Okta, an Identity and Access Management provider, has disclosed a breach potentially affecting 2.5% of its customer base, and have claimed that customers who may have been impacted have been contacted directly via email. This interim update seems to have only been made public due to the fact that the attackers shared screenshots online of the systems they were able to access.
The breach occurred due to the Lapsus$ hacking group allegedly gaining access to a third-party support engineers' laptop, who was working for Sykes. Sykes provide customer support service solutions for large tech companies, and as such have privileged access to its customers’ network.
Okta have stated that the potential impact to their customers is limited, as the breach took place over a 5 day window from 16 - 21st January 2022, and the access was limited to that of a support engineer, meaning the attackers would only have the ability to remove MFA and reset passwords, not actually retrieve the passwords or know what they'd been reset to.
Lapsus$ communicates via Telegram and they argued in response to Okta's disclosure that 'resetting passwords and MFA would result in complete compromise of many clients systems'. Lapsus$ also urged Okta to publish the forensic report, as they were sure it would be very different to the report disclosed by Okta.
Lapsus$ also picked at Okta, citing their Security Breach Management Policy, asking why they had waited this long to disclose the breach. This has been echoed by many companies and figures in the cyber security sphere, but as legislation currently stands, there is no legal obligation for Okta to disclose their knowledge of the breach to the public.
The attackers also claimed that the support engineer had 'excessive access to slack', citing 8.6k channels that were accessible, and disclosing that some contained AWS keys.
There is an increasing trend in attackers targeting supply chains, and this breach once again shines a light on the efficacy of supply chain attacks. Why would an attacker waste time and energy targeting a specific company or service when they can infiltrate the supply chain and infiltrate multiple targets collaterally? Lapsus$ has been known to appeal to insiders, offering incentives in exchange for access to networks owned by, for example, large gaming companies or telecoms providers, leading to many speculating that the initial access into Okta was provided by an insider, but this is currently just speculation.
It is much easier to chop down a large tree than it is to climb the tree to pluck the fruits on high branches, and targeting supply chains is the digital equivalent of this. It doesn't matter how secure your organisation is, if there is a third party with inside access to your network, they or their account can be leveraged to have devastating consequences to your business.
Due to Okta's security policy, ensuring user account roles are assigned on least privilege principles, the damage from the attack was mitigated in that the attackers were only able to reset passwords and MFA settings, and access limited data only.
Okta have reported in the interim that the attackers would have also been unable to create or delete users or download customer databases. Had this access control policy not been enforced, this incident could have been an unmitigated disaster for the company.
To learn more about supply chain attacks and how to prevent them, make sure to read our latest blog: Cyber security trends in 2022 - Supply chain attacks are rapidly increasing.
If you have any questions about this news post, please contact Joseph Clarke.