Okta says there is “no evidence” of malicious activity resulting from an alleged cybersecurity breach by hacking gang Lapsus$, despite claims from the group today that the single sign-on provider has become its latest victim. However, Lapsus$ says it has enough information to target Okta’s customers, sparking fears that damaging supply chain attacks could follow.
According to multiple reports, Lapsus$ posted screenshots to its Telegram channel purporting to show it gaining access to superuser and admin accounts for Okta’s systems. “For a service that powers authentication systems to many of the largest corporations, I think these security measures are pretty poor,” the message reads.
This morning, Okta CEO Todd McKinnon indicated that the screenshots relate to a previously undisclosed breach from January. “Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors,” he wrote on Twitter. “The matter was investigated and contained by the subprocessor.”
In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2)
— Todd McKinnon (@toddmckinnon) March 22, 2022
“We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
However, another apparent message from Lapsus$’s Telegram channel, shared on Twitter by a security professional from Zoom, appears to reveal the group’s intention to use data from the previous Okta breach to target the company’s customers.
The LAPSUS$ ransomware group has claimed to breach Okta sharing the following images from internal systems. pic.twitter.com/eTtpgRzer7
— Bill Demirkapi (@BillDemirkapi) March 22, 2022
Why is Lapsus$ targeting Okta?
Okta’s cloud-based software helps businesses build secure authentication and identity control systems for apps and connected devices. The company reported revenue of $1.3bn last year, and has grown its user base rapidly in recent years, helped by the $6.5bn acquisition of another identity specialist, Auth0, last year. According to its financial results for Q1 2022, it works with 10,650 customer businesses worldwide.
Lapsus$ has become one of the most talked-about hacking groups of 2022 after a string of attacks on high-profile targets. Last month it claimed to have breached Nvidia, Samsung and Vodafone, before launching an attack on games publisher Ubisoft. Yesterday, Tech Monitor reported that Microsoft had become the group's latest victim after screenshots of code purporting to be from the company's Azure cloud platform were posted online. Microsoft is investigating the incident.
The group's motives for its current hacking spree, beyond data extortion, are unclear, as there have been no public ransom demands directed at any of the victims.
Could the breach at Okta by Lapsus$ spark a supply chain attack?
If Lapsus$ has gained access to Okta customer data, the businesses involved could become targets for a supply chain breach. This type of cyberattack sees hackers gain entry to one company's systems, then exploit this vulnerability to gather information on businesses they work with and launch secondary attacks on these targets.
“The potential attack on Okta is a striking reminder of the supply chain's cyber risks," says Oz Alashe, CEO of security training company CybSafe and chair of the UK government’s Industry Expert Advisory Group on cyber resilience. "An authentication tool such as Okta provides the opportunity to breach hundreds of large enterprises in one sweep."
Perhaps the most famous supply chain attack also involved a secure identity specialist, when security vendor RSA saw its SecurID product compromised in 2011, a breach that impacted thousands of big businesses and US government departments.
The attacks have become increasingly common over the past two years, with the most damaging being the SolarWinds breach in late 2020, which hit hundreds of large organisations across the public and private sectors, while more recently the Log4J vulnerability, a weakness in widely used open-source logging code from the Apache Foundation, became an attack vector through which to launch supply chain attacks on companies using the tool. Earlier this week, marketing platform Hubspot revealed its systems had been compromised, leading to supply chain attacks on a number of its customers in the cryptocurrency space.
Overall, supply chain attacks account for 40% of all cybersecurity threats, according to the latest cybersecurity industry report from security vendor Bulletproof. Specifically, supply chain attacks on open-source software like Log4J have become particularly prevalent, seeing a 650% increase in 2021.
Though there is no suggestion Okta's systems were breached through an open-source vulnerability, the company did launch its first open-source product, a design system that helps clients build customised user interfaces, last year.
Should Okta users take precautions against a supply chain attack?
Okta customers worried about the potential for a supply chain attack should put an action plan in place, starting by identifying critical applications managed by Okta, said Matthieu Garin, a partner at IT consultancy Wavestone who specialises in cybersecurity.
Writing on LinkedIn, Garin said businesses should consider resetting passwords and multi-factor authentication (MFA) credentials of employees, particularly those that have changed since January, when the initial problem occurred, but adds that it would be prudent to wait for further information before undertaking any general resetting of credentials for staff or customers.