When a headline reads “This Is Really, Really Bad,” you know there’s a problem. The world is becoming accustomed to database breaches, however, cybersecurity journalist Lily Hay Newman (@lilyhnewman) reports the latest breach by the Lapsus$ digital extortion gang is worst than most.[1] According to Newman, the breach, which was disclosed by the gang on 21 March, involved “a series of increasingly shocking posts in its Telegram channel.” The initial breach involved a company called Okta, which Newman describes as “a near-ubiquitous identity management platform used by thousands of large organizations that want to make it easy — and, crucially, secure — for their employees or partners to log in to multiple services without juggling a dozen passwords.” Tech journalists Dan Strumpf (@DanStrumpf) and Ben Otto (@benottoWSJ) report, “More than 15,000 customers world-wide — including multinational companies, universities and governments — rely on Okta’s software to securely manage access to their systems and verify users’ identities.”[2]

The gang claimed it was able to take control of an Okta administrative or “super user” account that gave it access to “extensive source code from Microsoft’s Bing search engine, Bing Maps, and Cortana virtual assistant software.” Journalist Steven Musil (@stevenmusil) reports that Microsoft confirmed that “the Lapsus$ hacking group gained ‘limited access, to a single account.”[3] Microsoft also insisted “that its security teams interrupted the effort.” Nevertheless, Newman notes, “A potential breach of an organization as big and security-conscious as Microsoft [is] significant.”

Fallout from the Okta Attack

Although the Lapsus$ gang released their posts on 21 March, Strumpf and Otta report that Okta insists “the screenshots most likely related to an earlier security incident in January, which has already been resolved.” According to Strumpf and Otto, “The [Lapsus$] group said that it didn’t access or steal any data from Okta itself and that its focus was on the software company’s customers.” Access to a “super user” account can have significant repercussions. Newman reports, “Past breaches, like 2020’s notorious Twitter meltdown, have stemmed from attackers taking over access to an administrative or support account that has the ability to modify customers’ accounts. Attackers use these system privileges to reset target account passwords, change the email address linked to victim accounts, and generally take control.” Journalist John Leonard (@_JohnLeonard) reports that Okta tried to play down the severity of the January breach.[4] He reports:

“In January, the company logged an attempt to compromise the account of a customer support engineer working for third-party provider, Sitel. A subsequent analysis of the incident by a forensics firm found that there had been a period of five days, January 16 – 21, in which the attackers had access to the engineer’s laptop. Okta says its core systems were not breached during the attack and the access was confined to the laptop, refuting Lapsus$’s claims that it gained superuser access to the firm’s website and other systems. The screenshots were consistent with the breach of the engineer’s laptop in January, the company said, and there are no indications that it went further.”

David Bradbury, Chief Security Officer at Okta, reports, “After a thorough analysis of these claims, we have concluded that a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon.”[5] Bradbury also insisted there were no corrective actions that needed to be taken by Okta customers.

Strumpf and Otto also report that Okta insisted, “There is no evidence of ongoing malicious activity beyond the activity detected in January.” According to the journalists, at least one affected customer — Cloudflare — is unhappy with Okta’s security measures. Cloudflare CEO Matthew Prince (@eastdakota) told the journalists that his company had yet to receive “a satisfactory answer to concerns over a previous Okta vulnerability incident discovered in December [2021]. In January, Okta said it was still investigating that vulnerability, known as ‘Log4Shell,’ which concerned a Java-based logging utility found in a number of software products.”

The Lapsus$ gang has claimed a number of high-profile attacks including attacks on Nvidia and Samsung. According to Strumpf and Otto, the gang insists “we are not in politics AT ALL.” Nevertheless, the group seems to relish public attention. Journalist Jurgita Lapienytė (@lapienyte) reports, “Microsoft has been tracking what it called a large-scale social engineering and extortion campaign. It attributed the activity to Lapsus$ (DEV-0537). ‘Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks,’ Microsoft noted. Indeed, not only do they advertise and tease their followers about the upcoming leaks, but they are also very public about their intent to buy credentials from employees of target organizations. This week it even opened its Telegram chat to everyone who wanted to discuss the Okta leak.”[6]

Concluding Thoughts

Newman reports, “Researchers have consistently found that [Lapsus$] is a loose, even disorganized collective that is likely based in South America and still getting its bearings. But the scale and scope of the organizations Lapsus$ has been able to compromise so far raise a chilling range of possibilities. Either the group is a more sophisticated organization than incident responders have realized or admitted, or the security of some of the world’s most critical companies is even more fragile and inadequate than previously thought.” Wikipedia notes that the term “lapsus” in philology, refers to “an involuntary mistake made while writing or speaking.” It comes from the same root word as lapse. If companies fail to be vigilant, a careless lapse in cybersecurity could result in a significant breach and a loss of trust.

Footnotes
[1] Lily Hay Newman, “‘This Is Really, Really Bad’: Lapsus$ Gang Claims Okta Hack,” Wired, 22 March 2022.
[2] Dan Strumpf and Ben Otto, “Okta Investigates Report of Security Breach, Says It Finds No Evidence of New Attack,” The Wall Street Journal, 22 March 2022.
[3] Steven Musil, “Microsoft Says Lapsus$ Hackers Gained ‘Limited Access’ to a Single Account,” c|net, 22 March 2022.
[4] John Leonard, “Okta updates advice to customers after confirming Lapsus$ breach,” Computing, 23 March 2022.
[5] David Bradbury, “Updated Okta Statement on LAPSUS$,” Okta Blog, 22 March 2022.
[6] Jurgita Lapienytė, “Here’s what makes Lapsus$ stand out from other extortion groups,” Cybernews, 23 March 2022.