CSA’s Understanding Of The Okta Data Breach So Far

When it comes to the Lapsus$ hacking group’s recent breach of Okta, the access management software company, our ears have been to the ground and our eyes locked onto the headlines. Okta has released multiple statements about the breach, and other unconfirmed sources have added to the story, which has only muddied matters. Here’s our executive summary of the events so far.

What is the Okta breach?

Firstly, what do Okta do? If you’ve ever used ‘Sign in with Apple’ or ‘Sign in with Google,’ then you’ve used some sort of access management to authorise your sign-in activity. Okta aims to provide this on a larger scale, offering a single sign-on option for a large number of industry applications and services such as Zoom, Google Workspace, Jira Software, Office 365, and more. If malicious actors managed to breach the security of a service like Okta, it would potentially give them access to dozens of other websites.

Unfortunately for Okta and its users, the unthinkable happened earlier this year, and Lapsus$ is the group claiming to have compromised the software company. This name might already be familiar to some, as they’ve been in the news claiming to have compromised and leaked Microsoft’s source code, including 90% of the code for Bing and 45% of the source code for Cortana. Suffice it to say, the Lapsus$ group is creating quite a stir in the cyber security scene - if the claims are true, they’ve compromised the data of two huge targets in quick succession.

How did the attack happen?

Microsoft have been tracking the activity of Lapsus$ under the name DEV-0537, and have described them as “known for using a pure extortion and destruction model without deploying ransomware payloads”. The group is suspected to be based in Brazil, and although it originally targeted victims in the United Kingdom and South America, it has since expanded its scope worldwide.

According to Microsoft, “their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organisations; paying employees, suppliers, or business partners of target organisations for access to credentials and Multi-Factor Authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.”

To gain access to systems, Lapsus$ has been observed using multiple methods:

  • Paying users of target organisations to give them access (credentials and MFA approval)
  • Stealing credentials and tokens using the Redline password stealer
  • Searching for credentials within public code repositories
  • Purchasing session tokens and credentials on criminal underground forums

Lapsus$ has also been spotted advertising for rogue internal parties within organisations to provide credentials, MFA access, and other ways of accessing and compromising their potential victims’ networks. On the 10th of March 2022, they posted the following advertisement:

What did Okta do?

At the moment, Okta’s CSO, David Bradbury, claims that only 366 clients, or 2.5% of their customer base, have potentially been impacted. The Okta security team’s log analysis has shown that Lapsus$ gained access to the account of a support engineer. The engineer in question was from a third party company, Sitel, which provides Okta with contract workers.

We investigated the timeline shared by Bradbury and his team, and found that the initial activity occurred on the 20th of January 2022 at 23:18, when a Sitel user received an MFA access request from a new location. The request was blocked and a ticket raised, and at 23:46, 28 minutes after the initial observation, it was escalated as a security incident. Okta were made aware of this shortly afterwards.

After the relevant user account was suspended and its sessions terminated, the Indicators of Compromise were sent to an undisclosed forensics firm. It wasn’t until the 10th of March that the report was created and dated, and another seven days passed before Okta received the summary report of the incident.

On the 22nd of March 2022, Lapsus$ shared some screenshots of Okta’s internal systems online, claiming that they had managed to access Okta’s superuser account. Okta later confirmed that the images were real, and were related to the January incident.

The images below were posted on the Lapsus$ Telegram channel:

After the breach, Okta and Lapsus$ both released contradictory statements about the turn of events, which can be found below.

In Okta’s statement, which can be read here, David Bradbury claimed it was an unsuccessful attack and tried to downplay the events:

In the counter statement from Lapsus$, the hacking group boasted about what they’d done and went on to criticise Okta’s cyber security:

Okta has since reflected upon the timescale and its handling of the breach, and on the 23rd of March, David Bradbury stated, “I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.”

How the breach could impact you

Something you might be asking yourself is: “if I don’t use Okta, why should I care?” Well, incidents such as these should be used as a learning process for everyone. If methods of compromise such as those used by Lapsus$, including bribery of employees, insider threats, and rogue trusted parties, continue to become more popular with threat actors, then your business could soon be on the receiving end of a similar cyber attack.

In the event that your company utilises third party providers such as Okta, or is currently thinking about getting involved with another similar business, we recommend ensuring a cyber security due diligence process is followed on that provider prior to working with them. Make sure you know who you’re planning to work with, and understand the potential risks associated with the given tasks.

Ensure that all MFA events that appear to be out of the ordinary for a particular user are investigated completely (and promptly). Always be vigilant about attempts coming from new IP addresses and unfamiliar geolocations, or at unexpected times. Microsoft now offers passwordless sign-in capabilities, which only require an email address and an MFA confirmation to grant a user access to your domain - an indication that it’s more important than ever to be monitoring MFA activity.
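As an added illustration of the monitoring described above (this is example code written for this article, not Okta’s or Microsoft’s tooling), the script below walks a constructed set of MFA challenge events in time order, learns each user’s known IPs and countries from successful approvals only, and flags any challenge from a new IP, a new country, or outside working hours. The event field names, the sample values and the 07:00–19:00 UTC working window are all assumptions.

```python
"""Flag MFA challenges that break a user's established pattern."""
from collections import defaultdict
from datetime import datetime

# Constructed sample MFA challenge events (not real Okta or Sitel log data).
# Timestamps are UTC; "XX" is a placeholder country code.
EVENTS = [
    {"ts": "2022-01-18T09:02:00Z", "user": "s.user", "ip": "203.0.113.10", "country": "GB", "result": "SUCCESS"},
    {"ts": "2022-01-19T08:55:00Z", "user": "s.user", "ip": "203.0.113.10", "country": "GB", "result": "SUCCESS"},
    {"ts": "2022-01-20T23:18:00Z", "user": "s.user", "ip": "198.51.100.7", "country": "XX", "result": "DENIED"},
    {"ts": "2022-01-21T10:00:00Z", "user": "j.doe", "ip": "192.0.2.5", "country": "GB", "result": "SUCCESS"},
    {"ts": "2022-01-21T10:30:00Z", "user": "j.doe", "ip": "192.0.2.99", "country": "GB", "result": "SUCCESS"},
]


def parse_ts(ts):
    """Parse the assumed ISO-8601 UTC timestamp format used in EVENTS."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_mfa_anomalies(events, work_hours=(7, 19)):
    """Return (ts, user, reasons) for every challenge that looks out of pattern.

    The baseline is built only from SUCCESS events seen earlier in the stream,
    so a denied attempt from an attacker never poisons the user's history.
    """
    known_ips, known_countries = defaultdict(set), defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, hour = ev["user"], parse_ts(ev["ts"]).hour
        reasons = []
        # Cold start: a user with no approved history cannot be compared yet,
        # so only the time-of-day check applies until a baseline exists.
        if known_ips[user]:
            if ev["country"] not in known_countries[user]:
                reasons.append("new_country")
            if ev["ip"] not in known_ips[user]:
                reasons.append("new_ip")
        if not work_hours[0] <= hour < work_hours[1]:
            reasons.append("off_hours")
        if reasons:
            findings.append((ev["ts"], user, reasons))
        if ev["result"] == "SUCCESS":
            known_ips[user].add(ev["ip"])
            known_countries[user].add(ev["country"])
    return findings


if __name__ == "__main__":
    for ts, user, reasons in flag_mfa_anomalies(EVENTS):
        print(ts, user, ", ".join(reasons))
```

In a real deployment the baseline would be persisted and fed from the identity provider’s sign-in log export, and each finding would open a ticket for prompt triage rather than being printed.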

Last, but not least, ensure that parties with access to your infrastructure have the relevant training and policies in place to minimise the possibility of third party compromises affecting your own business.

Over the past week, UK police revealed that they’d arrested seven people in relation to Lapsus$, but whether this development means the cybercrime gang will be stopped remains to be seen. Whether or not Lapsus$’ hacking days are over, their method of hacking isn’t new, and will likely be used by other groups before long. You can expect CSA to keep you apprised of any developments in the world of cyber attacks, and if you want to find out how we can help you strengthen your own cyber defences, you can get in touch with us today.