Another big fish goes down – This time Okta! – Enter Lapsus$ group!

Over the last two days, Okta has been in the spotlight after confirming a possible data breach. Microsoft has confirmed the data breach, and it seems that an Okta support staff member's laptop was hacked as early as January this year. Microsoft has also confirmed that one of its own employees was compromised by the Lapsus$ hacking group, allowing the threat actors to access and steal portions of its source code. Okta is one of the biggest players in the Identity and Access Management arena, with SSO being one of its most attractive features for organizations worldwide. Read the full article below to understand the Okta breach, the Lapsus$ group, and the news from Microsoft about the impact of the breach, including TTPs.

Source: Reference

Ransomware groups have become well-oiled moneymaking machines as they keep pursuing criminal profit. Since December, however, an apparently new group called Lapsus$ has brought chaotic energy to the field, maintaining a strong social media presence on Telegram, racking up a string of high-profile victims including Samsung, Nvidia, and Ubisoft through damaging breaches, and making dramatic claims that amount to a wild escalation in an already illegitimate industry. What sets the group apart from other ransomware groups is that it focuses exclusively on data theft and extortion instead of the routine ransomware playbook. The attack is carried out through a series of phishing attacks, after which the group steals the most sensitive data it can find without deploying data-encrypting malware. [Reference]

Microsoft on Tuesday confirmed that the LAPSUS$ extortion-focused hacking crew had gained “limited access” to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach. MSTIC confirmed that “No customer code or data was involved in the observed activities.” Additionally, the breach was facilitated by means of a single compromised account that has since been remediated to prevent further malicious activity. The San Francisco-based cloud software firm also said it has identified the affected customers and is contacting them directly, stressing that the “Okta service is fully operational, and there are no corrective actions our customers need to take.” Cloudflare also added that the attacker would need to change the hardware (FIDO) token configured for the same user, not just change a user’s password.

Microsoft described LAPSUS$ as a group following a “pure extortion and destruction model without deploying ransomware payloads” and one that “doesn’t seem to cover its tracks.” Other tactics adopted by the crew include phone-based social engineering schemes such as SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, bribing employees, suppliers, or business partners of companies for access, and intruding on the ongoing crisis-response calls of their targets to initiate extortion demands. [Reference] Following initial access, the group is known to exploit unpatched vulnerabilities on internally accessible Confluence, JIRA, and GitLab servers for privilege escalation, before proceeding to exfiltrate relevant information and delete the target’s systems and resources.

In response to Okta’s statements today, the Lapsus$ group shared their side of the story, saying that they did not compromise an Okta employee’s laptop but their thin client. To mitigate such incidents, Microsoft is recommending that organizations mandate multi-factor authentication (but not SMS-based), leverage modern authentication options such as OAuth or SAML, review individual sign-ins for signs of anomalous activity, and monitor incident response communications for unauthorized attendees. Additionally, some further steps advised are as follows:

· Leverage modern authentication options for VPNs
· Strengthen and monitor your cloud security posture
· Improve awareness of social engineering attacks
· Establish operational security processes in response to DEV-0537 intrusions
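One concrete way to act on the advice to review sign-ins for anomalous activity: the article notes that a compromised support account would need to reset both a user's password and the hardware (FIDO) factor to take over that user. The following is an added example (not code from the article, Okta, or Microsoft) that runs over constructed sample events, with event type names modelled on an Okta-style system log but assumed here, and flags any user whose password reset and MFA factor change were performed by a third party within a short window.

```python
"""Flag third-party password resets followed by MFA factor changes.

Added example: a self-service reset by the user is normal, but a reset
initiated by another actor (e.g. a support account) that is quickly
followed by a factor deactivation/activation on the same user is the
pattern a support-account compromise would produce.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field order: timestamp, eventType, actor, target user.
# Event type names are assumed, loosely modelled on an Okta-style system log.
SAMPLE_EVENTS = [
    ("2022-01-20T10:00:00Z", "user.session.start", "alice@example.com", "alice@example.com"),
    ("2022-01-20T10:05:12Z", "user.account.reset_password", "support-eng@vendor.example", "bob@example.com"),
    ("2022-01-20T10:06:40Z", "user.mfa.factor.deactivate", "support-eng@vendor.example", "bob@example.com"),
    ("2022-01-20T10:07:05Z", "user.mfa.factor.activate", "bob@example.com", "bob@example.com"),
    ("2022-01-20T11:30:00Z", "user.account.reset_password", "carol@example.com", "carol@example.com"),
    ("2022-01-21T09:00:00Z", "user.mfa.factor.deactivate", "support-eng@vendor.example", "dave@example.com"),
]

RESET_EVENTS = {"user.account.reset_password"}
FACTOR_EVENTS = {"user.mfa.factor.deactivate", "user.mfa.factor.activate"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_takeover_chains(events, window=timedelta(minutes=15)):
    """Return (target, actor, [event types]) for every user whose password was
    reset by someone other than themselves and whose MFA factor was changed
    within `window` afterwards. Self-service resets are ignored."""
    by_target = defaultdict(list)
    for ts, etype, actor, target in events:
        if etype in RESET_EVENTS | FACTOR_EVENTS:
            by_target[target].append((parse_ts(ts), etype, actor))
    findings = []
    for target, evs in by_target.items():
        evs.sort()  # chronological order per user
        for i, (t0, e0, a0) in enumerate(evs):
            if e0 not in RESET_EVENTS or a0 == target:
                continue  # not a reset, or a normal self-service reset
            followups = [e for t, e, _ in evs[i + 1:] if t - t0 <= window and e in FACTOR_EVENTS]
            if followups:
                findings.append((target, a0, [e0] + followups))
    return findings


if __name__ == "__main__":
    for target, actor, chain in find_takeover_chains(SAMPLE_EVENTS):
        print(f"ALERT: {actor} reset {target} and changed MFA factor: {chain}")
```

In the sample data only bob is flagged: carol's reset is self-service, and dave's factor deactivation has no preceding third-party password reset.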

Published by The Art of Cyber-Space

I am a security professional specializing in network security. With vivid experience in different industries, I am looking to explore the current cyberspace and discuss the ideology of neuroscience and neurotechnology research from a security perspective. I love exploring various blog posts and sharing knowledge about the current threat landscape to instill more cybersecurity awareness.
