On Monday, 21 March 2022, Okta, an enterprise identity and access management firm, launched an inquiry after the Lapsus$ hacking group posted screenshots on their Telegram channel that the hackers claimed were taken after obtaining access to "Okta.com Superuser/Admin and various other systems." The screenshots that Lapsus$ provided included time stamps consistent with the January 16-21 timeframe provided by Okta. The level of access to Okta claimed by Lapsus$ included the ability to view Okta customer tenant user information and perform administrative functions such as password resets. This "superuser" access over an Okta customer's tenant is believed to only be available to Okta when a customer specifically grants them "Support access" for troubleshooting purposes.
On Tuesday, 22 March 2022, Okta confirmed a security incident that took place between January 16-21, 2022, where a threat actor had unauthorised access to a customer support engineer’s laptop.
Lapsus$ is a data extortion threat group, believed to be based in Brazil. The group has historically targeted large software companies, such as Nvidia, Samsung, and Microsoft, to steal source code and extort the victim companies. If the ransom is not paid, Lapsus$ begins leaking proprietary information to the public.
Recommendation #1: Consider Disabling Okta Support Access
Out of an abundance of caution, Arctic Wolf recommends disabling Okta Support Access until additional details are released by Okta. Okta Support Access grants Okta Support personnel administrator access, allowing them to sign into your organisation. Okta Support Access grants administrator access to the Administrator Dashboard for 8 hours and can be extended in additional 24-hour increments. Although it is unknown which Okta resources the threat actors had access to, it is plausible that this feature was the one used.
Through the Admin Console settings, set the option Okta Support Access to Disabled if currently active.
Okta Support Access reference: https://help.okta.com/oie/en-us/Content/Topics/Settings/settings-support-access.htm
Note: Only the Super Administrator role can grant access to Okta Support.
Recommendation #2: Review Okta Events to Identify "Impersonation" Events
When Okta Support Access is granted, it takes the form of an "impersonation" event. Arctic Wolf strongly recommends reviewing events from your Okta portal during the month of January to identify impersonation-generated events. Examine "Impersonation Grant Extended" events that extend access beyond the expected timeframe, as this may indicate malicious activity. We also recommend determining whether these impersonation events were authorised by your organisation's Okta administrator.
Okta administrators can use the following search in the Okta Admin Console to identify these events:
Okta > Reports > System Log > Search for eventType eq "user.session.impersonation.initiate"
Recommendation #3: Audit all Okta High Privileged Users to Identify any Inactive or Newly Created Accounts
Review all highly privileged Okta accounts within your organisation that were created during January 2022 or are currently inactive. Remove inactive accounts and any accounts that were not created with authorisation.
Recommendation #4: Consider Resetting Okta Credentials for all Users That Have Changed Their Password During January 2022
Based on the system time in the Lapsus$ screenshots, it is possible the group had access to Okta systems since at least January 2022. Furthermore, the screenshots showed Lapsus$ allegedly having the capability to reset user passwords. Arctic Wolf recommends resetting Okta credentials for users that have changed their password during January 2022 as a strong precaution.
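Recommendations #3 and #4 both come down to filtering the user directory on a few timestamps, so one script can produce both lists. The following is an added example and not Arctic Wolf's or Okta's code. It assumes user records in the shape of the Okta Users API (id, status, created, lastLogin, passwordChanged, profile.login) and a separate map of user id to administrator role types such as SUPER_ADMIN, as the per-user roles endpoint returns them; the records, the role set treated as highly privileged, the 90-day inactivity threshold and the reference date (22 March 2022, the date of Okta's confirmation) are all constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed records in the shape of the Okta Users API; every value is invented.
SAMPLE_USERS = [
    {"id": "00u1", "status": "ACTIVE", "created": "2021-03-01T08:00:00.000Z",
     "lastLogin": "2022-03-21T09:15:00.000Z", "passwordChanged": "2021-12-01T10:00:00.000Z",
     "profile": {"login": "admin-ops@example.invalid"}},
    {"id": "00u2", "status": "ACTIVE", "created": "2020-06-10T08:00:00.000Z",
     "lastLogin": "2021-09-01T14:00:00.000Z", "passwordChanged": "2021-06-01T10:00:00.000Z",
     "profile": {"login": "svc-audit@example.invalid"}},
    {"id": "00u3", "status": "ACTIVE", "created": "2022-01-19T03:40:00.000Z",
     "lastLogin": "2022-01-19T03:45:00.000Z", "passwordChanged": "2022-01-19T03:41:00.000Z",
     "profile": {"login": "helpdesk2@example.invalid"}},
    {"id": "00u4", "status": "ACTIVE", "created": "2019-02-14T08:00:00.000Z",
     "lastLogin": "2022-03-20T11:00:00.000Z", "passwordChanged": "2022-01-25T16:20:00.000Z",
     "profile": {"login": "bob@example.invalid"}},
    {"id": "00u5", "status": "ACTIVE", "created": "2019-02-14T08:00:00.000Z",
     "lastLogin": "2022-03-15T11:00:00.000Z", "passwordChanged": "2021-11-02T09:00:00.000Z",
     "profile": {"login": "carol@example.invalid"}},
    {"id": "00u6", "status": "ACTIVE", "created": "2021-01-05T08:00:00.000Z",
     "lastLogin": None, "passwordChanged": "2021-01-05T08:05:00.000Z",
     "profile": {"login": "mallory-admin@example.invalid"}},
]
# Constructed map of user id -> administrator role types (assumption: the shape
# of what the per-user roles endpoint returns; the bulletin does not name it).
SAMPLE_ROLES = {"00u1": ["SUPER_ADMIN"], "00u2": ["ORG_ADMIN"],
                "00u3": ["APP_ADMIN"], "00u6": ["SUPER_ADMIN"]}
# Role types treated as highly privileged for this example (assumption).
HIGH_PRIV_ROLES = {"SUPER_ADMIN", "ORG_ADMIN", "APP_ADMIN", "USER_ADMIN", "GROUP_ADMIN"}
JAN_2022 = (datetime(2022, 1, 1, tzinfo=timezone.utc), datetime(2022, 2, 1, tzinfo=timezone.utc))
# Reference date for "currently inactive": the day Okta confirmed the incident.
NOW = datetime(2022, 3, 22, tzinfo=timezone.utc)


def parse_ts(value):
    """Okta timestamps are ISO 8601 UTC with milliseconds; lastLogin may be null."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def in_window(ts, window):
    start, end = window
    return ts is not None and start <= ts < end


def audit_privileged_accounts(users, roles, now=NOW, inactive_days=90):
    """Recommendation #3: privileged accounts created in January 2022 or currently inactive."""
    cutoff = now - timedelta(days=inactive_days)
    findings = []
    for user in users:
        held = HIGH_PRIV_ROLES.intersection(roles.get(user["id"], []))
        if not held:
            continue  # only highly privileged accounts are in scope
        reasons = []
        if in_window(parse_ts(user["created"]), JAN_2022):
            reasons.append("created during January 2022")
        last_login = parse_ts(user.get("lastLogin"))
        if last_login is None:
            reasons.append("never logged in")
        elif last_login < cutoff:
            reasons.append(f"no login in the last {inactive_days} days")
        if user["status"] != "ACTIVE":
            reasons.append(f"status is {user['status']}")
        if reasons:
            findings.append({"login": user["profile"]["login"],
                             "roles": sorted(held), "reasons": reasons})
    return findings


def password_reset_candidates(users, window=JAN_2022):
    """Recommendation #4: every user whose password changed inside the window."""
    return sorted(user["profile"]["login"] for user in users
                  if in_window(parse_ts(user.get("passwordChanged")), window))


if __name__ == "__main__":
    print("Privileged accounts to review:")
    for finding in audit_privileged_accounts(SAMPLE_USERS, SAMPLE_ROLES):
        print(f"  {finding['login']} {finding['roles']}: {'; '.join(finding['reasons'])}")
    print("Credential resets recommended for:")
    for login in password_reset_candidates(SAMPLE_USERS):
        print("  " + login)
```

Against a live tenant the two constructed inputs would come from listing users and then fetching each user's roles; the filtering logic does not change. Note that passwordChanged also moves for legitimate self-service changes, so the reset list is intentionally a superset of anything an attacker may have touched, which matches the bulletin's precautionary stance.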
1. Official Okta Statement:
2. Granting Access to Okta Support:
3. Blog Summarising Details of Alleged Okta Compromise: