[BreachExchange] Okta says attacker accessed engineer’s laptop for five days

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Mar 23 10:25:25 EDT 2022


https://venturebeat.com/2022/03/22/okta-says-attacker-accessed-engineers-laptop-for-five-days/

Okta chief security officer David Bradbury said in a post Tuesday that “the
Okta service has not been breached and remains fully operational.”

“There are no corrective actions that need to be taken by our customers,”
Bradbury said.

However, an attacker did access the account of a customer support engineer,
who worked for a third-party provider, for five days in January, according
to Bradbury. The third-party provider was not identified.

“There was a five-day window of time between January 16-21, 2022, where an
attacker had access to a support engineer’s laptop. This is consistent with
the screenshots that we became aware of yesterday,” Bradbury said.

Bradbury referred to screenshots posted on Telegram by hacker group
Lapsus$, showing what the group said was “access to Okta.com
Superuser/Admin and various other systems.”

The potential breach at a customer of the major identity and access
management vendor raised questions about the extent and severity of the
incident.

Security researcher Runa Sandvik said on Twitter that some may be “confused
about Okta saying the ‘service has not been breached.’”

“The statement is purely a legal word soup,” Sandvik said. “Fact is that a
third-party was breached; that breach affected Okta; failure to disclose it
affected Okta’s customers.”

VentureBeat has reached out to Okta for comment.

‘Limited’ impact
In the post Tuesday, Bradbury said that the “potential impact to Okta
customers is limited to the access that support engineers have.”

These engineers “are unable to create or delete users, or download customer
databases. Support engineers do have access to limited data – for example,
Jira tickets and lists of users – that were seen in the screenshots,” he
said. “Support engineers are also able to facilitate the resetting of
passwords and MFA factors for users, but are unable to obtain those
passwords.”

Okta is “actively continuing our investigation, including identifying and
contacting those customers that may have been impacted,” Bradbury said.
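The capabilities the post attributes to support engineers (password resets, MFA factor resets, read access to user lists) point to the check an Okta customer would want to run on their own System Log for the window Okta named. The script below is an added example, not code from Okta, VentureBeat or the mailing list. The event type names and the simplified event shape are my assumptions drawn from Okta's public System Log documentation and must be verified against a real tenant; the sample events are constructed and not taken from any real log.

```python
"""Triage helper for Okta System Log exports (added example, not Okta's code).

Flags the kinds of actions the article says support engineers can perform
(password resets, MFA factor resets, impersonation sessions) and marks those
that fall inside the January 16-21, 2022 window named in Okta's statement.
"""
from datetime import datetime, timezone

# ASSUMPTION: event type names as I recall them from Okta's System Log
# documentation. Confirm each against your own tenant before relying on it.
SENSITIVE_EVENT_TYPES = {
    "user.account.reset_password": "password reset",
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "user.mfa.factor.deactivate": "MFA factor deactivated",
    "user.session.impersonation.initiate": "impersonation session started",
}

# Window from Okta's statement: January 16-21, 2022. End is exclusive so that
# all of January 21 (UTC) is covered.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)

# Constructed sample events (not real data). The shape loosely follows the
# System Log fields eventType / published / actor / target.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start",
     "published": "2022-01-18T09:02:11.000Z",
     "actor": {"alternateId": "alice@example.test"}, "target": []},
    {"eventType": "user.account.reset_password",
     "published": "2022-01-18T14:31:05.000Z",
     "actor": {"alternateId": "support-eng@provider.test"},
     "target": [{"alternateId": "bob@example.test"}]},
    {"eventType": "user.mfa.factor.reset_all",
     "published": "2022-01-20T03:12:44.000Z",
     "actor": {"alternateId": "support-eng@provider.test"},
     "target": [{"alternateId": "carol@example.test"}]},
    {"eventType": "user.account.reset_password",
     "published": "2022-02-02T10:00:00.000Z",
     "actor": {"alternateId": "it-admin@example.test"},
     "target": [{"alternateId": "dave@example.test"}]},
]


def parse_published(ts: str) -> datetime:
    """Parse an ISO-8601 'published' timestamp; Okta emits a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(events, start=WINDOW_START, end=WINDOW_END, known_admins=frozenset()):
    """Return one finding per sensitive event.

    Each finding records who acted on whom, whether the event is inside the
    incident window, and whether the actor is outside the customer's own
    list of admins expected to perform such actions.
    """
    findings = []
    for ev in events:
        etype = ev.get("eventType")
        if etype not in SENSITIVE_EVENT_TYPES:
            continue
        when = parse_published(ev["published"])
        actor = ev.get("actor", {}).get("alternateId", "?")
        targets = [t.get("alternateId", "?") for t in ev.get("target", [])]
        findings.append({
            "when": when.isoformat(),
            "action": SENSITIVE_EVENT_TYPES[etype],
            "actor": actor,
            "targets": targets,
            "in_window": start <= when < end,
            "unexpected_actor": actor not in known_admins,
        })
    return findings


def window_activity_by_actor(findings):
    """Count in-window sensitive actions per actor, for a quick review list."""
    counts = {}
    for f in findings:
        if f["in_window"]:
            counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS, known_admins={"it-admin@example.test"})
    for f in results:
        flag = "IN-WINDOW" if f["in_window"] else "outside window"
        print(f"{f['when']} {f['action']:<28} by {f['actor']} on "
              f"{', '.join(f['targets'])} [{flag}]")
    print("in-window actors:", window_activity_by_actor(results))
```

On a real export, feed the list of event objects from the System Log API in place of SAMPLE_EVENTS and populate known_admins with the accounts that legitimately reset credentials in your tenant; anything flagged both in-window and unexpected is the set of users whose credentials and factors deserve re-verification.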

From the post:

In January 2022, Okta detected an unsuccessful attempt to compromise the
account of a customer support engineer working for a third-party provider.
As part of our regular procedures, we alerted the provider to the
situation, while simultaneously terminating the user’s active Okta sessions
and suspending the individual’s account. Following those actions, we shared
pertinent information (including suspicious IP addresses) to supplement
their investigation, which was supported by a third-party forensics firm.

Following the completion of the service provider’s investigation, we
received a report from the forensics firm this week. The report highlighted
that there was a five-day window of time between January 16-21, 2022, where
an attacker had access to a support engineer’s laptop.

Okta’s stock price was down $5.49, or about 3.2%, as of mid-afternoon ET on
Tuesday. An analyst at Truist, Joel Fishbein, reportedly called the claimed
breach “concerning” while cutting his rating on Okta.

Lapsus$ specified that it did not access Okta itself. “Our focus was ONLY
on okta customers,” the group said in its Telegram post.

Lapsus$ is believed to operate in South America. Over the past month,
vendors including Nvidia and Samsung Electronics confirmed the theft of
data by the threat actor. On March 1, for instance, Nvidia said that “we
are aware that the threat actor took employee credentials and some Nvidia
proprietary information from our systems and has begun leaking it online.”

Stolen Nvidia data reportedly included designs of graphics cards and source
code for DLSS, an AI rendering system. Meanwhile, on Monday, Lapsus$
claimed to have posted Microsoft source code for Bing, Bing Maps and
Cortana. Microsoft said it is aware of the claims and is investigating them.

Experts have said that Lapsus$’ motives remain unclear, given the lack of
financial demands in the past.