The digital extortion group Lapsus$ has caused a stir in the security world this week after it claimed to have gained access to an administrative account for Okta during an attack in late January 2022. Since so many companies use this platform as their go-to when managing cloud services, such attacks could have major implications for customers of theirs that rely upon it.
“First of all, who is Okta, and what do they do? Okta has been recognized by Gartner Inc. as a leader in the Magic Quadrant for Access Management for the fourth consecutive year. They are responsible for much of the identity management for companies such as Microsoft, Amazon Web Services (AWS), LinkedIn, HubSpot, Groupon to name a few. So, this hack can have serious repercussions throughout the industry”, said Anthony Buonaspina, BSEE, BSCS, CPACC, CEO and Founder of LI Tech Advisors.
Timeline of the January 2022 Okta Data Breach
“Companies like Okta, which provide MFA and authentication services for many companies and MSPs are at perilously high cybersecurity risk due to the potential rewards of a successful hack”, said Alexander Freund, Co-Founder, President, and CIO of 4it.
It seems that Okta did everything they possibly could during this incident. They quickly detected the breach, escalated it to their team, who contained and analyzed what happened for them to produce a final report on behalf of themselves as well as everyone else affected by these attacks.
“If you examine the timeline below, Okta did everything picture perfect in the handling of the incident. They quickly detected the breach, escalated it, contained it, and then worked with the third-party vendor to examine the impact and produce a final summary report. There does not appear to be anything that needs to be done on the part of their customers, but it might have been nice to get an official statement of what was done while the attacker had access to their systems”, said Freund.
Timeline of Events
- January 20, 2022, 23:18 – Okta Security received an alert that a new MFA factor was added to a Sitel employee’s Okta account from a new location.
- January 20, 2022, at 23:46 – Okta Security investigated the alert and escalated it to a security incident.
- January 21, 2022, at 00:18 – The Okta Service Desk was added to the incident to assist with containing the user’s account.
- January 21, 2022, at 00:28 – The Okta Service Desk terminated the user’s Okta sessions and suspended the account until the root cause of suspicious activity could be identified and remediated.
- January 21, 2022, at 18:00 – Okta Security shared indicators of compromise with Sitel. Sitel informed us that they retained outside support from a leading forensic firm.
- January 21, 2022 to March 10, 2022 – The forensic firm’s investigation and analysis of the incident was conducted until February 28, 2022, with its report to Sitel dated March 10, 2022.
- March 17, 2022 – Okta received a summary report about the incident from Sitel.
- March 22, 2022, at 03:30 – Screenshots shared online by LAPSUS$.
- March 22, 2022, at 05:00 – Okta Security determined that the screenshots were related to the January incident at Sitel.
- March 22, 2022, at 12:27 – Okta received the complete investigation report from Sitel.
Okta Attempts to Clarify Data Breach
Okta is a popular identity management platform, and many organizations use it as the gatekeeper to their suite of cloud services. Cyber breaches can have serious consequences, and organizations should take steps to protect themselves. If you are an Okta customer, you may have concerns about what actions, if any, you should take action to protect your data.
Okta said in a short statement early Tuesday morning that an attempt to compromise the account of one of its third-party customer support engineers had been detected, but they were able to contain it before any information was leaked. The head of security at Okta believes the screenshots posted by the digital extortionist group are connected to an incident in January, where they attempted to compromise a third-party customer support engineer’s account.
“Based on our investigation so far, there is no evidence suggesting malicious activity beyond what was detected during this period,” says Chris Hollis, who goes on to clarify why he thinks it could be related, saying: ‘We saw signs someone may have tried accessing his or her device through chat messages and links sent via email.’
The key here is that “Okta is still maintaining that nothing was breached or compromised. This can easily be a case of a hacker group attempting to make a name for themselves. Okta could be attempting to save face here, but the reality is that nothing has been confirmed by Okta. At this point, it’s a great reminder to validate a third-party’s security measures when inviting them to be a part of your company”, said Nick Martin, Director of Managed Services, of Mainstreet IT Solutions.
Martin continued, “This recent event reminds IT personnel everywhere that vendors are critical to their operations. Okta operates with thousands of partners that rely on them to provide a reliable and secure service. Every industry invites partners to work with them, enabling them to work more efficiently within their industry. For example, health organizations bring in additional cyber security experts to help analyze their environments and protect them from malicious actors. The reality is that this has opened the door for malicious actors to start acting through an entirely new method: third-party personnel.”
Securing Digital Supply Chains Continues to Be a Major Focus
This is just the latest in a string of cyber breaches. These incidents just go to show how vulnerable we all are to cyberattacks. No matter how big or small your company is, you are at risk. “Okta has been considered a gold standard in this space for a long time with not just the private sector, but also, a heavy penetration into the federal sector. This is yet another event to highlight that even a company with rigorous security practices can stumble”, said Ashu Bhoot of Orion Networks.
“The silver lining here is that it shows a level of maturity based on their response and thoroughness of their assessment of the impact. While more and more companies going for Single sign-on and MFA, it is important not to just select any vendor. These services are essentially becoming keys to your kingdom. Businesses and organizations need to make sure when you are buying locks (Single sign-on and MFA), you are buying them from a company that is fairly mature and not just something that looks cheap and shiny”, Bhoot continued.
Is The Hacking Community Targeting MFA Providers?
It’s no secret that the hacking community is always looking for new ways to target businesses and individuals. Now, it seems that they may have found a new area of focus: MFA providers.
“No matter how deep the moats or high your walls, the street seems to always find a way to breach your defenses. I’m not saying that you shouldn’t have paramount security and proactive approaches in place, but in addition to this, you need to have in place a disaster recovery plan. If you fail to plan, you are planning to fail”, said Buonaspina.
Said John Beyer, President, and CEO of Realized Solutions, “The hacking community appears to be targeting MFA providers. In the case of Okta, they claim to have gained access to OKTA’s customers, which is unconfirmed at this time. Another recent attack exploited the default settings for enrollment in DUO. In that case, the hackers found an old disabled account and were able to activate their phone for MFA.”
“We are seeing more and more targeted attacks, and these are much harder to protect against than a broad stroking series of attacks. The latest and one of the most severe attacks just occurred with Okta”, said Buonaspina. The attack on Okta is just one example of how the hacking community is finding new ways to target MFA providers. Unfortunately, we’ll likely see more attacks in this area in the future. Businesses and individuals need to be aware of these threats and take steps to protect themselves.
“How this affects our business at LI Tech Advisors, is that we need to continue our efforts to raise awareness of these types of issues, how to take steps to mitigate breaches as well as planning for after a breach occurs. When even very large companies with top-level security fall prey to cyber-attacks, it’s sometimes not a matter of “if you get hacked, but when you get hacked”, and what steps you need to take to minimize the effects of the breach and how fast your recovery plan can get you back to business.”, said Buonaspina