First Microsoft, then Okta: New ransomware gang posts details from every

JOHNNY-COME-LATELY —

If you haven't heard of Lapsus$, you probably should now. It probably won't be the last time.

Dan Goodin

Stock photo of ransom note with letters cut out of newspapers and magazines.

A relatively new entrant to the ransomware scene has made two startling claims in recent days by posting images that purport to show proprietary data the group says it stole from Microsoft and Okta, a single sign-on provider with 15,000 customers.

The Lapsus$ group, which first appeared three months ago, said Monday night on its Telegram channel that it gained privileged access to some of Okta's proprietary data. The claim, if true, could be serious because Okta allows employees to use a single account to log in to multiple services belonging to their employer.

Gaining "Superuser" status

"BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA," the Telegram post stated. "Our focus was ONLY on okta customers."

Okta co-founder and CEO Todd McKinnon said on Twitter that the data appears to be connected to a hack that occurred two months ago. He explained:

In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.

In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2)

— Todd McKinnon (@toddmckinnon) March 22, 2022

In a post published later, Okta Chief Security Officer David Bradbury said there had been no breach of his company's service. The January compromise attempt referenced in McKinnon's tweet was unsuccessful. Okta nonetheless retained a forensics firm to investigate and recently received its findings.

"The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer's laptop," the Okta post said. "This is consistent with the screenshots that we became aware of yesterday."

The post continued:

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data—for example, Jira tickets and lists of users—that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

Lapsus$ quickly responded to the Okta post by calling the claims "lies."

"I'm STILL unsure how it's [an] unsuccessful attempt?" the post stated. "Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn't successful?"

The rebuttal added: "The potential impact to Okta customers is NOT limited, I'm pretty certain resetting passwords and MFA would result in complete compromise of many clients systems."

Lapsus$'s Monday night post was accompanied by eight screenshots. One appeared to show someone logged into a "Superuser" dashboard belonging to Cloudflare, a content-delivery network that uses Okta services. Another image showed what appeared to be a password change for a Cloudflare employee.

Cloudflare founder and CEO Matthew Prince responded a few hours later that Okta may have been compromised but, in any event, "Okta is merely an identity provider. Thankfully, we have multiple layers of security beyond Okta and would never consider them to be a standalone option."

In a separate tweet, Prince said Cloudflare was resetting Okta credentials for employees who changed their passwords in the past four months. "We have confirmed no compromise," he added. "Okta is one layer of security. Given they may have an issue, we're evaluating alternatives for that layer."

We are aware that @Okta may have been compromised. There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.

— Matthew Prince 🌥 (@eastdakota) March 22, 2022


We are resetting the @Okta credentials of any employees who've changed their passwords in the last 4 months, out of abundance of caution. We've confirmed no compromise. Okta is one layer of security. Given they may have an issue we're evaluating alternatives for that layer.

— Matthew Prince 🌥 (@eastdakota) March 22, 2022

Cloudflare has since published this account of its investigation into the breach.
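The two capabilities that matter in the Okta statement and in Cloudflare's response are visible in identity-provider audit logs: a support-side actor resetting another user's password or wiping their MFA factors, and the set of accounts whose password changed inside a lookback window (Cloudflare used four months). The script below is an added example, not code from Ars Technica, Okta or Cloudflare. It triages constructed log lines in an Okta-System-Log-like JSON shape; the event-type strings are assumptions modelled on Okta's System Log, and the four-month window is approximated as 120 days.

```python
"""
Added example (not from the article, Okta or Cloudflare): triage
identity-provider audit events for (1) password/MFA resets performed
by someone other than the account owner and (2) every account whose
password changed inside a lookback window, to build a forced-reset list.
The log lines are constructed; event-type strings are assumptions
modelled on Okta System Log event types.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events (one JSON object per line), not real log data.
SAMPLE_LOG = """
{"published":"2022-01-18T10:02:11Z","eventType":"user.account.reset_password","actor":{"alternateId":"support-eng@vendor.example"},"target":[{"alternateId":"alice@corp.example"}]}
{"published":"2022-01-19T09:41:05Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"support-eng@vendor.example"},"target":[{"alternateId":"alice@corp.example"}]}
{"published":"2022-02-02T15:30:00Z","eventType":"user.account.update_password","actor":{"alternateId":"bob@corp.example"},"target":[{"alternateId":"bob@corp.example"}]}
{"published":"2021-10-01T08:00:00Z","eventType":"user.account.update_password","actor":{"alternateId":"carol@corp.example"},"target":[{"alternateId":"carol@corp.example"}]}
{"published":"2022-03-01T12:00:00Z","eventType":"user.session.start","actor":{"alternateId":"dave@corp.example"},"target":[]}
"""

# Assumed event types: administrative/support resets of another user's
# credential material, and self-service password changes.
PRIVILEGED_RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}
PASSWORD_CHANGE_EVENTS = PRIVILEGED_RESET_EVENTS | {"user.account.update_password"}


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Parse newline-delimited JSON events; timestamps become aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["published"] = _parse_ts(event["published"])
        events.append(event)
    return events


def third_party_resets(events):
    """Password resets or MFA wipes where the actor is not the affected user.

    Returns (timestamp, eventType, actor, target) tuples for review.
    """
    hits = []
    for event in events:
        if event["eventType"] not in PRIVILEGED_RESET_EVENTS:
            continue
        actor = event["actor"]["alternateId"]
        for target in event["target"]:
            if target["alternateId"] != actor:
                hits.append((event["published"], event["eventType"], actor, target["alternateId"]))
    return hits


def users_to_force_reset(events, now_iso, lookback_days=120):
    """Accounts whose password changed (self-service or reset) since now - lookback.

    Mirrors the precaution of resetting credentials for everyone whose
    password changed in a window, regardless of who performed the change.
    """
    cutoff = _parse_ts(now_iso) - timedelta(days=lookback_days)
    users = set()
    for event in events:
        if event["eventType"] in PASSWORD_CHANGE_EVENTS and event["published"] >= cutoff:
            for target in event["target"]:
                users.add(target["alternateId"])
    return sorted(users)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for ts, etype, actor, target in third_party_resets(evts):
        print(f"REVIEW {ts.isoformat()} {etype}: {actor} -> {target}")
    print("force reset:", users_to_force_reset(evts, "2022-03-22T00:00:00Z"))
```

The first pass surfaces exactly the class of action Okta said support engineers could perform (resetting passwords and MFA factors on someone else's account), which is the signal to correlate against support-ticket history; the second pass produces the broad, low-precision containment list Cloudflare described, which deliberately includes self-service changes because the log alone cannot prove who was at the keyboard.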

Other images in the Lapsus$ post show someone logged in to what appears to be an internal Okta system, a list of Okta's Slack channels, and some of the apps available to Okta employees.

Okta services are approved for use by the US government under a program called FedRAMP, which certifies that cloud-based services meet minimum security requirements.

"For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved), I think these security measures are pretty poor," gang members wrote in the Monday Telegram post.

Microsoft

Over the weekend, the same Telegram channel posted images to support a claim Lapsus$ made that it breached Microsoft systems. The Telegram post was later removed—but not before security researcher Dominic Alvieri documented the hack on Twitter.

On Monday—a day after the group posted and then deleted the images—Lapsus$ posted a BitTorrent link to a file archive that purportedly contained proprietary source code for Bing, Bing Maps, and Cortana, all of which are Microsoft-owned services. Bleeping Computer, citing security researchers, reported that the contents of the download were 37GB in size and appeared to be legitimate Microsoft source code.

Microsoft on Tuesday said only: "We are aware of the claims and are investigating."

Lapsus$ is a threat actor that appears to operate out of South America or possibly Portugal, researchers at security firm Check Point said. Unlike most ransomware groups, the firm said, Lapsus$ doesn't encrypt the data of its victims. Instead, it threatens to release the data publicly unless the victim pays a hefty ransom. The group, which first appeared in December, has claimed to have successfully hacked Nvidia, Samsung, Ubisoft, and others.

"Details of how the group managed to breach these targets has never been fully clear," Check Point researchers wrote in a Tuesday morning post. "If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent successful run."