Rewterz Threat Update – Okta Confirmed Security Breach by LAPSUS$ Group

Severity

High

Analysis Summary

LAPSUS$ Ransomware is a new and emerging ransomware group that has successfully attacked major conglomerate. Like most ransomware groups, LAPSUS$ also infiltrates organizations with a phishing attack. From there on, they exploit vulnerabilities like privilege escalation to get hold of administrative rights and blatantly display their abilities. LAPSUS$ Threat group has also breached Okta.

The organization’s CEO stated that they detected an attempt to compromise the laptop of one of their support engineers in January 2022. They also revealed that only 2.5% of their customers were impacted by the breach.

“Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.” reads the advisory published by the company. “The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”

LAPSUS$’s Response

I do enjoy the lies given by Okta.

• 1. We didn’t compromise any laptop? It was a thin client.
• 2. “Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider.” – I’m STILL unsure how its a unsuccessful attempt? Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn’t successful?
• 4. For a company that supports Zero-Trust. *Support Engineers* seem to have excessive access to Slack? 8.6k channels? (You may want to search AKIA* on your Slack, rather a bad security practice to store AWS keys in Slack channels)
• 5. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords. – Uhm? I hope no-one can read passwords? not just support engineers, LOL. – are you implying passwords are stored in plaintext?
• 6. You claim a laptop was compromised? In that case what *suspicious IP addresses* do you have available to report?
• 7. The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.
• 8. If you are committed to transparency how about you hire a firm such as Mandiant and PUBLISH their report? I’m sure it would be very different to your report.
• https://www.okta.com/sites/default/files/2021-12/okta-security-privacy-documentation.pdf *21. Security Breach Management. a) Notification: In the event of a Security Breach, Okta notifies impacted customers of such Security Breach. Okta cooperates with an impacted customer’s reasonable request for information regarding such Security Breach, and Okta provides regular updates on any such Security Breach and the investigative action and corrective action(s) taken.* – But customers only found out today? Why wait this long?
• 9. Access Controls. Okta has in place policies, procedures, and logical controls that are designed: b. Controls to ensure that all Okta personnel who are granted access to any Customer Data are based on leastprivilege principles; kkkkkkkkkkkkkkk 1. Security Standards. Okta’s ISMP includes adherence to and regular testing of the key controls, systems and procedures of its ISMP to validate that they are properly implemented and effective in addressing the threats and risks identified. Such testing includes: a) Internal risk assessments; b) ISO 27001, 27002, 27017 and 27018 certifications; c) NIST guidance; and d) SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors (“Audit Report”). I don’t think storing AWS keys within Slack would comply to any of these standards?

Impact

• Financial Theft
• Data Breach

Remediation

• Logging – Log your eCommerce environment’s network activity and web server activity.
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets