
Summary

The recent breach of Okta, the industry-standard, cloud-based single sign-on (SSO) authentication service provider, is important because:

  1. Because the SSO software is so broadly used by Fortune 1000 companies and their third-party vendors, the breach creates a potentially vast attack surface for companies large and small;
  2. Okta's company response is a case study in how not to manage a serious breach;
  3. The alleged attribution to the Lapsus$ ransomware gang ties the breach, as the potential point of access, to a long list of recent high-profile hacks of major international companies, including Nvidia, Electronic Arts, and Microsoft; and
  4. Previously underestimated by both the hacker and research communities because some of their techniques are so unsophisticated, the Lapsus$ modus operandi (and the success rate and scale of their attacks) is now shedding light on a variety of previously discounted vulnerabilities and potential attack surfaces.

The San Francisco-based Okta, Inc. is self-described on its website as the “identity provider for the internet” with more than 15,000 customers on its platform and more than 100 million registered users. (1)

The recommendation is that organizations review their operational relationship (and that of their vendors) to the Okta ecosystem of SSO platforms and products. Again, these hacking techniques are not highly technical but, when successful, are of major consequence. Overall, the Okta breach and the Lapsus$ ransomware hacks further reinforce the importance of multi-factor authentication over the ease of use of SSO. OODA is here to help. OODA members can contact us by replying to any of our emails or using this form.

Following is a timeline of the Okta breach and the recent Lapsus$ ransomware hacking rampage, concluding with technical guidance and recommendations gleaned from a handful of technical investigations underway at Okta, Cloudflare, Microsoft, Nvidia, and others.

Timeline and Attribution:  The Okta Breach

Overall, the timeline of this cyber incident was only revealed by Okta over the course of this week, and the company has been met with broad criticism for how it communicated the severity and timeline of the breach to its customers. The timeline:

Monday, January 21, 2022:  The first of many tweets (below) began appearing on March 21st of this week, containing the screenshots provided by the Lapsus$ ransomware gang that revealed the Okta breach. Timestamps on the screenshots show that the breach began as early as January 21st of this year.

Screenshots (below):  The Okta internal screenshots provided by the Lapsus$ ransomware gang to validate their access to the Okta platform

January 22:  According to a tweet from Okta CEO Todd McKinnon, only released on Tuesday, 3/22 of this week:

March 22nd-23rd:  According to Reuters, "Chief Security Officer David Bradbury said in a March 23rd blog post that a customer support engineer working for a third-party contractor had his computer accessed by the hackers for a five-day period in mid-January and that 'the potential impact to Okta customers is limited to the access that support engineers have.' In the blog post, Bradbury went on to say: 'Over the past 24 hours, we have analyzed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period. We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel (a third-party sub-processor to Okta).'" (2a)

Bradbury provided the first updated Okta statement on LAPSUS$ on March 22. The Okta breach is a cautionary tale regarding crisis management and communications strategy. As Bradbury points out in his initial announcement of the breach (over two months after the initial internal incident report): "I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications."

March 24th:  According to the BBC, "A 16-year-old from Oxford has been accused of being one of the leaders of the cyber-crime gang Lapsus$. The teenager, who is alleged to have amassed a $14m (£10.6m) fortune from hacking, has been named by rival hackers and researchers. The City of London Police says they have arrested seven teenagers in relation to the gang but will not say if he is one. The boy's father told the BBC his family was concerned and was trying to keep him away from his computers."

"Under his online moniker 'White' or 'Breachbase' the teenager, who has autism, is said to be behind the prolific Lapsus$ hacker crew, which is believed to be based in South America. Lapsus$ is relatively new but has become one of the most talked-about and feared hacker cyber-crime gangs, after successfully breaching major firms like Microsoft and then bragging about it online. The teenager, who can't be named for legal reasons, attends a special education school in Oxford. The City of London Police said: 'Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing.'" (2b)

Timeline and Attribution:  Lapsus$ Ransomware Incidents

Currently, law enforcement, tech companies, and security researchers are assuming that the Okta breach provided easy access for a series of major hacks of major companies by the Lapsus$ ransomware gang over the last year. According to MSSP Alert, a resource provided by the CyberRisk Alliance, the hacked companies include:

  • Nvidia: A cyberattack targeting Nvidia allegedly involved the Lapsus$ ransomware gang. Attackers have since leaked some Nvidia company information online, but the cyberattack did not impact the company’s operations and there’s no evidence that ransomware was deployed on Nvidia’s network, the chipmaker has stated. Source: MSSP Alert, March 1, 2022.
  • Samsung: The mobile device giant confirmed a rumored data breach in which hackers stole some Galaxy device source code. Still, Samsung stopped short of blaming the alleged culprit, Lapsus$, for the breach. Source: MSSP Alert, March 7, 2022.
  • Microsoft Azure: Lapsus$ claims to have leaked the source code for Bing, Cortana, and other projects stolen from Microsoft's internal Azure DevOps server. Microsoft later confirmed a hack by Lapsus$. Sources: BleepingComputer and Microsoft, March 22, 2022. (3)

As one cybersecurity expert who has grappled with a recent LAPSUS$ hack said: "[Lapsus$] forces us to shift thinking about insider access. Nation-states want longer, strategic access; ransomware groups want lateral movement. LAPSUS$ asks: What can this account get me in the next 6 hours? We haven't optimized to defend that."

Technical Guidance and Recommendations

OODA Network members frequently convene in the Wickr Room, which is a feature of OODA Loop membership. Many OODA Network members are cybersecurity subject matter experts.

Some anonymous advice from a recent OODA Loop Wickr room chat regarding the Okta breach:

  • If someone has the private keys to Okta, that is pretty serious. A cybersecurity expert fleshed out this vulnerability in an interview with Dark Reading: "Ronen Slavin, CTO and co-founder at Cycode, says the significance of the Okta incident hinges on whether Lapsus$ was able to access customer data, 'Because Okta manages each customer's keys to the kingdom, exploiting Okta's Workforce Identity Solutions potentially enables an attacker to provision themselves administrator-level access into Okta's customers' applications.'" (4)
  • My suggestion on Okta is to change what you can (i.e., keys, passwords, etc.) and increase monitoring, especially for Okta-vector attacks.
  • Watch out if you no longer use Okta or if there are demo or test accounts: these need to be handled in case of shared, weak credentials, a common problem for dropped conversion projects.

Because Cloudflare's Okta account was prominently featured in one of the screenshots dropped by the Lapsus$ gang, Cloudflare was one of the first companies to perform a thorough investigation. Cloudflare provides the following information in its Tuesday, March 22nd blog post:

  • Investigation and actions
  • Timeline (times in UTC)
  • How Cloudflare uses Okta

Cloudflare is a cybersecurity company with roughly 3,000 employees, so its scale and subject matter expertise make it the ideal case study on which companies, large and small, can base their own internal investigation, if needed, into the impact of the Okta breach.

The final section in Cloudflare's investigation post is entitled "What to do if you are an Okta customer," and we could not agree more with the following mitigation efforts:

  1. Enable multi-factor authentication (MFA) for all user accounts. Passwords alone do not offer the necessary level of protection against attacks. We strongly recommend the usage of hard keys, as other methods of MFA can be vulnerable to phishing attacks.
  2. Investigate and respond:
    a. Check all password and MFA changes for your Okta instances.
    b. Pay special attention to support initiated events.
    c. Make sure all password resets are valid or just assume they are all under suspicion and force a new password reset.
    d. If you find any suspicious MFA-related events, make sure only valid MFA keys are present in the user’s account configuration.
  3. Make sure you have other security layers to provide extra security in case one of them fails.
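Steps 2a through 2d above are a log-review procedure, and the Wickr advice earlier to "increase monitoring" points the same way. The following is an added example of how a defender might carry that procedure out against an Okta System Log export; it is not Cloudflare's or Okta's code. It assumes the System Log JSON shape (eventType, published, actor, target, outcome), assumes the event type names used in the constants are the ones Okta emits for support impersonation sessions and credential changes, and treats the mid-January window dates and all sample events as constructed placeholders. The correlation rule is the point: a password or MFA change that lands inside an open Okta support impersonation session for the same user is the "support initiated event" step 2b asks about, while every other credential change in the window is treated as suspect until validated (step 2c).

```python
"""Triage an Okta System Log export for the Okta support-access window.

Added example, not Cloudflare's or Okta's code. Assumes the Okta System Log
JSON shape; event type names and the window dates are assumptions.
"""
import json
from datetime import datetime, timezone

# Assumed Okta event types for a support (impersonation) session on a user.
IMPERSONATION_START = "user.session.impersonation.initiate"
IMPERSONATION_END = "user.session.impersonation.end"

# Assumed Okta event types for the credential changes steps 2a-2d ask about.
CREDENTIAL_EVENTS = {
    "user.account.reset_password": "password reset",
    "user.account.update_password": "password change",
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.mfa.factor.activate": "MFA factor enrolled",
}

# Placeholder review window: the five-day mid-January period, dates assumed.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 21, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample events in the System Log shape (not real log data).
SAMPLE_EVENTS = json.loads("""[
 {"published": "2022-01-16T10:00:00.000Z", "eventType": "user.session.impersonation.initiate",
  "actor": {"type": "User", "alternateId": "support@okta.example"},
  "target": [{"type": "User", "alternateId": "alice@example.com"}], "outcome": {"result": "SUCCESS"}},
 {"published": "2022-01-16T10:05:00.000Z", "eventType": "user.mfa.factor.reset_all",
  "actor": {"type": "User", "alternateId": "support@okta.example"},
  "target": [{"type": "User", "alternateId": "alice@example.com"}], "outcome": {"result": "SUCCESS"}},
 {"published": "2022-01-16T10:30:00.000Z", "eventType": "user.session.impersonation.end",
  "actor": {"type": "User", "alternateId": "support@okta.example"},
  "target": [{"type": "User", "alternateId": "alice@example.com"}], "outcome": {"result": "SUCCESS"}},
 {"published": "2022-01-18T09:00:00.000Z", "eventType": "user.account.reset_password",
  "actor": {"type": "User", "alternateId": "bob@example.com"},
  "target": [{"type": "User", "alternateId": "bob@example.com"}], "outcome": {"result": "SUCCESS"}},
 {"published": "2022-01-19T12:00:00.000Z", "eventType": "user.session.start",
  "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": [], "outcome": {"result": "SUCCESS"}},
 {"published": "2022-02-10T08:00:00.000Z", "eventType": "user.account.update_password",
  "actor": {"type": "User", "alternateId": "carol@example.com"},
  "target": [{"type": "User", "alternateId": "carol@example.com"}], "outcome": {"result": "SUCCESS"}}
]""")


def _published(event):
    # Okta timestamps end in "Z"; older fromisoformat() needs "+00:00".
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _target_user(event):
    # The affected account is the first User entry in the target list.
    for target in event.get("target", []):
        if target.get("type") == "User":
            return target.get("alternateId")
    return None


def triage(events, window_start=WINDOW_START, window_end=WINDOW_END):
    """Return findings (dicts: user, when, what, severity) in time order.

    'high'   = credential change while a support impersonation session was
               open for that user (step 2b).
    'review' = a support session being opened, or any other credential
               change in the window (step 2c: suspect until validated).
    """
    open_sessions = set()  # users with an impersonation session in progress
    findings = []
    for event in sorted(events, key=_published):
        when = _published(event)
        if not (window_start <= when <= window_end):
            continue  # outside the window the vendor had access
        etype = event.get("eventType")
        user = _target_user(event)
        if etype == IMPERSONATION_START and user:
            open_sessions.add(user)
            findings.append({"user": user, "when": event["published"],
                             "what": "Okta support session opened", "severity": "review"})
        elif etype == IMPERSONATION_END and user:
            open_sessions.discard(user)
        elif etype in CREDENTIAL_EVENTS and user:
            severity = "high" if user in open_sessions else "review"
            findings.append({"user": user, "when": event["published"],
                             "what": CREDENTIAL_EVENTS[etype], "severity": severity})
    return findings


def users_needing_forced_reset(findings):
    """Accounts with any credential change in the window: force a new reset
    and confirm only valid MFA factors remain (steps 2c and 2d)."""
    return {f["user"] for f in findings if f["what"] != "Okta support session opened"}


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["when"], finding["user"], finding["what"])
    print("force reset:", sorted(users_needing_forced_reset(triage(SAMPLE_EVENTS))))
```

On the constructed sample the MFA reset on alice@example.com is rated high because it happened inside the support session, bob@example.com's self-service password reset is rated review, and carol@example.com's February change is ignored as outside the window. Against a real export, replace SAMPLE_EVENTS with the parsed System Log output and set the window to the dates Okta gave your tenant.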

Microsoft has also performed an exhaustive investigation of the Lapsus$ access to Microsoft Azure and to the Bing and Cortana source code.

Further Resources

For a direct link to the Cloudflare investigation, see Cloudflare’s investigation of the January 2022 Okta compromise.

For a direct link to the Microsoft investigation, see DEV-0537 criminal actor targeting organizations for data exfiltration and destruction – Microsoft Security Blog.

For Microsoft’s recommended mitigation strategies, see Detecting, hunting, and responding to DEV-0537 activities – Microsoft Security Blog.

For OODA Loop Daily Pulse coverage of Lapsus$ activities and hacks, go here.

For OODA Loop Daily Pulse coverage of the Okta breach, go here.


About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.