The hacking group Lapsus$ first emerged in December, alleged to have stolen source code and other valuable data from increasingly prominent companies, including Nvidia, Microsoft, Samsung, and Ubisoft. They have backed up their claims by leaking portions of critical code in apparent extortion attempts. Early investigations by security researchers broadly reported they seemed to be using phishing to compromise their victims. Now it seems possible that some of those high-profile breaches stemmed from the group’s Okta compromise.
What do we know as of 5pm 3/22/2022:
Lapsus$ today corrected the claim by Okta that a laptop was compromised stating they had “access to a thin client rather than a laptop” and “that it found Okta storing AWS keys in Slack channels”.
What Should You Do?With the idea that this is an evolving situation and we could learn more that requires additional action, CyberHoot is making the following early recommendations for anyone using Okta for their Identity and Access Management needs:
- Investigate your Okta System Log for the following two events to see if any entry by an Actor that is not one of your own administrators has occurred. Be on the lookout for a tenant marked as “Okta System” or “firstname.lastname@example.org”. Be especially diligent in looking for deactivations or password update actions.
- eventType eq “user.mfa.factor.deactivate”
- eventType eq “user.account.update_password”
- Consider revoking Okta Support access until further notice. It was a super engineer account used to disable MFA and reset a password that may have led to these other breaches mentioned above.
- Keep in contact with Okta to see if they change their recommendations on defensive measures as they emerge. Ensure you have Two-Factor Authentication (2FA/MFA) enabled for users accessing Okta authenticate services before they can go elsewhere.
- Put Access Control Lists (ACLs) limiting administrative access to Okta admin console from only your own company’s locations to prevent random internet users from connecting in. This may require careful testing and VPN access consideration for remote users.
- Ensure your network activity monitoring is enabled and pay close attention to authentication against internal systems.
- Ensure staff is alerted to this Okta breach and pay attention to suspicious activity.
- Restrict access to all your Remote Management Tools to Internal IPs alone.
- Consider removing Administrative rights to employees for their day-to-day use and instead limit admin rights for the time being.