2021-12/okta-security-privacy-documentation.pdf
[6] https://www.okta.com/blog/2018/02/what-you-need-to-know-about-saml-vulnerability-research/
[7] https://www.kb.cert.org/vuls/id/475445
