First Microsoft, then Okta: New ransomware gang posts data from both

A relatively new entrant to the ransomware scene has made two startling claims in recent days by posting images that appear to show proprietary data the group says it stole from Microsoft and Okta, a single sign-on provider with 15,000 customers.

The Lapsus$ group, which first appeared three months ago, said Monday evening on its Telegram channel that it gained privileged access to some of Okta’s proprietary data. The claim, if true, could be serious because Okta allows employees to use a single account to log in to multiple services belonging to their employer.

Gaining “Superuser” status

“BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA,” the Telegram post stated. “Our focus was ONLY on okta customers.”

Okta co-founder and CEO Todd McKinnon said on social media that the data appears to be linked to a hack that occurred two months ago. He explained:

In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.

In a post published later, Okta Chief Security Officer David Bradbury said there had been no breach of his company’s service. The January compromise attempt referenced in McKinnon’s tweet was unsuccessful. Okta nonetheless retained a forensics firm to investigate and recently received its findings.

“The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” the Okta post said. “This is consistent with the screenshots that we became aware of yesterday.”

The post continued:

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users or download customer databases. Support engineers do have access to limited data—for example, Jira tickets and lists of users—that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

Lapsus$ promptly responded to the Okta post by calling the claims “lies.”

“I’m STILL unsure how it’s [an] unsuccessful attempt?” the post stated. “Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn’t successful?”

The rebuttal added: “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.”

Lapsus$’s Monday evening post was accompanied by eight screenshots. One appeared to show someone logged into a “Superuser” dashboard belonging to Cloudflare, a content-delivery network that uses Okta services. Another image showed what appeared to be a password change for a Cloudflare employee.

Cloudflare founder and CEO Matthew Prince responded several hours later that Okta may have been compromised but, in any event, “Okta is merely an identity provider. Thankfully, we have multiple layers of security beyond Okta and would never consider them to be a standalone option.”

In a separate tweet, Prince said Cloudflare was resetting Okta credentials for employees who changed their passwords in the past four months. “We’ve confirmed no compromise,” he added. “Okta is one layer of security. Given they may have an issue, we’re evaluating alternatives for that layer.”