It turns out that the hacker group 'LAPSUS $' that has attacked many large companies and attracted attention has hacked the access management company Okta
The international hacker group ' LAPSUS $ ', which has been attracting attention for hacking many large companies such as Samsung andNVIDIA , has hacked Okta , an American company that provides access control services for companies. Turned out.
Updated Okta Statement on LAPSUS $ | Okta
Hackers hit authentication firm Okta, customers'may have been impacted' | Reuters
Okta investigating claims of customer data breach from Lapsus $ group
Okta confirms support engineer's laptop was hacked in January
On March 22, 2022 local time, screenshots and messages posted on the Telegram channel by LAPSUS $ hackers appeared on social media. The screenshot posted shows that the hacker has accessed Okta's internal control panel, and the hacker's target is a company that uses Okta instead of Okta.
Oh man, if this it what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy. Pic.twitter.com/PY4dIzfwvM— _MG_ (@_MG_) March 22, 2022
In response to this tweet, Okta CEO Todd McKinnon said, 'In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer who was a contractor. The issue was investigated by the contractor. , Contained. ”“ The screenshots shared online appear to be related to this January event. According to previous research, other than the activity detected in January, it is malicious. There is no evidence that an activity is underway. '
We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January. (2 of 2)— Todd McKinnon (@toddmckinnon) March 22, 2022
According to a subsequent statement released by Okta, hackers were able to access the support engineer's laptop for five days from January 16th to January 21st, 2022. 'Okta's services have not been compromised and remain fully operational. There are no corrective actions you should take,' said David Bradbury, Chief Security Officer.
However, in the same statement, Bradbury said, 'Okta's potential impact on customers is limited to the access that support engineers have. These engineers can create or delete users or download customer databases. Although support engineers can access the limited data ( Jira tickets and user lists) shown in the screenshots, as well as facilitate resetting of user passwords and multi-factor authentication. , It is not possible to obtain those passwords, 'he said, and continues to identify and contact customers who may have been affected.
Foreign media Reuters said that some experts looking at the issue from the outside are skeptical of Okta's explanation. 'Okta seems to me to try to downplay the attack as much as possible, and has gone as far as to make a direct conflict in its statement,' said Bill Demirkapi , an independent security researcher. '(Okta's customers) should be very vigilant right now,' said Dan Tentler, founder of cybersecurity consultancy Phobos Group .
Cloudflare also reports the results of an internal investigation related to the LAPSUS $ attack on Okta. According to Cloudflare, an employee who noticed a tweet indicating an attack on Okta by LAPSUS $ contacted the Security Incident Response Team (SIRT), and an investigation team was immediately launched. The research team looked at the relevant audit logs, contacted Okta for information, and took action, such as suspending the accounts of potentially affected users. He also said that he forced 144 employees who had their passwords and multi-factor authentication reset after December 1, 2021 to reset and change their passwords. As a result of the investigation, Cloudflare concludes that there were no hack-related infringements on Okta.
Cloudflare's investigation of the January 2022 Okta compromise
In addition, LAPSUS $ announced on March 20, local time that it was 'hacked by Microsoft', and Microsoft also acknowledged the hacking damage and disclosed the details.
Microsoft's source code was stolen by hacker group 'LAPSUS $' and 37GB was leaked to the net, Microsoft also admits hacking damage --GIGAZINE