Okta, a widely used provider of identity and access management (IAM) services to clients worldwide, was recently targeted by the threat actor Lapsus$.

The compromise of Okta or any other IAM provider is highly sensitive and potentially far-reaching: Okta’s IAM services alone allow approximately 15,000 companies to log into multiple services securely via Single Sign-On (SSO). With SSO, users authenticate to many applications with a single set of credentials rather than a unique set for each individual service.

Lapsus$ does not appear to target a specific industry vertical; public networks within European and South American organizations have also been compromised. The group has also publicly boasted about obtaining stolen Microsoft source code relating to Bing and Cortana.

The timeline of Okta’s breach events is under scrutiny, as the threat actor disputes the official statements provided by Okta. However, it is understood that the breach occurred at some time within the last three to six months. This is particularly concerning because a single compromised Okta client account, belonging to a customer such as FedEx or Cloudflare, could affect a large number of that customer’s users.

Okta acknowledged the cyberattack after Lapsus$ used its Telegram channel to release screenshots of compromised credentials. According to Okta, the breach was carried out by compromising the individual workstation of a subcontractor who had access to the Okta network. That remote desktop session was then used to take the screenshots.

Within those screenshots, Lapsus$ shows the credentials it had gained access to, which included administrator-level access.

If true, that depth of compromise could be devastating to end users at companies that use Okta as their SSO solution, since privileged access reachable through a third party creates a significant opportunity for exploitation.

To reduce the impact of this type of attack, users and network administrators are strongly urged to implement the following security measures immediately:

  • Itemize all network resources and all third-party access to the network and to individual endpoints.
  • Disable any default credentials used to access your platforms.
  • Separate system access into distinct roles and grant each role only the minimum permissions and access it needs.
  • Update and patch your software in a timely manner.
  • Use a password manager to handle separate sets of credentials, and use randomly generated passwords.

BinaryLab’s ethos of enumerating, evaluating, and understanding the threat surface of an individual network applies equally to large-scale enterprises such as these.

BinaryLab is committed to protecting clients’ sensitive data by proactively addressing security concerns, as well as providing relevant and timely security expertise. For an assessment or more information, contact BinaryLab at 301-337-3131.

About the author

Sergio Orellana, Chief Cybersecurity Director

Sergio Orellana is the Chief Cybersecurity Officer of BinaryLab and leads the creation and delivery of enterprise-class cybersecurity and compliance solutions. He is a breach response expert with more than a decade of experience working on large and complex security incidents and investigations.