- On March 22nd, 2022, the LAPSUS$ threat group published potential evidence of a successful breach of Okta, a widely used identity provider.
- This publication was released following multiple claims of successful attacks by LAPSUS$, potentially leveraging the initial Okta breach.
- At this stage, it is unclear how much of the reported attack has indeed taken place and what the full security ramifications may be.
- This also means there is currently no indication of specific failures on the part of Okta or reason to rush into replacing identity providers before the dust settles and the full picture is revealed.
- While there has been much speculation linking recent attacks to the Russia-Ukraine conflict, there is currently no evidence to suggest this is connected. Moreover, most indications suggest the LAPSUS$ group is likely Latin-American and therefore not directly connected to the Russia-Ukraine conflict.
- Nevertheless, for organizations leveraging Okta solutions, we recommend a precautionary approach and taking several measures to mitigate potential risk.
- We’ll continue updating this advisory as new information is released.
While the full scope and impact of the potential attack is not yet clear, the following precautionary steps are recommended to ensure that potential damage is contained:
- Credential Rotation. Rotate critical credentials managed in Okta solutions, including API keys, passwords, and multi-factor authentication (MFA) tokens. Once this is accomplished, and as new information comes to light, full rotation of all Okta credentials may be advised.
- Okta Log Investigation. Perform a focused investigation into Okta logs to identify irregular access which may indicate malicious activity targeting organizational credentials and systems. This investigation should initially focus on identifying irregular access such as access from uncommon IP address ranges and user agents, or access at highly irregular times of the day or week. If possible, perform these analyses going back to the end of 2021 to cover the currently understood potential length of the breach.
- Critical Asset Access Investigation. Perform a focused investigation to identify potential malicious access to organizational resources leveraging credentials managed in Okta, as per recommendation above. If such activities are identified, a deep dive investigation should be initiated to assess the full potential scope of the breach.
- Privileged Credential Persistence Review. Perform a targeted review of recently created privileged credentials and roles, to identify the potential creation of identity persistence by attackers who may have gained access to the organization leveraging Okta.
- Long-Term Visibility Assurance. In the longer term, this potential attack serves as a reminder for organizations to ensure that they forward critical access logs from tier-0 infrastructure and applications to a centralized solution, which can enable effective analysis and identification of anomalies in case of suspected attacks.
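As an added example (not part of Sygnia's advisory or Okta's tooling), the following Python triage sketch applies the heuristics from the Okta Log Investigation and Privileged Credential Persistence Review recommendations to a handful of constructed Okta System Log events. Field names follow the Okta System Log schema; the corporate IP range, user-agent allow-list, working hours and the set of persistence-related event types are assumptions that each organization would tune to its own environment.

```python
import ipaddress
from datetime import datetime, timezone

def _ev(ts, etype, actor, ip, ua, result="SUCCESS"):
    """Build a minimal Okta System Log-shaped event (constructed sample data)."""
    return {"published": ts, "eventType": etype, "actor": {"alternateId": actor},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "outcome": {"result": result}}

# Constructed sample events: a normal weekday login, then a weekend night login
# from an unknown address with a scripted client that goes on to mint an API token.
SAMPLE_EVENTS = [
    _ev("2022-01-10T09:15:00.000Z", "user.session.start", "alice@example.com",
        "203.0.113.25", "Mozilla/5.0 (Windows NT 10.0) Chrome/98.0"),
    _ev("2022-01-15T03:42:00.000Z", "user.session.start", "alice@example.com",
        "198.51.100.77", "python-requests/2.27"),
    _ev("2022-01-15T03:50:00.000Z", "system.api_token.create", "alice@example.com",
        "198.51.100.77", "python-requests/2.27"),
]

# Assumed baselines: tune per organization.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]      # assumed corporate egress range
KNOWN_UA_TOKENS = ("Mozilla/", "Okta Verify")                 # assumed markers of sanctioned clients
PERSISTENCE_EVENTS = {"system.api_token.create",              # assumed event types worth reviewing
                      "user.account.privilege.grant", "group.user_membership.add"}
WORK_HOURS = range(7, 20)                                     # 07:00-19:59 UTC, Monday to Friday

def triage(events, since=datetime(2021, 12, 1, tzinfo=timezone.utc)):
    """Return (published, actor, eventType, reasons) for each event that trips a rule.

    `since` defaults to late 2021, the look-back window the advisory suggests."""
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if ts < since:
            continue
        reasons = []
        ip = ipaddress.ip_address(ev["client"]["ipAddress"])
        if not any(ip in net for net in KNOWN_RANGES):
            reasons.append("ip outside known ranges")
        ua = ev["client"]["userAgent"]["rawUserAgent"]
        if not any(tok in ua for tok in KNOWN_UA_TOKENS):
            reasons.append("unfamiliar user agent")
        if ts.hour not in WORK_HOURS or ts.weekday() >= 5:
            reasons.append("outside working hours")
        if ev["eventType"] in PERSISTENCE_EVENTS:
            reasons.append("privileged/persistence event")
        if reasons:
            findings.append((ev["published"], ev["actor"]["alternateId"], ev["eventType"], reasons))
    return findings
```

Events that trip several rules in a short window for the same actor, as the last two samples do, are the ones to escalate to the deeper investigation the advisory describes.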
If you are currently concerned or impacted by the Okta breach, or are seeking guidance, please contact us at firstname.lastname@example.org or our 24/7 hotline +1-877-686-8680.
This advisory and any information or recommendation contained herein have been prepared for general informational purposes and are not intended to be used as a substitute for professional consultation on facts and circumstances specific to any entity. While we have made attempts to ensure the information contained herein has been obtained from reliable sources and to perform rigorous analysis, this advisory is based on initial rapid study and needs to be treated accordingly. Sygnia is not responsible for any errors or omissions, or for the results obtained from the use of this Advisory. This Advisory is provided on an as-is basis, and without warranties of any kind.