22 March 2022 at 17:17 UTC
Updated: 22 March 2022 at 21:32 UTC
Attackers purportedly said ‘focus was only on Okta customers’
Okta, the authentication and identity management giant, is investigating claims supposedly made by malicious hackers that they compromised its internal environment with the intention of targeting Okta customers.
LAPSUS$, a ransomware gang first identified in December 2021, has claimed to have achieved ‘superuser’ access to Okta.com, according to screenshots circulating on Twitter today (March 22).
“For a service that powers authentication systems to many of the largest corporations (and FedRAMP approved) I think these security measures are pretty poor,” reads a message shown in the screenshots.
“Before people start asking: we did not access/steal any databases from Okta – our focus was only on Okta customers,” it continued.
The screenshots also appear to show that the attackers had access to a raft of enterprise accounts, including Jira, AWS, Salesforce, Zoom, Google Workspace, and Confluence within the targeted environment.
San Francisco-based Okta provides Single Sign-On (SSO), multi-factor authentication (MFA), and related services for more than 15,000 customers.
‘No evidence of malicious activity’
Okta responded to LAPSUS$’ claims in a statement issued today:
“In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
Matthew Prince, CEO of Cloudflare, an Okta customer, tweeted earlier today: “We are resetting the @Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution. We’ve confirmed no compromise. Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.”
Shane Curran, CEO at data security firm Evervault, commented: “Okta currently has hundreds of millions of users and is preparing to scale users rapidly. If confirmed, this breach could wreak havoc on businesses worldwide that rely on the service to keep them safe and could prove to be a nightmare scenario for Okta and its customers.”
LAPSUS$ has been linked to damaging hacks of Ubisoft, Samsung, and Vodafone in recent weeks. On Monday the prolific group boasted of one of its biggest victims to date, alleging it had compromised Microsoft’s internal Azure DevOps server and subsequently leaked 37GB of stolen source code for several Microsoft projects.
As part of a wider trend, LAPSUS$ appears to favor extorting victims by threatening to publish stolen sensitive data rather than encrypting data and demanding payment in return for a decryption key.
These ransom demands became rather unconventional in the case of US chipmaker Nvidia, which the group reportedly tried to blackmail into removing mining hashrate limiters on certain graphics cards and open-sourcing its GPU drivers.
“Most of these attacks have targeted source code repositories allowing them to steal proprietary data,” Borja Rodriguez, threat hunting team lead at cybersecurity company Blueliv, commented.
“Even security researchers cannot specify which (if any) ransomware strains the group uses, or how they are breaching these companies. Some of them believe that they recruit employees or insiders that can give them access to any telecommunications companies, large software/gaming corporations, call centers or big server hosts; and also using phishing to gain initial access.”
The Daily Swig has contacted Okta for further comment. We will update this article should we receive a response.