Posted on March 22, 2022 at 7:08 PM

Thousands Of Businesses Put On Red Alert After The Hack Of Okta by Lapsus$

Leading provider of authentication services Okta says it is investigating an incident of the data breach on its server. This is coming barely 24 hours after ransomware group Lapsus$ posted screenshots in their Telegram channel, revealing what it claims to be customer data and administrative consoles they stole from Okta.

Okta is a publicly-traded company with a market capitalization of over $6 billion and more than 5,000 workers across the world. The company offers authentication and identity management services to top organizations around the world, including Starling Bank, Pret a Merger, Siemens, and ITV.

Okta said it detected a hacking attempt to infiltrate the account of one of its third-party customer support engineers working for one of its subprocessors. The company said it immediately investigated and contained the matter. Okta says it believes the screenshots shared by the Laspsus$ group are connected to the hacking incident that took place in January.

“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Okta stated.

But based on one of the screenshots posted by the group, Lapsus$ could change customer passwords using Kota’s admin panel.

The Lapsus$ Group Attacked To Steal Customers’ Information

Based on the nature of the attack and what has been stolen, it appears that the main area of interest is not the company’s database but the details containing the customers’ information.

Security researchers and analysts are concerned that the threat actors could have used the “superuser” access to compromise customers’ servers who use the firm’s authentication solutions.

Lapsus$ also confirmed this theory when they started that they did not attack Okta to steal the company’s databases but to target their customers.

This will be a major issue for many companies who use Okta’s service, which includes JetBlue, Hewlett Packard Enterprise, SONOA, Peolton, T-Mobile, and FedEx.

Lapsus$ On A Hacking Spree

The latest hacking incident follows the claims by the Lapsus$ group that it infiltrated Microsoft’s internal Azure DevOps server. The group recently leaked 37 GB of stolen data code from Cortana, Bing, and other Microsoft projects. Microsoft said the incident is still under investigation.

Also, the group has claimed to have infiltrated the database of LG Electronics for the second time this year, although LG Electronics has not confirmed the claims yet.

Lapsus$ has been terrorizing companies and large corporations this year. The group has previously leaked proprietary data allegedly stolen from major companies like Mercado Libre, NVIDIA, and Samsung. These companies have also confirmed that they have suffered a breach.

Lapsus$ does not operate like other ransomware gangs that encrypt confidential files and demand ransom before decrypting and releasing the files.

The group steals and holds on to their victims’ proprietary data and publishes them when their ransom demands are not met.

It’s Not Clear How Many Customers Were Affected

Lapsus$ has been very active in recent weeks, as major companies are now at red alert when it comes to the security of their servers against the group.

Apart from the screenshots of the stolen data, the Lapsus$ hacking group also pointed out the poor nature of Okta’s security measures, which gave the group easy access.

“For a service that powers authentication systems to many of the largest corporations, I think these security measures are pretty poor […],” the group says.

If the breach claim by Lapsus$ were to be true, it is still not clear how many victims will be affected and to what extent.

Several Organizations Put On Red Alert

Okta noted that based on its investigation, the shared screenshot on the Telegram site appears to relate to the “container” security incident that occurred in January this year. Chief Executive Officer of Cloudflare, Mathew Prince, commented on the issue in a tweet.

He stated that although the company is aware that Okta may have been breached, there is no evidence that Cloudflare has been affected. He added that Cloudflare boasts of several layers of security beyond Okta, and doesn’t take them as a standard option for its security.

 Other technology vendors and customers of Okta have not commented on the development. While the investigation into the whole situation is going on, more information about the breach and how far it has impacted affiliated companies will be known soon. The latest exposure of Okta’s database has put several organizations on red alert, especially towards the increasingly notorious Lapsus$ group.