A ransomware group's claims this week that it had stolen source code from Microsoft and had — at least at one point — gained control of a superuser account at identity authentication provider Okta has stirred widespread concern within the security industry.
Some have described the incident at Okta — which the company’s CEO, Todd McKinnon, confirmed via Twitter on Tuesday — as especially worrisome given how some of the world's largest organizations use its technology for authenticating access to their systems and data. One researcher who analyzed screenshots that the ransomware group posted Monday said they indicated the attackers had used a third-party customer support engineer's system to gain access to an Okta back-end administrative panel for managing customers — among other things.
But Okta's CSO David Bradbury in an updated statement on Tuesday described the incident as relatively minor and said that Okta customers needed to take no corrective actions because of the incident. He said a service provider that Okta hired to investigate the incident found the attackers had access to a support engineer's laptop for a five-day window of time between Jan. 16 and 21, 2022. But the access would not have allowed the attackers to take actions like creating or deleting users or downloading customer databases. Support engineers can facilitate the resetting of passwords — including multifactor authentication — but they do not have access to those passwords, Bradbury said.
Of particular concern is that Okta apparently was aware of the incident in late January but did not disclose it until this week — potentially heightening data breach risks for its customers. Already, the CEO of one of its customers, Cloudflare, has hinted it is evaluating alternatives to Okta following news of the incident. Several others responding to McKinnon's tweet questioned the delayed notification and the lack of details on the incident from the company so far. "This is a pretty opaque response at a time when a lot of people are nervous and needing as much information as possible to reassure them," one Twitter user noted.
Lapsus$, a ransomware gang that seemingly surfaced out of nowhere a few months ago, on Monday posted numerous screenshots on its Telegram channel that purported to show documents it had obtained from its access to systems at Microsoft and Okta. Eight screenshots claimed to show images captured from Okta's internal systems, according to researchers who analyzed the images.
The other images showed the attackers had managed to access at least some source code related to Microsoft's Bing search engine, Bing Maps, and its Cortana virtual assistant. Some reports have suggested the attackers had stolen some 37GB of Microsoft source code, but that could not be confirmed. In response to a Dark Reading query about the reported intrusion and data theft, a Microsoft spokeswoman merely noted the company was aware of the claims and is currently investigating them.
Independent security researcher Bill Demirkapi, who has scrutinized the Okta images, said the posts indicate that the attackers breached the machine of a third-party support staff member working for Sykes Enterprises, Inc. "The individual compromised seems to work for Okta's customer support team, specifically as a Tier 2 support," Demirkapi says.
Using the access this support staff member had, Lapsus$ was able gain access to Okta chat messages in Slack, customer support tickets in Jira, and a back-end administrative tool named "superuser" for assisting customers. In messages that Lapsus$ posted on its Telegram channel, the ransomware group made it clear that it was not targeting Okta's database, but rather its customers, Demirkapi says.
"At this time, it is not clear what data was stolen from Okta customers," he notes. The "superuser" tool appears to grant the support staff member access to manage Okta customers, but the extent of the access is unknown. One of the screenshots suggest the attackers gained access to Okta customer Cloudflare's environment and had the ability to reset employee passwords, he says.
"If you are a customer of Okta and want more information, I would recommend reviewing [Okta] security logs for the past 90 days for suspicious activity and reaching out to Okta directly for more details," Demirkapi says.
Okta CEO McKinnon said the screenshots that Lapsus$ posted online appeared tied to a late January 2022 incident where attackers gained access to the account of a third-party customer support engineer working for one of Okta's subprocessors. The matter was investigated and contained, McKinnon claimed. "Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January," he said.
However, Okta customer Cloudflare's CEO, Matthew Prince, said the company is resetting Okta credentials for any employee who changed their password in the last four months out of an "abundance of caution."
"We’ve confirmed no compromise," Prince said. "Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer."
Big Questions Remain
Ronen Slavin, CTO and co-founder at Cycode, says the significance of the Okta incident hinges on whether Lapsus$ was able to access customer data. "Because Okta manages each customer's keys to the kingdom, exploiting Okta's Workforce Identity Solutions potentially enables an attacker to provision themselves administrator-level access into Okta's customers' applications," he says.
A significant secondary concern is whether the ransomware group accessed Okta's software development environment, Slavin says. "We do see in the screenshots access to Jira tickets, and Jira can contain some awfully sensitive information that could easily facilitate lateral movement," he says. The biggest issue is if Okta's Jira environment contained authentication related secrets that would have enabled Lapsus$ to do more damage. "If Lapsus$ was able to tamper with Okta's code, the potential to exploit customers increases significantly," he says.
In the past two months, Lapsus$ has posted data that it claims to have accessed from multiple other companies including Nvidia, Samsung, Ubisoft, and Vodafone. It's not clear at all if any of these incidents were facilitated by the access the threat group had to Okta's environment — or even if these organizations are customers of Okta in the first place. The threat group's tactics for gaining access to target networks has included stealing credentials and offering to pay employees for providing them with access to their organization's networks.
Given the fact that the screenshots Lapsus$ has posted date back to Jan. 21, the group has had the time to act on any information it was able to find, Slavin says. However, Okta has a strong record of transparency with security incidents going back to Heartbleed, he adds. "Okta has earned the credibility for us to believe they are being transparent based on what they currently know," Slavin says.
Meanwhile, the Microsoft-related data that Lapsus$ posted online suggest the attacker was able to gain access to Microsoft's internal Azure DevOps environment for managing source code, Demirkapi says. "Shockingly, when they bragged about this access, Lapsus$ was in the middle of exfiltrating source code from Microsoft's servers," Demirkapi says. "This was verified by comparing the timestamp of their message and the time stamp of the source code they ended up leaking."
The source code that the ransomware group release was only for Bing, Bing Maps, and Cortana. "Even then, this source code was only a partial dump likely because Microsoft cut off their access shortly after their message," Demirkapi says. "There is no evidence Lapsus$ had access to customer data."