Lapsus$ does not appear to target a specific industry vertical, as public networks within European and South American organizations have also been compromised. The group has also publicly boasted about obtaining stolen Microsoft source code relating to Bing and Cortana.
The timeline of Okta’s breach events is under scrutiny, as the threat actor disputes the official statements provided by Okta. However, it is understood that the breach occurred at some point within the last three to six months. This is particularly concerning because a single compromised Okta client account, belonging to a customer such as FedEx or Cloudflare, could in turn affect numerous users.
Okta acknowledged the cyberattack after Lapsus$ used its Telegram channel to release screenshots of compromised credentials. According to Okta, the breach was carried out by compromising an individual workstation belonging to a subcontractor who had access to the Okta network. That remote desktop session was then used to take the screenshots.
Within those screenshots, Lapsus$ shows the credentials it had gained access to, which rose to the level of administrator.
If true, that depth of compromise could be devastating to end-users at companies using Okta as their SSO solution, since privileged access reachable through a third party creates a significant opportunity for exploitation.
To reduce the impact of this type of attack, users and network administrators are strongly urged to implement the following security measures immediately:
- Itemize all network resources and third-party access to the network and individual endpoints.
- Disable any default credentials to access your platforms.
- Divide system access into distinct roles and grant each role only the minimum permissions and access it needs.
- Update and patch your software in a timely manner.
- Use password managers to handle different sets of credentials and use randomly generated passwords.