It turns out that a hacker group 'LAPSUS $' attracting attention by attacking many large companies hacked into Okta, an access management company

The international hacker group ' LAPSUS$ ', which has been attracting attention for hacking many large companies such as Samsung andNVIDIA , has hacked Okta , an American company that provides access management services for companies. turned out to be

Updated Okta Statement on LAPSUS$ | Okta
https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/

Hackers hit authentication firm Okta, customers 'may have been impacted' | Reuters
https://www.reuters.com/technology/authentication-services-firm-okta-says-it-is-investigating-report-breach-2022-03-22/

Okta investigating claims of customer data breach from Lapsus$ group
https://www.bleepingcomputer.com/news/security/okta-investigating-claims-of-customer-data-breach-from-lapsus-group/

Okta confirms support engineer's laptop was hacked in January
https://www.bleepingcomputer.com/news/security/okta-confirms-support-engineers-laptop-was-hacked-in-january/

On March 22, 2022 local time, screenshots and messages posted on the Telegram channel by LAPSUS$ hackers circulated on social media. The posted screenshot shows that the hacker accessed Okta's internal control panel, and the hacker's target is not Okta but a company that uses Okta.

Oh man, if this it what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy.pic.twitter.com/PY4dIzfwvM

— _MG_ (@_MG_) March 22, 2022

In response to the tweet, Okta CEO Todd McKinnon said, ``In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer who is a contractor. , was contained.” “Screenshots shared online appear to be related to this January’s events. There is no evidence that any activity is going on.'

We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January. (2 of 2)

—Todd McKinnon (@toddmckinnon) March 22, 2022

According to a statement Okta later released, the hacker was able to access the support engineer's laptop for five days from January 16 to January 21, 2022. Chief Security Officer David Bradbury commented, ``Okta's services have not been compromised and remain fully operational.There are no corrective actions for customers to take.''

However, Bradbury said in the same statement, 'The potential impact on Okta's customers is limited to the access that support engineers have. These engineers cannot create or delete users or download customer databases. Support engineers have access to the limited data shown in the screenshot ( Jira tickets and user list) as well as facilitate resetting user passwords and multi-factor authentication. We cannot retrieve those passwords,' he said, adding that he continues to identify and contact customers who may have been affected.

Reuters, an overseas media outlet, said some experts looking at the issue from the outside have doubts about Okta's explanation. 'It seems to me that Okta is trying to downplay the attack as much as possible, going so far as to directly contradict itself in its statements,' said independent security researcher Bill Demirkapi . In addition, Dan Tentler, founder of the cybersecurity consultancy Phobos Group , said, ``(Okta customers) should be very vigilant now.''

Cloudflare also reports the results of an internal investigation related to the LAPSUS$ attack on Okta. According to Cloudflare, an investigation team was immediately launched after an employee who noticed a tweet showing an attack on Okta by LAPSUS$ contacted the Security Incident Response Team (SIRT). The investigative team examined relevant audit logs, contacted Okta for information, and took action, including suspending the accounts of potentially affected users. In addition, it seems that 144 employees whose passwords and multi-factor authentication were reset after December 1, 2021 were forced to reset and change their passwords. Upon investigation, Cloudflare concluded that there was no breach related to the Okta hack.

Cloudflare's investigation of the January 2022 Okta compromise
https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/

In addition, LAPSUS$ announced on March 20, local time, 'Hacked Microsoft', and Microsoft also acknowledged the hacking damage and released the details.

Microsoft's source code was stolen by the hacker group 'LAPSUS $' and 37 GB was leaked to the net, and Microsoft also acknowledged hacking damage - GIGAZINE

・Continued
A teenage suspect emerged as a central figure in the hacker group ``LAPSUS$'' that hacked Microsoft and others - GIGAZINE