Okta, an identity and access management company whose cloud software manages and secures user authentication to applications, is investigating claims that customer data was breached. On Tuesday the Lapsus$ group posted screenshots it says were taken from Okta's internal systems; at least one of them appears to involve Cloudflare, an Okta customer.
The claim from Lapsus$, which has only recently become a prominent data-theft and extortion actor, is potentially serious because Okta provides single sign-on: one Okta login grants a user access to many of a customer's services, so a compromise at the identity provider can cascade into its customers' environments.
Lapsus$ recently carried out a widely reported attack on Nvidia, stealing the credentials of more than 71,000 Nvidia employees as well as source code whose leak could be damaging.
Okta said on Tuesday that the Lapsus$ claims relate to an earlier event in January.
“In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account.”
--Okta statement, March 22, 2022
The third-party provider's investigation was supported by a data forensics firm, which issued a report that Okta received this week.
“The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday,” Okta said in a statement.
“The potential impact to Okta customers is limited to the access that support engineers have,” the company added.
Lapsus$ challenges Okta comments
On its Telegram channel, Lapsus$ claimed to have had "Superuser/Admin" access to Okta's systems for two months, not just five days, according to a report in The Verge. Lapsus$ also said it "had access to a thin client rather than a laptop, and claims that it found Okta storing AWS keys in Slack channels," according to the report.
The hacker group made it clear that the target is Okta’s customers.
"BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA," the Lapsus$ Telegram post stated. "Our focus was ONLY on okta customers."
Okta has over 15,000 customers around the world, according to the Wall Street Journal, including Fedex, Moody’s, Peloton, T-Mobile, and Hewlett-Packard.
Lapsus$ went on to say (via Ars Technica):
"I'm STILL unsure how it's [an] unsuccessful attempt? Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn't successful?"
"The potential impact to Okta customers is NOT limited, I'm pretty certain resetting passwords and MFA would result in complete compromise of many clients systems."
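The capability Lapsus$ describes above, resetting a customer's passwords and MFA factors from a support portal, leaves a trail in the customer's own Okta System Log. The following is an added example, not code from the original article, from Okta or from Lapsus$, of the check a tenant admin would run over that log: it flags successful password or MFA-factor resets performed by a support actor and counts them per actor, since one actor resetting many users is the pattern to escalate. The record layout follows Okta's System Log API (eventType, actor, target, client, outcome, published); the sample log lines are constructed for this example, and the actor ids, e-mail addresses, IP addresses and the "support actor" matching rule are assumptions, not real Okta identifiers.

```python
"""
Flag Okta System Log events in which a support actor reset a user's password
or removed their MFA factors.

Added example; not code from the original article, from Okta or from Lapsus$.
SAMPLE_LOG_LINES are constructed. Actor ids, e-mail addresses, IP addresses
and the "support actor" matching rule are assumptions, not real identifiers.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Event types that change a credential or strip enrolled factors. A run of
# these from an actor the tenant's own admins do not recognise is what abuse
# of a support portal with reset rights would leave behind.
RESET_EVENT_TYPES = frozenset({
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
})

# Assumed actors (constructed for this example).
SUPPORT_ACTOR = {"type": "User", "alternateId": "support-portal@example.invalid",
                 "displayName": "Support Engineer"}
TENANT_ADMIN = {"type": "User", "alternateId": "it-admin@example.com",
                "displayName": "IT Admin"}


def _event(published, event_type, actor, target_user, result="SUCCESS", ip="203.0.113.10"):
    """Build one constructed System Log record as a JSON line."""
    return json.dumps({
        "published": published,
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": actor,
        "client": {"ipAddress": ip},
        "target": [{"type": "User", "alternateId": target_user}],
    })


# Constructed sample: five records, of which only the first two should fire.
SAMPLE_LOG_LINES = [
    _event("2022-01-17T09:12:03.000Z", "user.account.reset_password", SUPPORT_ACTOR, "alice@example.com"),
    _event("2022-01-17T09:13:41.000Z", "user.mfa.factor.reset_all", SUPPORT_ACTOR, "bob@example.com"),
    # the tenant's own admin, not support: expected activity
    _event("2022-01-17T10:02:15.000Z", "user.account.reset_password", TENANT_ADMIN, "carol@example.com"),
    # support actor, but the reset did not succeed
    _event("2022-01-17T10:30:00.000Z", "user.mfa.factor.deactivate", SUPPORT_ACTOR, "dave@example.com",
           result="FAILURE"),
    # support actor, but not a reset event
    _event("2022-01-17T10:31:00.000Z", "user.session.start", SUPPORT_ACTOR, "dave@example.com"),
]


@dataclass(frozen=True)
class Finding:
    published: str
    event_type: str
    actor: str
    targets: Tuple[str, ...]
    source_ip: str


def is_support_actor(actor: dict) -> bool:
    """Assumed rule: an actor whose alternateId or displayName mentions
    'support'. Confirm how support sessions really appear in your own
    tenant's log before relying on this."""
    haystack = f"{actor.get('alternateId', '')} {actor.get('displayName', '')}".lower()
    return "support" in haystack


def find_suspicious_resets(log_lines: Iterable[str],
                           allow_actors: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return successful password/MFA resets by support actors not on the allow list."""
    findings: List[Finding] = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("eventType") not in RESET_EVENT_TYPES:
            continue
        if event.get("outcome", {}).get("result") != "SUCCESS":
            continue
        actor = event.get("actor", {})
        actor_id = actor.get("alternateId", "")
        if actor_id in allow_actors or not is_support_actor(actor):
            continue
        targets = tuple(t.get("alternateId", "")
                        for t in event.get("target", []) if t.get("type") == "User")
        findings.append(Finding(event.get("published", ""), event["eventType"], actor_id,
                                targets, event.get("client", {}).get("ipAddress", "")))
    return findings


def summarize_by_actor(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per actor; one actor resetting many users is the pattern to escalate."""
    return dict(Counter(f.actor for f in findings))


if __name__ == "__main__":
    hits = find_suspicious_resets(SAMPLE_LOG_LINES)
    for hit in hits:
        print(f"{hit.published} {hit.event_type} by {hit.actor} on "
              f"{', '.join(hit.targets)} from {hit.source_ip}")
    print(summarize_by_actor(hits))
```

Run against a real export, the allow list carries the support identities the tenant has knowingly granted access to; anything else that resets credentials or wipes factors, especially in bulk, is what to pull session and IP context for. Failed attempts are skipped here to keep the output focused on completed resets, but a burst of failures from the same actor is itself worth a second query.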
Lapsus$ posted eight screenshots. One appeared to show someone logged into a dashboard belonging to Cloudflare, as reported by Ars Technica. Another image appeared to show a password change for a Cloudflare employee.
Cloudflare CEO Matthew Prince responded saying that Okta “may have been compromised” but “there is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.”
Don't put your eggs in one basket
“What makes this more disturbing is that so many businesses are dependent on one human identity provider—putting all their eggs in one basket. We have seen this previously with the Solarwinds follow-on attacks which breached Office 365—the ripple just keeps spreading,” said Kevin Bocek, VP, Ecosystem & Threat Intelligence at Venafi.
“Looking at Lapsus specifically, they have a history of abusing machine identities and using their understanding of development environments to their advantage. This puts in jeopardy the very system of trust that enables machines to communicate and software to run,” Bocek said.
“We can’t have development teams that work with no involvement from security. Equally we cannot expect security to understand the intricacies of development environments. We need a new breed of development that can bridge the gap and enable security at speed,” he added.
Okta updated its statement on Wednesday, identifying the third-party provider as Sitel and saying that "We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel."
The update went on to say:
"Our investigation determined that the screenshots, which were not contained in the Sitel summary report, were taken from a Sitel support engineer’s computer upon which an attacker had obtained remote access using RDP."
“This device was owned and managed by Sitel. The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session.”