LAPSUS$ Criminal Group Announces Compromise of Okta, Microsoft

On Monday, March 21st, the cybercrime group Lapsus$ posted screenshots on its Telegram channel claiming it had access to a number of Okta systems since at least January 21st of this year.

Okta is a company providing widely used Multifactor Authentication (MFA) and Identity Management (IdM) software. The company said it had “detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors” in January, but had found “no evidence of ongoing malicious activity.”

If true, this is serious. Okta (like any other MFA and identity provider) is part of the foundation underlying security programs at the organizations that depend on it: a compromise of the provider undermines every control that trusts its authentication decisions.

For my fellow defenders, here are some initial priorities related to the (potential) Okta Breach:

  • If you are an Okta MFA customer, conduct a risk assessment of your multi-factor implementation. In particular, consider any administrator accounts whose access depends on Okta-backed MFA. It may be necessary to de-couple administrator (break-glass) accounts from the Okta MFA flow, protecting them with unique, strong passwords and, where possible, a second factor that does not depend on Okta, rather than leaving them with no independent factor at all.
  • Some organizations use the Identity Management features of Okta for new account creation. Review any accounts created through Okta in the last 90 days to determine whether any of the account creation activity is suspicious (unexpected creating actors, bursts of creations, accounts never used afterwards). You should also continue to monitor account creation activity going forward.
  • Consider and prepare stringent configurations for outbound internet access at your corporate or cloud firewalls. In the event of a widespread incident involving Okta, it may be necessary to lock down outbound internet access to a minimum and defined set of services.
  • Consider options for increased logging and monitoring. If you are using a SIEM to collect logs, here are some resources to begin evaluating your Okta logs: https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta https://github.com/elastic/detection-rules/tree/main/rules/integrations/okta
  • Review “app.generic.provision” events to identify any users granted access to other apps.
  • Review “security.threat.configuration.update” to see any changes made to Okta’s behavioral threat detection.
  • Advise employees to be alert for phishing emails impersonating Okta, which are likely to follow any widely reported incident at an identity provider.
  • Assess the risk posed by third parties that manage or have access to your systems. To what extent might an MFA breach at one of them bring risk to your organization?
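As an added example (not code from the original post), the following Python triages Okta System Log events for three of the review items above: account creations in the last 90 days grouped by creating actor, "app.generic.provision" events, and "security.threat.configuration.update" events. The log lines are constructed for this example, the event type "user.lifecycle.create" for account creation is assumed from Okta's System Log, and the other two event type names are the ones the post cites. The record shape (eventType, published, actor, target, outcome) follows the System Log JSON format that the Sigma and Elastic rules linked above also consume.

```python
"""Triage Okta System Log events for account creation, app provisioning and
ThreatInsight configuration changes.

Added example, not code from the original post. The events below are
constructed JSON records in the Okta System Log shape; "user.lifecycle.create"
is assumed to be the account-creation event type, the other two names are
taken from the post.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Event types of interest for the review items in the post.
EVENT_ACCOUNT_CREATE = "user.lifecycle.create"           # assumed event type
EVENT_APP_PROVISION = "app.generic.provision"            # named in the post
EVENT_THREAT_CONFIG = "security.threat.configuration.update"  # named in the post

# Constructed sample events (not real log data). One external support identity
# creates two users in a burst, pushes one into an app, then edits ThreatInsight.
SAMPLE_LOG = """\
{"published":"2022-01-22T03:14:05.000Z","eventType":"user.lifecycle.create","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"support-eng@subprocessor.example"},"target":[{"type":"User","alternateId":"new.user1@corp.example"}]}
{"published":"2022-01-22T03:14:40.000Z","eventType":"user.lifecycle.create","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"support-eng@subprocessor.example"},"target":[{"type":"User","alternateId":"new.user2@corp.example"}]}
{"published":"2021-11-02T09:00:00.000Z","eventType":"user.lifecycle.create","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"hr-admin@corp.example"},"target":[{"type":"User","alternateId":"old.hire@corp.example"}]}
{"published":"2022-01-23T11:05:00.000Z","eventType":"app.generic.provision","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"support-eng@subprocessor.example"},"target":[{"type":"AppInstance","displayName":"AWS Account Federation"},{"type":"User","alternateId":"new.user1@corp.example"}]}
{"published":"2022-02-01T17:20:00.000Z","eventType":"security.threat.configuration.update","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"support-eng@subprocessor.example"},"target":[]}
{"published":"2022-03-01T08:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"alice@corp.example"},"target":[]}
"""


def parse_events(raw):
    """Parse newline-delimited JSON (one System Log record per line)."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _published(event):
    """Timestamp of the event as an aware datetime (Okta emits trailing 'Z')."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _targets(event, target_type):
    """Names of the event's targets of a given type (User, AppInstance, ...)."""
    return [t.get("alternateId") or t.get("displayName", "?")
            for t in event.get("target", []) if t.get("type") == target_type]


def triage(events, now, window_days=90):
    """Return the findings a reviewer wants for the three review items.

    created:               (time, creating actor, new user) within the window
    creators:              how many accounts each actor created in the window,
                           so a burst from one identity stands out
    provisioned:           (time, actor, user, apps) for app.generic.provision
    threat_config_changes: (time, actor) for ThreatInsight configuration edits
    Only successful events are kept; failed attempts deserve their own alert.
    """
    cutoff = now - timedelta(days=window_days)
    findings = {"created": [], "creators": Counter(),
                "provisioned": [], "threat_config_changes": []}
    for e in events:
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue
        actor = e.get("actor", {}).get("alternateId", "?")
        etype = e.get("eventType")
        when = _published(e)
        if etype == EVENT_ACCOUNT_CREATE and when >= cutoff:
            for user in _targets(e, "User"):
                findings["created"].append((when.isoformat(), actor, user))
                findings["creators"][actor] += 1
        elif etype == EVENT_APP_PROVISION:
            apps = _targets(e, "AppInstance")
            for user in _targets(e, "User"):
                findings["provisioned"].append((when.isoformat(), actor, user, apps))
        elif etype == EVENT_THREAT_CONFIG:
            findings["threat_config_changes"].append((when.isoformat(), actor))
    return findings


def run_sample(now=None):
    """Triage the constructed sample as of 2022-03-22 (the post's week)."""
    now = now or datetime(2022, 3, 22, tzinfo=timezone.utc)
    return triage(parse_events(SAMPLE_LOG), now)


if __name__ == "__main__":
    for key, rows in run_sample().items():
        print(f"== {key} ==")
        for row in (rows.items() if isinstance(rows, Counter) else rows):
            print("  ", row)
```

Against the sample, the November creation falls outside the 90-day window and the session start is ignored, leaving two creations by the same external support identity, one provisioning push, and one ThreatInsight configuration change, all by that identity. In practice you would export the System Log for the window (via the API or your SIEM) into the same newline-delimited shape and review the creators table for identities that should never be creating accounts.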

Separately, Lapsus$ has also posted concerning messages indicating that it may have had similar administrative access within Microsoft. The group claims to have stolen source code for Bing, Cortana, and other internal projects from Microsoft’s internal Azure DevOps server, and early Sunday morning it posted a screenshot purportedly showing that source code.

Lapsus$ has previously conducted successful attacks against Samsung, NVIDIA, the Brazilian Ministry of Health, South American telecommunications organizations, and Portuguese media corporations.

Finally: as an Okta customer, you should closely monitor the development of this incident for additional details and risks as they emerge.

Very informative and helpful advice!!
John Callender, CISSP

Manager Information Security - Information Technology Industry

3 years ago

Great advice Brian, many thanks!!!!


Excellent advice Brian. Thank You.
