Cloud-based authentication service provider Okta is the latest tech company to experience a breach of its systems. The extortion group Lapsus$ published a message claiming to have breached the company but said it "didn't steal/access any Okta database". According to the group, the target of the attack was not Okta itself but its customers.
According to S&P Global, the incident involved improper access to Okta client lists, "portions of which were posted as screenshots on the messaging app Telegram." Lapsus$ reached the lists through a compromised employee account at Sykes Enterprises, a privately held contractor that provides customer service to Okta users.
In a blog post, Okta chief security officer David Bradbury acknowledged the incident, which occurred in January 2022. A forensics report "highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer's laptop. This is consistent with the screenshots that we became aware of yesterday."
Jonathan Knudsen, senior software strategist at Synopsys Software Integrity Group, warns that organisations must recognise that software risk is a business risk and take appropriate action.
He added that managing software risk means including security at every stage of the software supply chain, from the initial concept through to the people or systems that use an application. "Even with the best possible defences, some attacks will always be successful. Incident response and business continuity plans and execution are just as important as defensive measures," he continued.
Lotem Finkelstein, head of threat intelligence and research at Check Point Software, says it is still too early to know the extent of the damage to Okta customers.
“If you are an Okta customer, we strongly urge you to exercise extreme vigilance and cyber safety practices. The full extent of the cyber gang’s resources should reveal itself in the coming days,” he continued.
In the meantime, Malwarebytes offered a few pointers for Okta customers:
- Keep an extra pair of eyes on your access logs.
- Same for threat hunting and other logs.
- Change the privileged Okta passwords.
- Wait for more information.
- Inform your customers that you are on the case.
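The first two pointers are only useful if you know what to look for in the logs. A support engineer's access to a customer tenant shows up in the Okta System Log as an impersonated session, so the practical check is: reconstruct every such session, list what was done inside it, and give priority to anything that falls in the January 16-21, 2022 window from the forensics report. The script below is an added example written for this article, not Okta's or Malwarebytes' tooling. It assumes a newline-delimited JSON export with Okta's System Log field names (`published`, `eventType`, `actor.alternateId`, `client.ipAddress`, `outcome.result`, `target`) and that support-initiated sessions use event types prefixed `user.session.impersonation.`; confirm both against your own tenant before relying on it. The log lines are constructed sample data.

```python
"""Triage an Okta System Log export for support (impersonated) sessions.

Added example for this article; not code from Okta or Malwarebytes.
Assumptions: newline-delimited JSON in Okta's System Log shape, and
support access represented as user.session.impersonation.* events.
"""
import json
from datetime import datetime, timezone

# Window named in the forensics report quoted by Okta: January 16-21, 2022.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)  # exclusive upper bound

# Assumption: event-type prefix Okta uses for support-initiated sessions.
IMPERSONATION_PREFIX = "user.session.impersonation."

# Constructed sample export (not real tenant data). Actor/IP values are RFC 5737
# documentation addresses and made-up identities.
SAMPLE_LOG = r"""
{"published":"2022-01-10T11:00:00.000Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"support-eng@contractor.example"},"client":{"ipAddress":"198.51.100.4"},"outcome":{"result":"SUCCESS"},"target":[{"alternateId":"carol@acme.example"}]}
{"published":"2022-01-10T11:05:00.000Z","eventType":"user.session.impersonation.end","actor":{"alternateId":"support-eng@contractor.example"},"client":{"ipAddress":"198.51.100.4"},"outcome":{"result":"SUCCESS"},"target":[]}
{"published":"2022-01-17T09:12:03.000Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"support-eng@contractor.example"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"target":[{"alternateId":"alice@acme.example"}]}
{"published":"2022-01-17T09:14:10.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"support-eng@contractor.example"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"target":[{"alternateId":"alice@acme.example"}]}
{"published":"2022-01-17T09:30:00.000Z","eventType":"user.session.impersonation.end","actor":{"alternateId":"support-eng@contractor.example"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"target":[]}
{"published":"2022-01-18T08:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@acme.example"},"client":{"ipAddress":"192.0.2.9"},"outcome":{"result":"SUCCESS"},"target":[]}
{"published":"2022-01-19T12:00:00.000Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"support-eng@contractor.example"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"FAILURE"},"target":[{"alternateId":"dave@acme.example"}]}
"""


def parse_events(ndjson):
    """Parse newline-delimited System Log JSON and return events sorted by time."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Okta timestamps end in 'Z'; fromisoformat wants an explicit offset.
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def in_window(ts):
    return WINDOW_START <= ts < WINDOW_END


def find_impersonation_sessions(events):
    """Reconstruct support sessions and attribute every action taken inside them.

    A session opens on a successful *.initiate, closes on the same actor's *.end,
    and owns all of that actor's events in between. Refused initiates are
    collected separately; sessions never closed are returned with end=None.
    """
    open_sessions = {}  # actor -> session currently in progress
    sessions, refused = [], []
    for ev in events:
        actor = ev.get("actor", {}).get("alternateId", "?")
        et = ev.get("eventType", "")
        ok = ev.get("outcome", {}).get("result") == "SUCCESS"
        if et == IMPERSONATION_PREFIX + "initiate":
            if not ok:
                refused.append({"actor": actor, "at": ev["_ts"]})
                continue
            sess = {
                "actor": actor,
                "ip": ev.get("client", {}).get("ipAddress"),
                "start": ev["_ts"],
                "end": None,
                "impersonated": [t.get("alternateId") for t in ev.get("target", [])],
                "actions": [],
                "in_window": in_window(ev["_ts"]),
            }
            open_sessions[actor] = sess
            sessions.append(sess)
        elif et == IMPERSONATION_PREFIX + "end":
            sess = open_sessions.pop(actor, None)
            if sess is not None:
                sess["end"] = ev["_ts"]
        elif actor in open_sessions:
            # Anything the support actor did while impersonating is the real finding.
            open_sessions[actor]["actions"].append(et)
    return sessions, refused


def triage(ndjson):
    """Return sessions, those inside the reported window, and refused initiates."""
    sessions, refused = find_impersonation_sessions(parse_events(ndjson))
    return {
        "sessions": sessions,
        "in_window": [s for s in sessions if s["in_window"]],
        "refused_initiates": refused,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for s in report["sessions"]:
        tag = "IN-WINDOW" if s["in_window"] else "review"
        print(f"[{tag}] {s['actor']} from {s['ip']} {s['start']} -> {s['end']} "
              f"impersonated={s['impersonated']} actions={s['actions']}")
    for r in report["refused_initiates"]:
        print(f"[refused] {r['actor']} at {r['at']}")
```

Run it against a real export (Okta's System Log API or a SIEM dump) instead of `SAMPLE_LOG`; the session that matters is the one where a support actor did something to a user, here the MFA reset on alice, rather than the mere existence of a support session. Sessions outside the window still deserve a look, which is why the script lists them rather than dropping them.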
Meanwhile, a VentureBeat commentary questions how long Okta took to report the incident and the action it has taken to remediate it.