First Microsoft, then Okta: New Ransomware Gang Posts Data From Both

Vector of ransom note with letters cut out from newspapers and magazines.

In recent days, a relative newcomer to the ransomware scene has made two surprising claims by posting images showing proprietary data the group says it stole from Microsoft and from Okta, a single sign-on service provider with 15,000 customers.

The Lapsus$ group, which first appeared three months ago, said Monday night on its Telegram channel that it had obtained privileged access to some of Okta’s proprietary data. The claim, if true, could be serious because Okta allows employees to use a single account to log into multiple services belonging to their employer.

Achieving “Superuser” status

“BEFORE EVERYONE STARTS ASKING: WE DO NOT ACCESS/STEAL ANY DATABASE FROM OKTA,” the Telegram post states. “We only focus on okta customers.”

Okta co-founder and CEO Todd McKinnon said on Twitter that the data appeared to be related to a compromise attempt that occurred two months ago. He explained:

In late January 2022, Okta discovered an attempt to compromise the account of a third-party customer support engineer who worked for one of our subprocessors. The matter has been investigated and resolved by the sub-processor. We believe the screenshots shared online are related to this January event. Based on our investigation to date, there is no evidence of malicious activity taking place other than that detected in January.

In a post published later, Okta’s Chief Security Officer David Bradbury said there had been no breach of his company’s services. The January compromise attempt mentioned in McKinnon’s tweet was unsuccessful, he said; Okta nonetheless retained a forensics firm to investigate and recently received its findings.

“The report highlights that there was a five-day period between January 16 and 21, 2022, where an attacker had access to a support engineer’s laptop,” Okta’s post reads. “This is consistent with the screenshots that we became aware of yesterday.”

The post continued:

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data — for example, Jira tickets and lists of users — that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

Lapsus$ was quick to respond to Okta’s post by calling its claims “lies”.

“I’m STILL unsure how it’s [a] failed attempt?” the post stated. “Logging into the superuser portal with the ability to reset the passwords and MFA of ~95% of clients isn’t successful?”

The rebuttal added: “The potential impact on Okta customers is UNLIMITED, I’m fairly certain that resetting passwords and MFA will result in complete compromise of many customer systems.”

Lapsus$’s Monday night post included eight screenshots. One appeared to show someone logged into the “Superuser” dashboard for Cloudflare, a content delivery network that uses Okta’s services. Another image showed what appeared to be a password change for a Cloudflare employee.

Cloudflare founder and CEO Matthew Prince responded hours later that Okta may have been compromised but that, in any case, “Okta is merely an identity provider. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.”

In a separate tweet, Prince said Cloudflare was resetting the Okta credentials of any employee who had changed their password in the past four months. “We’ve confirmed no compromise,” he added. “Okta is one layer of security. Given they may have an issue, we’re evaluating alternatives for that layer.”

Cloudflare has since published an account of its investigation of the incident.

Other images in Lapsus$’s post show someone logged into Okta’s internal system, a list of Okta’s Slack channels, and some apps available to Okta employees.

Okta services are approved for use by the US government under a program known as FedRAMP, which certifies that cloud-based services meet minimum security requirements.

“For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved), I think these security measures are pretty poor,” gang members wrote in a Telegram post on Monday.


Over the weekend, the same Telegram channel posted images to support a claim by Lapsus$ that it had breached Microsoft’s systems. The Telegram post was later deleted — but not before security researcher Dominic Alvieri documented the posts on Twitter.

On Monday — a day after the group posted and then removed the image — Lapsus$ posted a BitTorrent link to a purported file archive containing proprietary source code for Bing, Bing Maps, and Cortana, all of which are Microsoft services. Bleeping Computer, citing security researchers, reported that the download is 37GB and appears to be genuine Microsoft source code.

Microsoft on Tuesday only said: “We are aware of the claims and are investigating.”

Lapsus$ is a threat actor that appears to operate out of South America, or possibly Portugal, according to researchers at security firm Check Point. Unlike most ransomware groups, the firm says, Lapsus$ does not encrypt victims’ data. Instead, it threatens to release the data publicly unless the victim pays a hefty ransom. The group, which first appeared in December, has claimed successful hacks of Nvidia, Samsung, Ubisoft, and others.

“The details of how the group managed to breach these targets have never been fully clear,” the Check Point researchers wrote in a post on Tuesday morning. “If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent string of successes.”
