‘This Is Really, Really Bad’: Lapsus$ Gang Claims Okta Hack

Credit to Author: Lily Hay Newman| Date: Tue, 22 Mar 2022 15:27:50 +0000

To revist this article, visit My Profile, then View saved stories.

To revist this article, visit My Profile, then View saved stories.

On Monday evening, the Lapsus$ digital extortion gang published a series of increasingly shocking posts in its Telegram channel. First, the group dumped what it claims is extensive source code from Microsoft's Bing search engine, Bing Maps, and Cortana virtual assistant software. A potential breach of an organization as big and security-conscious as Microsoft would be significant in itself, but the group followed the post with something even more alarming: screenshots apparently taken on January 21 that seem to show Lapsus$ in control of an Okta administrative or “super user” account. 

Okta is a near-ubiquitous identity management platform used by thousands of large organizations that want to make it easy—and, crucially, secure—for their employees or partners to log in to multiple services without juggling a dozen passwords. Past breaches, like 2020's notorious Twitter meltdown, have stemmed from attackers taking over access to an administrative or support account that has the ability to modify customers' accounts. Attackers use these system privileges to reset target account passwords, change the email address linked to victim accounts, and generally take control. When they're attacking Twitter accounts, hackers can lock legitimate users out and tweet from their profiles. When you have this type of access for an identity platform like Okta, though, the potential impacts are exponentially more extreme.

Lapsus$ has been on a tear since it emerged in December, stealing source code and other valuable data from increasingly prominent companies, including Nvidia, Samsung, and Ubisoft, and leaking it in apparent extortion attempts. But researchers had only found broadly that the attackers seemed to be using phishing to compromise their victims. It wasn't clear how a previously unknown and seemingly amateur group had pulled off such monumental data heists. Now it seems possible that some of those high-profile breaches stemmed from the group's Okta compromise.

“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” Okta CEO Todd McKinnon said in a statement. “We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Okta did not answer further questions from WIRED, including repeated queries about why the company didn't publicly disclose the incident before.

A Microsoft spokesperson said early Tuesday morning that the company is “aware of the claims and investigating.”

Without more information, it is unclear exactly how much access Lapsus$ had within Okta or its unnamed “subprocessor.” Dan Tentler, a founder of the attack simulation and remediation firm Phobos Group, says the screenshots suggest Lapsus$ compromised the access of an Okta site reliability engineer, a role that would potentially have extensive system privileges as part of infrastructure maintenance and improvement work.

“All I have to go on are these screenshots, but there is a nonzero possibility of this being a SolarWinds 2.0,” Tentler says, referencing last year's massive supply chain attack launched by Russian intelligence hackers that compromised a slew of high-profile companies and government agencies around the world by first infiltrating the IT management platform SolarWinds. “It is indeed quite a big deal.”

Independent security researcher Bill Demirkapi puts it even more bluntly: “This is really, really bad.” 

Okta is presumably aware of the grave danger to its business and customers if an attacker ever compromised a highly privileged administrative account. (The company stock price fell by around 6 percent on Tuesday morning following news of the claimed breach.) Okta did not return WIRED's requests for comment about its defenses and monitoring tools for such access. But Demirkapi points out that no matter how many layers of protection you add, the mere existence of “super user” accounts creates exposure. An attacker who has strategically taken over a device when such an account is already logged in, or who has compromised, say, a VPN connection to that device can impersonate the legitimate user of the admin account.

“The idea is that the access controls to get to that Administrative panel would be very restrictive” for a service like Okta, Demirkapi says. “The problem here is that it appears like Lapsus$ directly compromised an employee's machine, so even with those access controls they can just piggyback on the employees' access.”

On Tuesday, companies implicated even incidentally in the situation began distancing themselves from Okta. The internet infrastructure company Cloudflare, for example, investigated overnight and said it had confirmed it was not compromised as a result of the incident. “Thankfully, we have multiple layers of security beyond Okta and would never consider them to be a standalone option,” Cloudflare CEO Matthew Prince wrote on Twitter. He later added, “Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.”

Questions remain about Lapsus$ itself and the group's motivations. Researchers have consistently found that it is a loose, even disorganized collective that is likely based in South America and still getting its bearings. But the scale and scope of the organizations Lapsus$ has been able to compromise so far raise a chilling range of possibilities. Either the group is a more sophisticated organization than incident responders have realized or admitted, or the security of some of the world's most critical companies is even more fragile and inadequate than previously thought. 

The Twitter hackers turned out to be a 17-year-old Minecraft scammer and other vanity handle brokers. The Lapsus$ gang really could be out to burn it all down for the lulz.

https://www.wired.com/category/security/feed/