On March 21, early social media reports began circulating that the identity and access management provider Okta had suffered a data breach by the threat actor known as Lapsus$, resulting in exposure of customer data and environments.
These early reports were compiled screenshots of supposed customers, which might not appear credible under normal circumstances. However, because these claims were made by Lapsus$, which had already attacked multiple organizations, including Samsung, Impresa, Mercado Libre, Ubisoft, Nvidia, and Microsoft, pressure mounted on Okta to investigate.
On March 22, responding to the claims that it had been breached, Okta’s CEO Todd McKinnon clearly stated that the claims were false and the screenshots were related to an earlier security event that had been contained without impact.
Okta later released official statements that denied the service had been breached.
In the afternoon of March 22, Forbes reporter Thomas Brewster mentioned that an Okta sub-processor who had access to Okta’s environment had confirmed part of the breach. His later reports indicated that the dwell time the attacker had was nearly a week.
Late in the evening of March 22, Okta finally confirmed the data breach. Many customers were impacted by a compromised Sitel laptop with access to an internal “SuperUser” support application that granted access to customer environments.
“…We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel…” — Okta.com
However, corporate communication from Okta was not aligned, and Okta customers were still being notified that there was no impact.
What is the Impact?
Given the pressure an organization experiences when undergoing an incident investigation, the need to give assurances is common. But in such cases, false assurances can damage user trust.
Okta is a leading identity provider for over 15,000 customers and a leader in identity and access management services. It also provides services to the Department of Defense and many other federal, state, and local agencies.
There is a tradeoff in trust when considering impact in zero-trust models and identity and access management systems. That tradeoff is trusting the identity and access management more than the end-users. This creates an attack surface monoculture — a classic scenario of “all your eggs in one basket.”
As Steve Weber, an opinion contributor for TheHill.com wrote:
“Would you rather go after a very large and uniform target, with a monoculture where everyone is working on the same platform and doing the same thing? Or a somewhat more irregular and diverse landscape where not everything looks the same, and you have to understand local variations in the attack surface, which are likely also to be changing in different directions and at different rates? It’s not only good actors who like and benefit from scale. It’s bad actors, too, and in an offense-dominant environment, certain kinds of scale are better for bad actors than good ones.”
As of this writing (March 23), the impact is still unknown. However, because the Okta breach could potentially compromise your systems and customer data, Modus Create recommends a vigilant approach.
What Action Should You Take?
If you are an Okta customer, take the following precautionary measures:
1. Change passwords on all admin accounts
Changing passwords on admin accounts will reduce your risk of exposure.
2. Pay attention to Okta notification emails
This is an evolving incident, and Okta will provide further guidance.
3. Review your logs for the following actions
- New admin account creations
- New access patterns, such as users attempting to access applications they’ve never tried before
- Access from uncommon geolocations. For example, if your staff is based in the US, scrutinize access from other geographic locations.
- New MFA token attachments to accounts
4. Cover the basics
- Install an AV/EDR solution on all centrally managed endpoints.
- Ensure endpoint hard disks are encrypted.
- Be hyper-aware of phishing attempts. Ensure employees know how to report phishing so you can respond to it.
- Ensure employee network access is secure and protected using VPNs.
- Train employees on how to report lost or stolen devices.
- Mandate all accounts have MFA enabled. If possible, use a software-based authentication tool such as Google Authenticator rather than SMS. This specific threat actor is known to use a technique known as “SIM Jacking,” which bypasses SMS-based two-factor authentication mechanisms.
- Patch the endpoints and install the latest updates.
- Ensure employees know how to report anything suspicious, and foster a sense of community so that employees know that their reports are welcome. Attackers are using new tactics to try and gain access, and your employees can alert you to attempts to scam, extort, or bribe access to your environment.
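The log review in step 3 above, as an added example that is not part of the original post: a small script that walks Okta System Log events (newline-delimited JSON) and flags the four patterns listed there. The event type names and field paths follow Okta's System Log schema as this example assumes it; the sample events, the home-country set, and the baseline of apps each user has used before are all constructed for the example.

```python
import json

# Countries where staff normally work (assumption for this example).
HOME_COUNTRIES = {"United States"}

# Constructed sample events in Okta System Log shape; not real log data.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"},
     "client": {"geographicalContext": {"country": "United States"}}, "target": []},
    {"eventType": "user.account.privilege.grant", "actor": {"alternateId": "alice@example.com"},
     "client": {"geographicalContext": {"country": "United States"}},
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    {"eventType": "user.mfa.factor.activate", "actor": {"alternateId": "bob@example.com"},
     "client": {"geographicalContext": {"country": "Brazil"}}, "target": []},
    {"eventType": "user.authentication.sso", "actor": {"alternateId": "bob@example.com"},
     "client": {"geographicalContext": {"country": "Brazil"}},
     "target": [{"type": "AppInstance", "displayName": "AWS Console"}]},
])

def review_events(ndjson_text, baseline_app_access):
    """Return (rule, actor, detail) findings for the four log checks in the post.

    baseline_app_access: {user: set(app names)} seen before the review window,
    so an app a user has never used before is flagged as a new access pattern.
    """
    findings = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        actor = ev.get("actor", {}).get("alternateId", "?")
        etype = ev.get("eventType", "")
        country = ev.get("client", {}).get("geographicalContext", {}).get("country")
        targets = ev.get("target") or []
        if etype == "user.account.privilege.grant":          # new admin granted
            who = ", ".join(t.get("alternateId", "?") for t in targets)
            findings.append(("admin_grant", actor, f"granted admin to {who}"))
        if etype == "user.mfa.factor.activate":              # new MFA token attached
            findings.append(("mfa_enrolled", actor, "new MFA factor activated"))
        if country and country not in HOME_COUNTRIES:         # uncommon geolocation
            findings.append(("uncommon_geo", actor, f"{etype} from {country}"))
        if etype == "user.authentication.sso":               # app never used before
            for t in targets:
                app = t.get("displayName", "?")
                if app not in baseline_app_access.get(actor, set()):
                    findings.append(("new_app_access", actor, f"first access to {app}"))
    return findings

if __name__ == "__main__":
    for finding in review_events(SAMPLE_LOG, {"bob@example.com": {"Slack"}}):
        print(*finding)
```

Against real exports, feed the script your System Log NDJSON and build the baseline from a window that predates the incident, so that the admin grant, MFA enrolment, and first-time app access stand out rather than blending into normal traffic.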