The Lapsus$ extortion crew has turned its attention to identity platform Okta, publishing screenshots that allegedly show the group gaining access to the company’s internal systems.
The incident follows the group’s claim over the weekend that it had obtained pieces of Microsoft source code. A compromise of Okta, however, could be far more serious, as the company’s services are used by many other organizations to manage network and application access as well as user identities.
At first glance, it appears that the group gained access to a “superuser” account as well as other internal tools. Okta has yet to confirm that this is the case.
Also relevant is that the screenshots appear to date from January 2022, which could mean the group has had access for some time. It could also be that some sort of compromise occurred briefly at that point and the hackers have only now chosen to show their hand. Okta CEO Todd McKinnon reckoned it was the latter.
We believe the screenshots shared online will be associated with this January event. Based on our investigation to date, there is no evidence of further malicious activity beyond the activity detected in January. (2 of 2)
– Todd McKinnon (@toddmckinnon) March 22, 2022
Either way, if a breach has occurred, the implications are grave. Oliver Pinson-Roxburgh, CEO of security firm Bulletproof, warned: “As a gatekeeper for the networks and data of thousands of organizations, a breach at Okta would have significant consequences.”
“Even before the truth of such an incident is confirmed,” he continued, “it is necessary for businesses to take proactive steps now – any delay risks spreading the potential attack.”
Oz Alashe, CEO of CybSafe and Chair of the UK Government DCMS Industry Expert Advisory Group on Cyber Resilience, said: “The potential attack on Okta is a significant reminder of the cyber risks of the supply chain. An authentication tool such as Okta offers the ability to break into hundreds of large companies in one sweep.”
However, Alashe warned: “While Okta’s investigation is under way, it is important that the security community does not jump to conclusions and harass its security team during this difficult time.”
That said, some companies are taking no chances. Cloudflare, which uses Okta as an identity provider, announced that it would reset its employees’ Okta credentials. Just in case.
We are resetting the @Okta login information of all employees who have changed their passwords in the last 4 months, out of an abundance of caution. We have not confirmed any compromise. Okta is one layer of security. Since they may have an issue, we are evaluating alternatives for this layer.
– Matthew Prince 🌥 (@eastdakota) March 22, 2022
The Register contacted Okta for comment, but the company only repeated McKinnon’s tweeted remarks.
As the investigation continues, let’s take a moment to revisit Okta’s recent social media output. We sincerely hope it does not end up in the “old bad” bucket. ®
🌟 Okta Custom Admin Roles – now available to every customer!
Learn more about our updated administrative experience that goes far beyond industry standards and offers even more flexibility 🤸♀️ + security 🔐
See how it’s done👇 + learn more 👉 pic.twitter.com/K9X4a6fpdG
– Okta (@okta) March 21, 2022