WithSecure Okta Threat Update

WithSecure is aware that a threat actor has claimed to have compromised the identity provider Okta. The threat actor, known as the LAPSUS$, claimed on their Telegram channel to have accessed Okta and provided screenshots showing access to what appear to be internal systems of Okta. The screenshots all appear to show the date of the 21st of January 2022. WithSecure cannot independently verify these screenshots, but the CEO of Okta posted tweets[1] appearing to confirm that a support engineer at a sub-processor had been compromised around that time. The threat actor[2] and Okta seem to confirm in their posts that this access is no longer present.

The LAPSUS$ threat actor has claimed that they have not dumped any databases from Okta and have instead their focus was on Okta's customers, which contains a number of high profile organizations globally. There is a screenshot included in their dump that appears to show the actor with access to an account that would allow them to reset its password, generate a temporary password, reset Multi-Factor Access (MFA), and alter groups of the account.

The LAPSUS$ threat actor appears to operate a financially motivated data extortion model, where they will steal data from organizations and demand payment not to release this data publicly. They have reportedly been involved in a number of high profile breaches that has included Microsoft, NVIDIA, Samsung, and Ubisoft[3] (WithSecure cannot independently confirm these).

Okta is commonly used by organizations to manage access to their cloud and SaaS applications. If true, the compromise of Okta poses a risk to organizations who use Okta or organizations whose suppliers use Okta. As the threat actor has posted screenshots of this access and has shown the ability to gain access to other high-profile organizations, whether related or not to this compromise, it is a credible risk that WithSecure recommends organizations should take proportionate steps to mitigate. WithSecure assess that it is likely that the main risk from the LAPSUS$ threat actor is the theft of data for extortion.

• If not already done, determine and document your exposure to Okta directly and through your suppliers/third-parties
• Determine from the exposure what critical data may be exposed, and focus mitigation and response actions around those systems
• Cycle any secrets or credentials related to the administration of Okta by your organization
• Preserve Okta logs since the start of the year to ensure no logs are lost due to limits or purging
• Review Okta logs related to the administration of Okta accounts and access for any signs of compromise or misuse since the start of the year[4]

• Review MFA related access for any Okta accounts to confirm if access has been added or tampered with since the start of the year
• Review all authentication logs related to Okta for any anomalous or malicious use since the start of the year
• Review logs that may show old accounts being re-enabled and passwords being reset
• Implement detection logic for malicious activity related to Okta. Some existing detection logic is in open source that can be used as a guide for this activity [5][6]
• Whilst no impact has been confirmed, it may be prudent to cycle all credentials related to Okta for your organization if the resulting impact of such activity is assessed to be low comparatively to the impact of the abuse of these credentials. In most instances this is unlikely to be actually warranted, but may be beyond the risk appetite of your organization to not do so.

[1] - https://twitter.com/toddmckinnon/status/1506184721922859010

[2] - https://twitter.com/_MG_/status/1506109152665382920/photo/1

[3] - https://www.wired.com/story/lapsus-hacking-group-extortion-nvidia-samsung/

[4] - https://help.okta.com/en/prod/Content/Topics/Reports/Reports_SysLog.htm  

[5] - https://github.com/elastic/detection-rules/tree/main/rules/integrations/okta  

[6] - https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta