Claimed Okta customer breach could be ‘extremely serious’

Claims by a hacking group that it has breached customers of major identity and access management vendor Okta are being viewed as credible, raising questions about the extent and severity of the potential breach.

The threat actor that claims to be behind the breach, Lapsus$, has previously stolen and leaked data from Nvidia and Samsung. And this week, the group claimed to have posted Microsoft source code on its Telegram channel.

Just hours after posting the claimed Microsoft source code, Lapsus$ posted screenshots of what it said were “access to Superuser/Admin and various other systems.”

Okta’s stock price was down $5.49, or about 3.2%, as of mid-afternoon ET on Tuesday. An analyst at Truist, Joel Fishbein, reportedly called the claimed breach “concerning” amid cutting his rating on Okta.

“The breach is potentially extremely serious,” said Brett Callow, a threat analyst at cybersecurity firm Emsisoft who has been following the activities of Lapsus$.

“Lapsus$ are basically saying they were less interested in Okta than they were in the company’s customers,” Callow said in a message to VentureBeat. “So it’s potentially a supply chain scenario in which one compromise results in many.”

Possible access to many tenants

Bojan Simic, cofounder and CEO of passwordless multifactor authentication vendor HYPR, noted that while the severity of this breach isn’t fully known yet, Okta manages the identities for about 15,000 companies in total.

This means that “certain individuals within Okta (and their subprocessors) have access to the data and infrastructure that contains the identities of most of their customers,” Simic said in an email to VentureBeat. “This access is given to support and manage the customers’ environment on a day to day basis.”

Thus, “if someone like the Lapsus group was to get access to these systems, they could potentially get access to hundreds of Okta tenants in a single shot instead of having to target individual Okta customers,” Simic said.

Okta did not respond to a request for comment from VentureBeat. In a pair of tweets Tuesday, Okta cofounder and CEO Todd McKinnon said that the company believes the “screenshots shared online” are connected to an attempted compromise of “a third party customer support engineer working for one of our subprocessors” in January.

“The matter was investigated and contained by the subprocessor,” McKinnon said on Twitter. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Credible claims

Lapsus$ specified that it did not access Okta itself. “Our focus was ONLY on okta customers,” the group said in its Telegram post.

Security experts that spoke with Reuters said the breach appears to be real and credible.

Lapsus$ is believed to operate in South America. Over the past month, vendors including Nvidia and Samsung Electronics confirmed the theft of data by the threat actor. On March 1, for instance, Nvidia said that “we are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online.”

Stolen Nvidia data reportedly included designs of graphics cards and source code for DLSS, an AI rendering system. Meanwhile, on Monday, Lapsus$ claimed to have posted Microsoft source code for Bing, Bing Maps and Cortana. Microsoft said it is aware of the claims and is investigating them.

“Given the lack of a denial from Microsoft and Lapsus$’ past victims, their claims are not entirely implausible,” Callow said in a previous message to VentureBeat.

Experts have said that Lapsus$’ motives remain unclear, given the lack of financial demands in the past.
