Authentication service OKTA hacked by Lapsus$?

Sicherheit (Pexels, allgemeine Nutzung)[German]Extremely unpleasant story if the whole thing turns out to be true. According to a report, the provider OKTA is investigating a possible hack. Okta is a provider of authentication services in the cloud, so a successful hack could have far-reaching consequences. According to reports, the Lapsus$ gang is claiming the hack.


Advertising

It's the Lapsus$ cyber group again, claiming a successful hack on authentication service OKTA. I became aware of the facts of the matter, which the Reuters news agency is addressing here, via the following tweet.

OKTA hacked by Lapsus$

On Monday, screenshots suggesting a hack of Okta appeared in the Telegram channel of the Lapsus$ cybergang. Bill Demirkapi published some of these screenshots on Twitter in the following tweet.

OKTA hacked by Lapsus$

According to Demirkapi, what can be seen in the screenshots is very disturbing. In the images here, Lapsus$ appears to have had access to the
Cloudflare tenant. This also goes hand in hand with the ability to reset staff passwords. A date in a screenshot indicates that Lapsus$ had access to a VM from Okta as far back as 21 January 2022. The cloud authentication provider either didn't notice the incident for two months or kept it secret for that long.   


Advertising

Lapsus$ appears to have gained access to some corporate VPNs. Demirkapi concludes that from a Cisco AnyConnect icon and a GlobalProtect window in a screenshot. Other screenshots show access to the "superuser", which may be Okta's administrative access panel. Another access includes the Jira and Slack products used by Okta.

A hack at Okta could have serious consequences, writes Reuters. That's because thousands of other companies rely on the San Francisco-based company to manage access to their own networks and applications. Chris Hollis, an Okta employee, states that the incident could be related to an earlier incident in January 2022 that was noticed and reportedly contained. According to Hollis, Okta detected an attempt to compromise the account of a third customer support technician at that time. To this, Hollis says:

We believe the screenshots that were shared online are related to this event in January. Based on our investigation to date, there is no evidence of further malicious activity beyond what was discovered in January.

Security experts believe the screenshots posted on Telegram are authentic. Dan Tentler, founder of cybersecurity consultancy Phobos Group, told Reuters he too believed the security breach was genuine and urged Okta customers to "be very vigilant now". Colleagues at Bleeping Computer have posted some information and statements Security experts believe the screenshots posted on Telegram are authentic. Dan Tentler, founder of cybersecurity consultancy Phobos Group, told Reuters he too believed the security breach was genuine and urged Okta customers to "be very vigilant now". Colleagues at Bleeping Computer have posted some information and statements here and the folks at CSO-Online have also posted here.

According to Demirkapi, the Lapsus$ cybergang had corrected their Telegram messages to clarify that they had not penetrated Okta's databases, but had targeted Okta customers. Is now not reassuring news for Okta customers either. Demirkapi's tweets are quite interesting, discussing many details.

Similar articles:
Ubisoft hacked by Lapsus$ cyber gang (March 2022)
Cyber attacks on Nvidia and McDonalds (Feb. 25, 2022)
Samsung bestätigt Hack, Quellcodes durch Lapsus$ geleakt
Lapsus$ allegedly publishes source code of Microsoft Azure, Bing and Cortana


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Cloud, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *