Authentication outfit Okta investigating Lapsus$ breach report

Cloudflare takes no chances, hits the identity reset button


Updated The Lapsus$ extortion crew has turned its attention to identity platform Okta and published screenshots purportedly showing the group gaining access to the company's internals.

The incident follows the group's claim over the weekend that it had made off with chunks of Microsoft's code. However, a compromise at Okta could be altogether more serious since the company's services are used by many others to manage network and application access as well as user identities.

At first glance, it appears that the group gained access to a "superuser" account as well as other internal tools. Okta has yet to confirm this is the case.

Also concerning is the fact that the screenshots appear to come from January 2022, which could mean there has been access for a while. It could also be that some sort of compromise occurred briefly, and the hackers have chosen now to show off their prowess. Okta CEO Todd McKinnon reckoned it was the latter. We're told any intrusion would have been temporary, and limited to a sub-contractor.

Either way, if a breach occurred, the implications are grave. Oliver Pinson-Roxburgh, CEO of security outfit Bulletproof, warned: "As the gatekeeper to the networks and data of thousands of organizations, a breach at Okta would have significant consequences."

"Even before the veracity of such an incident is confirmed," he went on, "it is imperative for businesses to take proactive steps now – any delay risks the potential attack spreading."

Oz Alashe, CEO of CybSafe and chair of the UK government's DCMS Industry Expert Advisory Group on Cyber Resilience, said: "The potential attack on Okta is a striking reminder of the supply chain's cyber risks. Cybercriminals will often identify the route of least resistance. An authentication tool such as Okta provides the opportunity to breach hundreds of large enterprises in one sweep."

However, Alashe cautioned: "While Okta's investigation is ongoing, it's important the security community doesn't jump to conclusions and harass its security team at this challenging time."

That said, some companies were taking no chances. Cloudflare, which uses Okta as an identity provider, announced it would be resetting the Okta credentials of employees. Just in case.

The Register contacted Okta for comment, but the company only repeated the tweeted comments of McKinnon.

While the investigation continues, let's take a moment to review Okta's recent emissions from its social media orifice. We fervently hope that this one won't end up in the "aged badly" bucket. ®

Updated to add on March 23 at 0225 UTC

Rather than it being totally nothing to worry about, Okta now says, after investigating Lapsus$'s claims of an intrusion, "we have concluded that a small percentage of customers – approximately 2.5 percent – have potentially been impacted and whose data may have been viewed or acted upon."

We've covered the new announcement, and news that Microsoft has admitted Lapsus$ accessed its source code, in a new story you can find here.

