Okta investigates claims by Digital Extortion Gang LAPSUS$

March 23, 2022

This week’s Cloud Security News is brought you by JupiterOne and Hunters – Click on their names to find out more about them.

  • You have probably heard some rumblings or large noises this week about Okta, and Microsoft and something Lapsus$. So what is it all about? Well Okta is quite a well known identity and access management platform used by thousands of large organizations. And if you want to know more about Identify and Access management you can head over to our episodes earlier this year on the IAM month. 
  • On Monday, Lapsus$ which is a digital extortion gang – which really means that their  focus on data theft and extortion published a series of  shocking posts in its Telegram channel. First, the group dumped what it claims is extensive source code from Microsoft’s Bing search engine, Bing Maps, and Cortana virtual assistant software. Followed by screenshots apparently taken on January 21 that allegedly show Lapsus$ in control of an Okta administrative or “super user” account. As you can imagine this is rather alarming. 
  • Microsoft shared in their company blog this week that “No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access.” – They confirmed that their cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. They also shared that  Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. They have shared quite a detailed security blog around how Lapsus$ targets organisations and recommendations to further strengthen and monitor your cloud security posture against such attacks. They recommend reviewing your Conditional Access user and session risk configurations, configuring your alerts to prompt a review on high-risk modification of tenant configuration and reviewing risk detections in Azure AD Identity Protection. You can read Microsoft’s security blog here.
  • Okta continues to maintain that Okta service has not been breached and remains fully operational and there are no corrective actions that need to be taken by our customers. They have shared that in January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of their regular procedures, they alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. They have confirmed that they conducted a thorough investigation and found that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. They have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, they have already reached out directly by email. You can read their statement   here 
  • In response to this, one of Okta’s customer Cloudflare which is a web infrastructure and website security company that provides content delivery network and DDoS mitigation services, their CEO and Co-Founder Matthew Prince tweeted – We are resetting the Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution. We’ve confirmed no compromise. Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.

In other news, AWS has recently shared that it is aware of an issue present in OpenSSL versions 1.0.2, 1.1.1, and 3.0 in which a certificate containing invalid explicit curve parameters can cause denial of service (DoS) by triggering an infinite logic loop. This issue was eliminated in the subsequent releases of OpenSSL. AWS is aware of this issue and is actively investigating for impact to AWS services. This could be of relevance to Elastic Load Balancer,  Amazon EC2, AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront if we reflect back to AWS ​​OpenSSL Vulnerability from 2014.

Recommend a topic

Partner with us

Join the team

Enjoying our content? Don't forget to subscribe!