On Tuesday morning (March 22), screenshots allegedly taken from the internal systems of Okta, a provider of corporate authentication services, were published on the channel of the Lapsus$ group, which has been responsible for confirmed intrusions at tech giants in recent weeks.
In the message, the group claims to have acquired “superuser/Admin” access to Okta.com, in addition to other systems, which would give them access to the customer data of the targeted company. At the end of the message, the group claimed not to have accessed or stolen Okta’s database: “our focus was only on Okta customers”, they wrote.
The publicly traded company, valued at US$6 billion, employs more than 5,000 people and provides software services to large companies such as Siemens, ITV, Pret a Manger and Starling Bank, as well as to universities and government agencies around the world. Okta said it was investigating the case.
When evaluating the screenshots released by the group, cybersecurity experts consulted by Reuters said they “definitely believe it’s trustworthy.”
Chris Hollis, an Okta official, commented in a statement that the shared screenshots are connected to an incident in January. “Based on our investigation to date, there is no evidence of continued malicious activity beyond the activity detected in January,” he said. The statement was confirmed by Todd McKinnon, CEO and co-founder of Okta, on Twitter.
In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2)
— Todd McKinnon (@toddmckinnon) March 22, 2022
The statement refers to the system date visible in some of the screenshots, which is set to January 21, 2022. This could indicate that the intrusion took place months ago and has only now become public.
Okta denies breach and Lapsus$ mocks: “I really enjoy the lies presented by Okta”
After declaring its investigation into the breach claimed by the Lapsus$ group complete, Okta stated that its service had not been breached and remained fully operational. “There are no corrective measures that need to be taken by our customers,” David Bradbury, the company’s CSO, wrote in a blog post.
“The report highlighted that there was a five-day period between January 16 and 21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots we became aware of yesterday. The potential impact for Okta customers is limited to the access that support engineers have. These engineers cannot create or delete users, or download customer databases. Support engineers have access to limited data – for example Jira tickets and user lists – that were seen in screenshots. Support engineers are also able to make it easier for users to reset passwords and MFA factors, but they can’t get those passwords,” Bradbury explained.
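A defender-side check that follows from the access model Bradbury describes, added here as an example (not Okta’s code and not from the original article): it scans Okta System Log entries for password resets, MFA resets and impersonation sessions initiated by an actor outside the tenant’s own domain during the January 16–21 window. The event type names are Okta System Log event types; the tenant domain, the actor address and the log lines are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Assumed: the customer's own identity domain; any other actor domain counts as external.
TENANT_DOMAIN = "example.com"

# Okta System Log event types matching what support engineers could do (reset, impersonate).
WATCHED_EVENTS = {"user.session.impersonation.initiate", "user.account.reset_password",
                  "user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}

# The five-day window named in the statement (January 16-21, 2022), end exclusive.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)

# Constructed sample log lines (one JSON object per line); not real tenant data.
SAMPLE_LOG = """
{"published": "2022-01-18T14:02:11.000Z", "eventType": "user.session.impersonation.initiate", "actor": {"alternateId": "engineer@subprocessor.example"}, "target": [{"alternateId": "alice@example.com"}], "client": {"ipAddress": "203.0.113.7"}}
{"published": "2022-01-18T14:05:40.000Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "engineer@subprocessor.example"}, "target": [{"alternateId": "alice@example.com"}], "client": {"ipAddress": "203.0.113.7"}}
{"published": "2022-01-18T14:06:02.000Z", "eventType": "user.account.reset_password", "actor": {"alternateId": "engineer@subprocessor.example"}, "target": [{"alternateId": "alice@example.com"}], "client": {"ipAddress": "203.0.113.7"}}
{"published": "2022-01-19T09:30:00.000Z", "eventType": "user.account.reset_password", "actor": {"alternateId": "it-admin@example.com"}, "target": [{"alternateId": "bob@example.com"}], "client": {"ipAddress": "198.51.100.4"}}
{"published": "2022-02-03T11:00:00.000Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "engineer@subprocessor.example"}, "target": [{"alternateId": "carol@example.com"}], "client": {"ipAddress": "203.0.113.7"}}
"""

def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_external_actor(event):
    """True when the acting account is not in the tenant's own domain."""
    actor = event.get("actor", {}).get("alternateId", "").lower()
    return "@" in actor and not actor.endswith("@" + TENANT_DOMAIN)

def find_support_actions(events):
    """Return (time, eventType, actor, target, ip) for watched events by external actors in the window."""
    hits = []
    for ev in events:
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if not WINDOW_START <= when < WINDOW_END:
            continue
        if ev.get("eventType") not in WATCHED_EVENTS or not is_external_actor(ev):
            continue
        targets = ev.get("target") or [{}]
        hits.append((ev["published"], ev["eventType"], ev["actor"]["alternateId"],
                     targets[0].get("alternateId"), ev.get("client", {}).get("ipAddress")))
    return hits

def accounts_to_review(hits):
    """Group flagged event types by affected account so each can be re-verified with its owner."""
    by_target = {}
    for _, etype, _, target, _ in hits:
        by_target.setdefault(target, []).append(etype)
    return by_target
```

Run `accounts_to_review(find_support_actions(parse_events(SAMPLE_LOG)))` to get the accounts whose credentials or factors were touched from outside the tenant in the window; in a real tenant, export the System Log for the same period and feed it in instead of the constructed sample.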
Upon learning of the statement, the group countered with several questions, sarcastically saying that they “appreciate the lies presented by Okta”. Below is the translated message in full.
- Haven’t we compromised any laptops? It was a small client.
- “Okta detected a failed attempt to compromise the account of a customer support engineer working for a third-party vendor.” – Am I STILL uncertain about a failed attempt? Logged into the super user portal with the ability to reset the Password and MFA of ~95% of customers not successful?
- For a company that supports Zero-Trust. Do support engineers seem to have excessive access to Slack? 8.6k channels?
- “Support engineers are also able to make it easier for users to reset passwords and MFA factors, but are unable to obtain these passwords.” – Uhm? Hope no one can read passwords? Not just support engineers, LOL. – Are you implying that passwords are stored in clear text?
- Do you claim that a laptop has been compromised? In that case, *what suspicious IP address* do you have available to report?
- Potential impact for Okta customers is NOT limited, I am sure that resetting passwords and MFA would result in total compromise of many customer systems
- If you are committed to transparency, why not hire a company like Mandiant and PUBLISH the report? I’m sure it would be very different from your report 🙂
21. Security breach management. a) Notification: In the event of a security breach, Okta notifies customers affected by such security breach. Okta cooperates with an impacted customer’s reasonable request for information regarding such security breach, and Okta provides regular updates on any security breach and the investigative and corrective measures taken.
But customers only found out today? Why wait so long?
- Access Controls. Okta has policies, procedures and logical controls in place that are designed to:
B. Controls to ensure that all Okta personnel who are granted access to any customer data are based on principles of least privilege;
- Security rules. Okta’s ISMP includes adherence to and regular testing of its ISMP’s key controls, systems and procedures to validate that they are properly implemented and effective to address identified threats and risks. Such tests include: a) Internal risk assessments; b) ISO 27001, 27002, 27017 and 27018 certifications; c) NIST guidance; and d) SOC2 Type II (or successor standard) audits performed annually by accredited third-party auditors (“Audit Report”).
I don’t think storing AWS keys in Slack would meet any of these standards?