It has been confirmed this week (21 March 2022) that technology giant Microsoft and Okta, a California-based identity and authentication service with more than 15,000 customers, were breached by LAPSUS$, a relatively new cyber-criminal group whose focus is extortion. The details of the breaches have now been published and are likely to have serious ramifications for businesses, but they also serve as a lesson in how to manage (or not!) security in organisations.
In the case of Okta, the LAPSUS$ group was able to leverage a third-party contractor's access to the customer support system for a five-day window in January 2022. The fact that the access went unidentified was compounded by the level of system access the compromised account had: it reportedly had access to the "superuser" portal, with the ability to reset passwords and MFA for 95% of clients.
This published information raises several questions around the level of access and the timings of the access along with the date of the subsequent disclosure. It appears Okta were aware of the compromise but the details were not publicly disclosed until some two months later.
Most incident response plans document a notification period to be followed once a breach is confirmed, usually 72 hours, mirroring the GDPR Article 33 requirement to notify the supervisory authority within 72 hours of becoming aware of a personal data breach. Many regulatory regimes require companies to report breaches in a timely fashion, but it is also vital to inform clients and customers of any potential breach as soon as it is confirmed, both so that they can take mitigating action and to protect the company's reputation. It will be interesting to see what impact the late disclosure has on Okta.
Okta stated that "The potential impact to Okta customers is limited", but the disclosed access level, including the potential ability to reset passwords and MFA for 95% of clients, sits uneasily with that narrative.
The LAPSUS$ group has released further details on their Telegram channel, including a rebuttal of the details published by Okta. On first reading, the response from Okta came later than it should have and did not capture the severity of the breach.
While Okta holds ISO 27001, 27017 and 27018 certifications, there do appear to be gaps in ensuring that the identified controls were adequate and proportionate to the risks posed to the business. Some basic measures to control data sprawl appear not to have been in place: it is reported that AWS keys were stored in the clear in Slack channels, with limited restrictions on who could access those channels.
There may well be a policy stating that this should not happen, but a policy that is too onerous to follow, or that nobody reads, is no control at all. The absence of effective technical controls to stop employees or contractors from posting keys into Slack in the first place (for example, secret scanning or data loss prevention on the messaging platform) only adds to the problem. And even where a company has the right policies, procedures and technical controls in place, if there is no effective training for everyone who has access to its systems, all the policies and technical controls in the world will not protect it against human error.
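As an illustration of the kind of technical control referred to above (a detection that flags AWS credentials pasted into a chat channel), here is an added example in Python. It is not Okta's or Slack's tooling, and the channel names, user names and key values are constructed for the example; the key formats follow AWS's published conventions (a 20-character access key ID beginning with AKIA or ASIA, and a 40-character secret drawn from the base64 alphabet), and the entropy threshold used to discard placeholder strings is an assumption.

```python
"""Flag AWS credentials in chat messages (added example, not Okta's or Slack's code).

Access key IDs are 20 characters starting with AKIA (long-term IAM user key) or
ASIA (temporary STS key); secret access keys are 40 characters from the base64
alphabet.  A Shannon-entropy gate drops 40-character placeholders such as a run
of identical characters so that only credential-like tokens are reported.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Not an official AWS or Slack pattern; written from the documented key formats.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Assumed threshold (bits per character); real secrets sit around 4.5-5 bits,
# while repeated or dictionary-like 40-character strings fall well below it.
SECRET_ENTROPY_THRESHOLD = 3.5

# Constructed sample messages.  The keys are AWS's documented example values and
# a made-up temporary key; none of them is a live credential.
SAMPLE_MESSAGES = [
    {"channel": "#infra", "user": "contractor1",
     "text": "use AKIAIOSFODNN7EXAMPLE and wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY for the s3 sync"},
    {"channel": "#random", "user": "dev2",
     "text": "lunch at 12? the deploy id is AKIA_not_a_key"},
    {"channel": "#infra", "user": "dev3",
     "text": "placeholder secret " + "a" * 40 + " until we rotate"},
    {"channel": "#ops", "user": "dev4",
     "text": "temp creds: ASIAQWERTYUIOPASDFGH expire in an hour"},
]


@dataclass(frozen=True)
class Finding:
    channel: str
    user: str
    kind: str
    redacted: str  # first and last four characters only; never log the full token


def redact(token: str) -> str:
    return token[:4] + "..." + token[-4:]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, token) pairs for credential-like tokens in one message body."""
    hits = [("aws_access_key_id", m.group(1)) for m in ACCESS_KEY_ID_RE.finditer(text)]
    for m in SECRET_KEY_RE.finditer(text):
        token = m.group(1)
        # Low-entropy 40-character strings are almost always placeholders, not keys.
        if shannon_entropy(token) >= SECRET_ENTROPY_THRESHOLD:
            hits.append(("aws_secret_access_key", token))
    return hits


def scan_messages(messages: list[dict]) -> list[Finding]:
    """Scan a batch of chat messages and return redacted findings."""
    return [
        Finding(msg["channel"], msg["user"], kind, redact(token))
        for msg in messages
        for kind, token in scan_text(msg["text"])
    ]


if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(f"{finding.channel} {finding.user}: {finding.kind} {finding.redacted}")
```

Run over the constructed messages, this reports the access key and secret posted by `contractor1` and the temporary `ASIA` key in `#ops`, while ignoring the `AKIA_not_a_key` false positive and the 40-character placeholder. In practice the same logic would sit behind whatever feed of messages the organisation has (a bot subscribed to the messaging platform's events, or periodic exports), with a finding triggering key rotation rather than just an alert, since a key that has been posted must be assumed compromised.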
There are many challenges in the way teams collaborate with tools such as Slack and Microsoft Teams. These platforms let teams store data and communicate more effectively, which can be hugely beneficial to businesses. However, as our reliance on them grows, so does the need for a full security review before any deployment, and for ongoing review of access and of feature changes as updates become available.
The Okta breach in particular highlights that even a large multinational company with a hefty security budget can be breached. Unfortunately this breach will not be the last; it is just the latest in a long line of high-profile hacks, involving NVIDIA, Samsung and Vodafone to name just a few.
Hacking groups like LAPSUS$ will continue to exploit the weaknesses of organisations, which is why it is vital that everyone within an organisation takes security seriously at all levels: it is everybody's responsibility, not just that of the IT and/or security teams. It also proves the point that security is not a "set and forget" activity, and that constant monitoring and review are absolutely paramount to maintaining a strong security position.
CSS Assure can help to make cyber and data security simple. We offer a number of services that help businesses identify where they can improve their security posture and protect data, and our team of experts can help you to better protect the most important data and systems in your business.