While it’s a relief to know the impact is limited, organizations need to be aware of the potential threat of the Lapsus$ cyber gang.

Authentication services company Okta said on Tuesday that it was investigating a report of a digital breach after hackers posted screenshots of what they claimed were its internal company environment.

The screenshots were posted by a group of ransom-seeking hackers known as Lapsus$ on their Telegram channel late on Monday.

While there were initial fears that the hack at Okta could have potential major consequences because thousands of other companies rely on the identity and access management (IAM) solution provider to manage access to their own networks and applications, the latest update from David Bradbury, Chief Security Officer, Okta, was that the Okta service has not been breached and that no corrective actions need to be taken by Okta customers. 

In his blog statement, Bradbury explained: “In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account.”

Following those actions, Okta then shared pertinent information – including suspicious IP addresses – to supplement the investigation by a third-party forensics firm.

“Following the completion of the service provider’s investigation, we received a report from the forensics firm this week,” said Bradbury.

The report highlighted that there was a five-day window between 16 and 21 January 2022, when an attacker had access to a support engineer’s laptop. Bradbury said: “This is consistent with the screenshots that we became aware of yesterday.”

Limited impact

Based on this latest statement, the potential impact to Okta customers should be limited only to the levels of access that support engineers have.

“These engineers are unable to create or delete users, or download customer databases,” Bradbury explained. “Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”

While Okta and its partners are actively continuing the investigation, including identifying and contacting customers that may have been impacted, the company says there is no impact to Auth0, HIPAA and FedRAMP customers.

Potential impact

Lotem Finkelsteen, Head of Threat Intelligence and Research at Check Point Software, describes Lapsus$ as a South American cyber gang threat actor that has recently been linked to cyber-attacks on some high-profile targets, known for extortion by threatening the release of sensitive information if its demands are not met.

“The group has boasted breaking into Nvidia, Samsung, Ubisoft and others,” he said. “Thousands of companies use Okta to secure and manage their identities. This means in practice that Okta manages vast amounts of users globally. Compromises of this magnitude can have a severe impact globally and create a chain reaction in enterprises in which the identities of their employees and contractors are potentially compromised.” 

Finkelsteen advised: “If you are an Okta customer, we strongly urge you to exercise extreme vigilance and cyber safety practices. The full extent of the cyber gang’s resources should reveal itself in the coming days…. The breach at Okta may explain how Lapsus$ has been able to achieve its recent string of successes.”

Jonathan Knudsen, Senior Software Strategist, Synopsys Software Integrity Group, commented: “Lapsus$ has been busy lately, but its activities should not be surprising. The software attack surface for most organizations is large and porous, yielding an asymmetry of bountiful rewards for relatively low effort.”

“Based on the scope and frequency of attacks, Lapus$ appears to be a well-resourced organization, likely backed by organized crime or a nation-state,” he added.

Knudsen emphasized that organizations of all types must recognize that software risk is business risk and take appropriate action. “Software is the critical infrastructure for the modern world. Software is at the heart of nearly everything — businesses, healthcare, power, water treatment, manufacturing, transportation, etc. Consequently, the abuse of software can help criminals gain wealth, or help nation-states gain geopolitical advantage.” 

“While software has brought transformative power to all industries, risk must be managed properly,” he said. “Enterprises should take note of recent skullduggery and adjust their priorities and processes to drive software supply chain risk to tolerable levels.”

Managing software risk means including security at every stage of the software supply chain, everything from a concept through to the people or systems that use an application, said Knudsen. “Furthermore, even with the best possible defenses, some attacks will always be successful. Incident response and business continuity plans and execution are just as important as defensive measures.”