At a glance.
- Okta, Inc. hit by Lapsus$ group.
- Report: private medical data possibly exposed by Doctors Me.
Okta, Inc. hit by Lapsus$ group.
Having already taken credit for recent attacks on high-profile targets like Samsung, Nvidia, and Ubisoft, the Lapsus$ extortion gang strikes again. This time the victim is US identity management firm Okta, Inc., provider of user verification software to over 15,000 customers across the globe. On its Telegram channel Tuesday, Lapsus$ posted screenshots of data the gang had allegedly stolen from Okta’s system by acquiring unauthorized access to a super-user administrative account, CRN Australia reports. “For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor,” the threat group bragged. At first, the Wall Street Journal reports, Okta claimed the screenshots were from a January breach that had already been addressed. Okta co-founder and CEO Todd McKinnon stated on Twitter, “In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor.” Despite Okta’s attempts to downplay the breach, Forbes notes that some customers expressed their frustration that this was the first they were hearing of the incident, despite two months having passed since its discovery. Matthew Prince, CEO of Cloudflare, even posted a tweet indicating that his firm was considering replacing Okta as their single sign-on tech provider, stating, “Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.”
By Wednesday morning, however, Okta had changed its stance, posting a statement on the company website admitting that the data of a “small percentage” of its customers had been accessed and possibly exfiltrated. The full scope of the breach is still unclear, but security experts say that if Lapsus$ did, in fact, infiltrate an administrative account, the incident could be on par with the 2020 supply-chain compromise of IT management vendor SolarWinds. Independent security researcher Bill Demirkapi told Wired, “The idea is that the access controls to get to that Administrative panel would be very restrictive…The problem here is that it appears like Lapsus$ directly compromised an employee's machine, so even with those access controls they can just piggyback on the employees' access.” Reuters notes that the threat group says it has no interest in any internal Okta company data, but is solely targeting Okta’s extensive list of high-profile customers, household names like FedEx and Moody’s. Phobos Group founder Dan Tentler says Okta’s customers should "be very vigilant right now."
We also heard from Trellix, whose Principal Engineer Douglas McKee offered some reflections on the implications of the Lapsus$ incident:
“Similar to 2020, when the world turned its attention to the devastating SolarWinds attack, we are continuing to see a large amount of emphasis by malicious actors on compromising critical IT infrastructure and supply chains.
"It appears the hacking group LAPSUS$ has been extremely active over the last few months with increasing activity against large well-known targets. LAPSUS$ has a strong reputation for successful breaches with the same pattern of stealing intellectual property such as source code. This morning, March 22nd, LAPSUS$ stated that they have struck again and breached Okta, an Access Management provider. This is just days after they announced breaching Microsoft’s Azure DevOps portal and only two hours after announcing their second compromise in a year of LG Electronics.
"On March 10th, LAPSUS$ posted on their Telegram recruitment channel that they were looking to purchase, from insiders, credentials for several types of large businesses, such as telecommunication companies like AT&T and Telefonica, and large software companies like Microsoft and Apple. While unverified, LAPSUS$’s active solicitation to buy insider credentials through dedicated Telegram channels likely has contributed to their success.
"The biggest concern is LAPSUS$’s claim that the group has breached Okta. In LAPSUS$’s statement, they claim to have access to a Superuser/Admin account which could allow them to reset any customer user account of their choosing. This could include resetting passwords, assigning temporary passwords, and resetting multifactor authentication. If true, the impact of this access could be devastating, considering Okta has a customer base of more than 15,000 customers.
"Our industry is often over-focused on ransomware and the corresponding bad actors which hold critical data hostage for financial gain. LAPSUS$ has continued to show they have little to no interest in deploying ransomware but do have a large focus on extortion. They show a pattern of announcing a breach with screenshots to identify their access and then dropping stolen data days later. It is hard to confirm LAPSUS$’s true motivations in these attacks with the current publicly available data. They have stated themselves that they are not politically based in nature, and it has yet to be revealed if financial demands have been made in the most recent breaches.”
Ido Safruti, Co-Founder and CTO at PerimeterX, sees the incident as representing, at one level of abstraction, an application security issue:
“Modern web applications are no longer completely built in-house. Instead, organizations leverage components from partners and open source libraries, including services like authentication.
"Generally speaking, this is a good idea as it allows for specialization, as well as the use of a company’s limited development resources to focus on differentiated capabilities unique to their business. However, when you outsource these components, you lose a lot of control. This means that you have to have a lot more visibility to control what you do see. Unfortunately, when it comes to most web applications there is a “post login wasteland” wherein organizations focus on protecting the login itself, but have no visibility into activities post login. In the case of a threat actor using valid login credentials or access tokens that they have stolen or acquired, this can lead to abuse and fraud.
"This incident is a further reminder of software supply chain risks: a compromise or vulnerability in a third-party piece of code could potentially lead to severe consequences. In fact, 70% of the code on most websites comes from third parties, and most organizations do not have the ability to detect changes to it or to take mitigating action. Thankfully, this time it appears to be a false alarm, but what if it wasn’t? And what about next time? We strongly advise organizations to ask themselves whether they have the tools and capabilities to notice and take action on changes, potential risks and anomalies in their supply chain, and analyze the behavior of users on their website. Using a multi-tiered approach that looks at the entire attack lifecycle, from data theft and harvesting, through validation and then account fraud, can provide indications of account takeover activity, and prevent it regardless of the method the attacker used to get in.”
Demi Ben-Ari, CTO, Co-Founder and Head of Security for Panorays, emailed some advice on dealing with the incident if you're an Okta customer:
"Today’s Okta breach puts thousands of organizations around the world at risk. Lapsus$’s MO revolves around compromising employee credentials or buying off insiders to exfiltrate customer data under the guise of a legitimate user. The group claims to have acquired “superuser/admin” access with the intent to compromise customer info, meaning that every customer (15,000+ organizations) using Okta’s services directly, or any third party using the solution, will be affected. Lapsus$’s attack will affect Okta’s internal data alongside the identities managed by customers both on-premises and in the cloud. To mitigate risk, companies should:
- "Identify whether your organization (or third-party partners) is using Okta as an IdP via a third-party risk management program
- "Configure a shorter user session expiry period within Okta
- "Activate identity enforcement policies (via an authenticator app)
- "Unprovision any unused identities/users in the organization
- "Enable notifications for new sign-ins, new factor enrollment and factor resets
- "Communicate employee need for extra vigilance and notify security admins about upticks in phishing/social engineering attempts
- "Be alert for future updates from Okta about the compromise and leverage other security tools within your organization to ID suspicious activity."
Jon Hencinski, director of global operations with Expel, with the due caution appropriate to any developing story, also wrote with advice to affected organizations:
“While the situation surrounding the reported breach of Okta by LAPSUS$ is still developing, there are a few precautionary actions you can take immediately to protect yourself and your organization. This includes rotating privileged Okta passwords and Okta-generated tokens and reviewing Okta admin authentications and activity for the past four months.
"Review configuration changes to ensure they align with expected activities and sources. Review admin authentications and ensure they originate from expected sources based on the source user. Identify any Okta accounts where multi-factor authentication (MFA) was disabled during the same time period and determine the user and root cause of that disablement — then re-enable MFA for those accounts. Throughout this process, communicate transparently what you’re doing and have done with your internal and external stakeholders. This is also an opportunity to stress-test your incident response plan (IRP). And if you don't have an IRP — create one, then test it and test it again. Fortune favors the prepared.”
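The review Hencinski describes (admin sign-ins from unexpected sources, accounts where MFA was disabled, privileged resets, and tokens issued) overlaps with the alerting Ben-Ari recommends above (new sign-ins, factor enrollment and factor resets). As an added example, not code from Okta, Expel or Panorays, the Python below runs that triage over a handful of constructed Okta System Log events. The event type names follow Okta's System Log documentation as the editor understands it and should be verified against your own tenant's logs; the admin list, allowed-country list and sample events are hypothetical.

```python
"""Triage of Okta System Log events for signs of admin-account abuse.

Added illustration, not code from Okta, Expel or Panorays. Event type
names follow Okta's System Log documentation as the editor understands
it (verify against your tenant); ADMIN_USERS, ALLOWED_ADMIN_COUNTRIES
and SAMPLE_EVENTS are constructed, not real tenant data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical tenant policy: who is an admin and where admins sign in from.
ADMIN_USERS = {"admin.alice@example.com", "admin.bob@example.com"}
ALLOWED_ADMIN_COUNTRIES = {"United States", "Canada"}

# Okta System Log event types used by this review (assumed names).
MFA_WEAKENING = {"user.mfa.factor.deactivate", "user.mfa.factor.reset_all"}
CREDENTIAL_RESETS = {"user.account.reset_password", "user.account.update_password"}
TOKEN_EVENTS = {"system.api_token.create"}
SIGN_IN = "user.session.start"


def _ts(published):
    """Parse Okta's ISO-8601 'published' timestamp (trailing Z) to a datetime."""
    return datetime.fromisoformat(published.replace("Z", "+00:00"))


def triage(events, now, lookback_days=120):
    """Return (severity, reason, event) findings, newest first.

    lookback_days=120 approximates the 'past four months' review window."""
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for ev in events:
        if _ts(ev["published"]) < cutoff:
            continue
        etype = ev["eventType"]
        actor = ev["actor"]["alternateId"]
        targets = [t.get("alternateId") for t in ev.get("target", [])]
        country = ev.get("client", {}).get("geographicalContext", {}).get("country")
        ok = ev.get("outcome", {}).get("result") == "SUCCESS"

        if etype in MFA_WEAKENING and ok:
            # Removing a factor is exactly what support-level access enables;
            # every successful instance needs an owner and a root cause.
            findings.append(("high", f"MFA weakened on {', '.join(targets)} by {actor}", ev))
        elif etype in CREDENTIAL_RESETS and ok and targets and actor != targets[0]:
            # A password reset performed by someone other than the account owner.
            findings.append(("high", f"password reset on {targets[0]} by {actor}", ev))
        elif etype in TOKEN_EVENTS and ok:
            findings.append(("medium", f"API token created by {actor}", ev))
        elif etype == SIGN_IN and ok and actor in ADMIN_USERS \
                and country not in ALLOWED_ADMIN_COUNTRIES:
            findings.append(("medium", f"admin {actor} signed in from {country}", ev))
    findings.sort(key=lambda f: f[2]["published"], reverse=True)
    return findings


def mfa_disabled_accounts(findings):
    """Map each account whose MFA was weakened to the (actor, when) pairs
    responsible, so each one can be investigated and MFA re-enrolled."""
    by_account = defaultdict(list)
    for _sev, _reason, ev in findings:
        if ev["eventType"] in MFA_WEAKENING:
            for t in ev.get("target", []):
                by_account[t["alternateId"]].append(
                    (ev["actor"]["alternateId"], ev["published"]))
    return dict(by_account)


def _ev(etype, published, actor, target=None, country="United States", result="SUCCESS"):
    """Build a minimal System Log-shaped event (constructed sample data)."""
    ev = {"eventType": etype, "published": published,
          "actor": {"type": "User", "alternateId": actor},
          "client": {"geographicalContext": {"country": country}},
          "outcome": {"result": result}, "target": []}
    if target:
        ev["target"].append({"type": "User", "alternateId": target})
    return ev


NOW = datetime(2022, 3, 23, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed, not real log data
    _ev(SIGN_IN, "2022-03-20T09:00:00Z", "admin.alice@example.com"),
    _ev(SIGN_IN, "2022-03-21T03:15:00Z", "admin.alice@example.com", country="Brazil"),
    _ev("user.mfa.factor.reset_all", "2022-03-21T03:20:00Z",
        "admin.alice@example.com", target="carol@example.com", country="Brazil"),
    _ev("user.account.reset_password", "2022-03-21T03:22:00Z",
        "admin.alice@example.com", target="carol@example.com", country="Brazil"),
    _ev("system.api_token.create", "2022-03-19T12:00:00Z", "admin.bob@example.com"),
    _ev("user.mfa.factor.deactivate", "2022-03-18T10:00:00Z",
        "dave@example.com", target="dave@example.com", result="FAILURE"),
    _ev("user.mfa.factor.deactivate", "2021-09-01T10:00:00Z",
        "admin.bob@example.com", target="erin@example.com"),  # outside window
]

if __name__ == "__main__":
    for sev, reason, ev in triage(SAMPLE_EVENTS, NOW):
        print(sev.upper(), ev["published"], reason)
    print("re-enroll MFA for:", sorted(mfa_disabled_accounts(triage(SAMPLE_EVENTS, NOW))))
```

On the constructed sample the admin sign-in from an unexpected country, followed minutes later by a factor reset and a password reset on another user's account, surfaces as three adjacent findings; a failed self-service deactivation and an event outside the four-month window are ignored. Against a live tenant the same logic applies to System Log exports, with the event type names and the policy sets checked against what your tenant actually emits.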
Report: private medical data possibly exposed by Doctors Me.
The cybersecurity team at SafetyDetectives claims to have discovered a data leak at Doctors Me, a Japanese Q&A website that allows users to upload information and images about their ailments in order to receive professional medical advice. Researchers found an unsecured Amazon S3 storage bucket containing the sensitive data of approximately 12,000 people, including images of minors. Though all of the data provided by users is uploaded anonymously, individuals could be identified through images of their faces. Doctors Me and the Japanese Computer Emergency Response Team (CERT) were notified of the exposure when it was discovered in November, and CERT has responded that it has reached out to Amazon Web Services to secure the bucket.