Dive Brief:
- A breach at Okta affected 2.5% of its customers, the identity and access management firm said Tuesday night, after earlier denying an ongoing security incident following claims from the extortion group Lapsus$.
- Okta identified and contacted the 366 customers "whose data may have been viewed or acted upon," the company said.
- Lapsus$ also claimed to have breached Microsoft, which confirmed Tuesday night an account was compromised, granting limited access. A Microsoft spokesperson said, "Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity."
Dive Insight:
A relatively new extortion gang, Lapsus$ has targeted high-profile technology companies, including Nvidia, boasting of exploits online.
In an investigation statement released Tuesday, Okta CSO David Bradbury said the sharing of the screenshots related to the breach was "embarrassing to myself and the whole Okta team."
The screenshots were taken from the computer of a support engineer at third-party provider Sitel; the attackers gained remote access to that machine over RDP. Because support engineers' access is limited, "the information and the actions were constrained," Bradbury said.
The breach at Okta highlights the work companies need to do to vet third parties, contractors and their employees, said Andras Cser, VP and principal analyst of security and risk management at Forrester. This includes auditing compliance and penetration-testing checks, and third-party access-monitoring processes.
Companies also need to apply zero trust principles when assigning entitlements to subprocessor employees, Cser said in an email.
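As an added illustration, not Okta's, Sitel's or Forrester's own tooling, the script below shows the kind of third-party access monitoring Cser describes: a support vendor's accounts are checked against an explicit entitlement (which actions they may take, from which networks, and whether a sensitive action is backed by an open ticket). The event shape borrows field names from Okta's System Log, but the events themselves, the accounts, IP ranges, ticket references and the vendor's allowed action set are all constructed assumptions for this example.

```python
"""Added example: monitoring a support subprocessor's access.

Constructed events in an Okta-System-Log-like shape (eventType,
actor.alternateId, client.ipAddress, target[].alternateId). Accounts,
addresses, ticket numbers and the entitlement below are assumptions.
"""
import ipaddress
import json
from dataclasses import dataclass

# Constructed log events: one vendor engineer and one internal admin.
SAMPLE_EVENTS = json.loads("""[
 {"uuid": "e1", "eventType": "user.session.start",
  "actor": {"alternateId": "eng1@support-vendor.example"},
  "client": {"ipAddress": "198.51.100.10"}, "target": []},
 {"uuid": "e2", "eventType": "user.account.reset_password",
  "actor": {"alternateId": "eng1@support-vendor.example"},
  "client": {"ipAddress": "198.51.100.10"},
  "target": [{"alternateId": "alice@customer.example"}]},
 {"uuid": "e3", "eventType": "user.mfa.factor.reset_all",
  "actor": {"alternateId": "eng1@support-vendor.example"},
  "client": {"ipAddress": "203.0.113.7"},
  "target": [{"alternateId": "bob@customer.example"}]},
 {"uuid": "e4", "eventType": "group.user_membership.add",
  "actor": {"alternateId": "eng1@support-vendor.example"},
  "client": {"ipAddress": "198.51.100.10"},
  "target": [{"alternateId": "carol@customer.example"},
             {"alternateId": "Super Administrators"}]},
 {"uuid": "e5", "eventType": "user.mfa.factor.reset_all",
  "actor": {"alternateId": "admin@customer.example"},
  "client": {"ipAddress": "10.0.0.5"},
  "target": [{"alternateId": "dave@customer.example"}]}
]""")


@dataclass(frozen=True)
class VendorPolicy:
    account_suffix: str              # vendor accounts identified by domain
    allowed_networks: tuple          # vendor VPN egress ranges (assumed)
    allowed_event_types: frozenset   # the vendor's whole entitlement
    sensitive_event_types: frozenset # subset that must be tied to a ticket
    open_tickets: dict               # target user -> ticket id (assumed feed)


# Hypothetical entitlement for the support vendor: sessions and
# password/MFA resets only, from one network, resets only with a ticket.
POLICY = VendorPolicy(
    account_suffix="@support-vendor.example",
    allowed_networks=(ipaddress.ip_network("198.51.100.0/24"),),
    allowed_event_types=frozenset({
        "user.session.start", "user.session.end",
        "user.account.reset_password", "user.mfa.factor.reset_all"}),
    sensitive_event_types=frozenset({
        "user.account.reset_password", "user.mfa.factor.reset_all"}),
    open_tickets={"alice@customer.example": "TKT-1001"},
)


def flag_events(events, policy):
    """Return (event uuid, actor, reason) for every policy violation."""
    alerts = []
    for e in events:
        actor = e["actor"]["alternateId"]
        if not actor.endswith(policy.account_suffix):
            continue  # only the subprocessor's accounts are in scope here
        ip = ipaddress.ip_address(e["client"]["ipAddress"])
        etype = e["eventType"]
        if not any(ip in net for net in policy.allowed_networks):
            alerts.append((e["uuid"], actor, f"source {ip} outside vendor ranges"))
        if etype not in policy.allowed_event_types:
            alerts.append((e["uuid"], actor, f"{etype} not in vendor entitlement"))
        elif etype in policy.sensitive_event_types:
            # A reset is legitimate only if the affected user has an open ticket.
            for t in e.get("target", []):
                user = t["alternateId"]
                if user not in policy.open_tickets:
                    alerts.append((e["uuid"], actor,
                                   f"{etype} on {user} with no open ticket"))
    return alerts


if __name__ == "__main__":
    for uuid, actor, reason in flag_events(SAMPLE_EVENTS, POLICY):
        print(uuid, actor, reason)
```

On the constructed events this raises three alerts: the MFA reset in e3 comes from an address outside the vendor's range and targets a user with no open ticket, and the group-membership change in e4 is outside the vendor's entitlement altogether. The password reset in e2 is allowed because it is covered by a ticket, which is the point of tying each sensitive support action to a customer-visible request rather than trusting the vendor account as a whole.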
Lapsus$, which emerged in mid-2021, primarily relies on data theft extortion for financial gain, without encrypting networks, said Joshua Shilko, senior principal analyst at Mandiant, in an email to Cybersecurity Dive. "The group also appears to be motivated by notoriety and at least some of their extortion demands have leaned toward hacktivism."
Screenshots claiming successful breaches of companies are circulated through social media, putting companies on the defensive. After Okta repeated that it had not suffered a breach, Lapsus$ circulated a statement goading the company's response, according to a copy of the statement shared by Emsisoft Threat Analyst Brett Callow on Twitter.
The group is unique in its flashiness, as many threat groups remain under the radar, Microsoft said. Lapsus$ typically gains initial access by compromising user identities, including by purchasing credentials, paying employees at targeted organizations and searching public code repositories for breached credentials.
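As an added example that is not part of the original article or any vendor's product, the scanner below shows how a defender can search their own repositories for the kind of committed credentials Lapsus$ is described as harvesting from public code. The repository contents, paths and key values are constructed for the example; the AKIA prefix is used only as a key-ID format, and the placeholder-marker list used to suppress false positives is an assumption.

```python
"""Added example: scanning repository contents for committed credentials.

The files below are constructed; the paths, key IDs and secret values are
invented. Strict-format patterns (key IDs, private-key headers) are always
reported; loose name=value matches are filtered for obvious placeholders.
"""
import math
import re

# Constructed repository snapshot: path -> file contents.
SAMPLE_FILES = {
    "config/settings.py": (
        "import os\n"
        "DB_PASSWORD = os.environ[\"DB_PASSWORD\"]  # read at runtime, not committed\n"
    ),
    "deploy/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF\n"
        "AWS_SECRET_ACCESS_KEY=3k9Qx/Lm2pR8vT1wZ5yB7nC4dF6hJ0aS+uV2eG8i\n"
    ),
    "scripts/backup.sh": "password=\"changeme\"  # placeholder left by a template\n",
    "notes/todo.md": (
        "# token rotation: rotate every 90 days\n"
        "api_key: \"f3c1a9e2b7d4406c8a1e5f9b2c7d3e4a\"\n"
    ),
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(body omitted)\n",
}

PATTERNS = {
    # Strict-format matches: report every hit.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Loose name=value match: group 1 is the variable name, group 2 the value.
    "generic_secret": re.compile(
        r"(?i)([A-Za-z0-9_]*(?:password|passwd|pwd|secret|api[_-]?key|token)"
        r"[A-Za-z0-9_]*)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=.!@#$%^&*]{8,})"),
}

# Assumed markers of values that are not real secrets (env lookups, templates).
PLACEHOLDER_MARKERS = ("example", "changeme", "your_", "<", "${",
                       "os.environ", "getenv")


def shannon_entropy(s):
    """Bits per character; random hex is about 3.9-4.0, plain words about 2-3."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path, text):
    """Return one finding dict per credential-looking match in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(2) if kind == "generic_secret" else m.group(0)
                if kind == "generic_secret" and any(
                        mark in value.lower() for mark in PLACEHOLDER_MARKERS):
                    continue  # environment lookup or template default, not a secret
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "entropy": round(shannon_entropy(value), 2)})
    return findings


def scan_repo(files):
    """Scan every file in a {path: contents} mapping."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} (entropy {f['entropy']})")
```

On the constructed snapshot this reports four findings (the access key ID and secret in deploy/aws.env, the API key in notes/todo.md and the private-key header in keys/id_rsa) and ignores the environment lookup in config/settings.py and the template default in scripts/backup.sh. The entropy value is reported alongside each hit so a reviewer can triage: a high-entropy value next to a "secret" or "token" name is far more likely to be a live credential than a dictionary word. For production use, established tools such as gitleaks or trufflehog cover many more credential formats and scan commit history, which matters because a secret removed in a later commit is still recoverable from the repository.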
Microsoft, which labeled Lapsus$ DEV-0537, said the group started targeting organizations in the U.K. and South America before expanding to global targets, according to threat research published Tuesday. While it does not deploy ransomware, the group is also known for taking over individual user accounts at cryptocurrency exchanges to drain their holdings.
Mandiant observed Lapsus$ using defacement and occasionally destructive attacks, on top of public naming, shaming and data leaks, Shilko said. "Based on their public persona, they also seem to enjoy letting everyone know about those accesses. They enjoy the spotlight, which is somewhat unique."