First Microsoft, then Okta: New ransomware gang posts data from both


A relatively new entrant to the ransomware scene has made two startling claims in recent days by posting images that appear to show proprietary data the group says it stole from Microsoft and Okta, a single sign-on provider with 15,000 customers.

The Lapsus$ group, which first appeared three months ago, said Monday night on its Telegram channel that it gained privileged access to some of Okta’s proprietary data. The claim, if true, could be serious because Okta allows employees to use a single account to log in to multiple services belonging to their employer.

Gaining “Superuser” status

“BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA,” the Telegram post stated. “Our focus was ONLY on okta customers.”

Okta co-founder and CEO Todd McKinnon said on Twitter that the data appears to be linked to a hack that occurred two months ago. He explained:

In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.

In a post published later, Okta Chief Security Officer David Bradbury said there had been no breach of his company’s service. The January compromise attempt referenced in McKinnon’s tweet was unsuccessful. Okta nonetheless retained a forensics firm to investigate and recently received its findings.

“The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” the Okta post said. “This is consistent with the screenshots that we became aware of yesterday.”

The post continued:

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users or download customer databases. Support engineers do have access to limited data—for example, Jira tickets and lists of users—that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

Lapsus$ promptly responded to the Okta post by calling the claims “lies.”

“I’m STILL unsure how it’s [an] unsuccessful attempt?” the post stated. “Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn’t successful?”

The rebuttal added: “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.”

Lapsus$’s Monday night post was accompanied by eight screenshots. One appeared to show someone logged into a “Superuser” dashboard belonging to Cloudflare, a content-delivery network that uses Okta services. Another image showed what appeared to be a password change for a Cloudflare employee.

Cloudflare founder and CEO Matthew Prince responded several hours later that Okta may have been compromised but, in any event, “Okta is merely an identity provider. Thankfully, we have multiple layers of security beyond Okta and would never consider them to be a standalone option.”

In a separate tweet, Prince said Cloudflare was resetting Okta credentials for employees who changed their passwords in the past four months. “We’ve confirmed no compromise,” he added. “Okta is one layer of security. Given they may have an issue, we’re evaluating alternatives for that layer.”

Cloudflare has since published this account of its investigation into the breach.
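Okta's statement says support engineers could facilitate password and MFA-factor resets, and Cloudflare's response was to re-issue Okta credentials for employees whose passwords had changed in the affected period. The script below is an added example, not part of the article or of Okta's or Cloudflare's own tooling: it scans Okta System Log records for successful reset and impersonation events inside the January 16-21 window where someone other than the user performed the action. The event-type names are the ones documented for the Okta System Log as I recall them (an assumption to verify against your own tenant), and the log lines are constructed.

```python
import json
from datetime import datetime, timezone

# System Log event types worth reviewing (assumption: names as documented
# by Okta; confirm them against your own tenant's log before relying on this).
REVIEW_EVENTS = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.session.impersonation.initiate",
}

# The five-day window named in Okta's statement (end bound is exclusive).
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)

# Constructed sample records in Okta System Log shape (not real log data).
SAMPLE_LOG = """
{"published":"2022-01-15T09:00:00.000Z","eventType":"user.account.reset_password","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"helpdesk@example.com","type":"User"},"target":[{"alternateId":"alice@example.com","type":"User"}]}
{"published":"2022-01-18T10:30:00.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support-engineer@subprocessor.example","type":"User"},"target":[{"alternateId":"bob@example.com","type":"User"}]}
{"published":"2022-01-19T11:00:00.000Z","eventType":"user.account.update_password","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com","type":"User"},"target":[{"alternateId":"carol@example.com","type":"User"}]}
{"published":"2022-01-20T12:00:00.000Z","eventType":"user.account.reset_password","outcome":{"result":"FAILURE"},"actor":{"alternateId":"support-engineer@subprocessor.example","type":"User"},"target":[{"alternateId":"dave@example.com","type":"User"}]}
{"published":"2022-01-21T13:00:00.000Z","eventType":"user.session.impersonation.initiate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support-engineer@subprocessor.example","type":"User"},"target":[{"alternateId":"erin@example.com","type":"User"}]}
"""

def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def resets_to_review(log_text, start=WINDOW_START, end=WINDOW_END):
    """Successful reset/impersonation events inside the window where the
    actor is someone other than the target user (not a self-service reset)."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        when = parse_time(ev["published"])
        if not (start <= when < end) or ev["eventType"] not in REVIEW_EVENTS:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts deserve an alert, but no reset occurred
        actor = ev["actor"]["alternateId"]
        for tgt in ev.get("target", []):
            if tgt.get("type") == "User" and tgt["alternateId"] != actor:
                hits.append((ev["published"], ev["eventType"], actor, tgt["alternateId"]))
    return hits

def users_to_reissue(log_text):
    """Distinct users whose passwords and MFA factors should be re-issued."""
    return sorted({hit[3] for hit in resets_to_review(log_text)})
```

On the constructed records only the Jan 18 MFA reset and the Jan 21 impersonation survive the filters; the Jan 15 reset falls outside the window, the self-service password change is not a reviewed event type, and the failed reset never took effect.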

Other images in the Lapsus$ post show someone logged in to what appears to be an internal Okta system, a list of Okta’s Slack channels, and some of the apps available to Okta employees.

Okta services are approved for use by the US government under a program known as FedRAMP, which certifies that cloud-based services meet minimum security requirements.

“For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved), I think these security measures are pretty poor,” gang members wrote in the Monday Telegram post.

Microsoft

Over the weekend, the same Telegram channel posted images to support a claim Lapsus$ made that it breached Microsoft systems. The Telegram post was later removed—but not before security researcher Dominic Alvieri documented the hack on Twitter.

On Monday—a day after the group posted and then deleted the images—Lapsus$ posted a BitTorrent link to a file archive that purportedly contained proprietary source code for Bing, Bing Maps, and Cortana, all of which are Microsoft-owned services. Bleeping Computer, citing security researchers, reported that the contents of the download were 37GB in size and appeared to be genuine Microsoft source code.

Microsoft on Tuesday said only: “We’re aware of the claims and investigating.”

Lapsus$ is a threat actor that appears to operate out of South America or possibly Portugal, researchers at security firm Check Point said. Unlike most ransomware groups, the firm said, Lapsus$ doesn’t encrypt the data of its victims. Instead, it threatens to release the data publicly unless the victim pays a hefty ransom. The group, which first appeared in December, has claimed to have successfully hacked Nvidia, Samsung, Ubisoft, and others.

“Details of how the group managed to breach these targets has never fully been explained,” Check Point researchers wrote in a Tuesday morning post. “If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent successful run.”


