Okta, a massively popular company which provides identity and access management (IAM) services to clients worldwide, was recently targeted by threat actor Lapsus$.
The compromise of Okta, or of any other provider of IAM services, is highly sensitive and potentially far-reaching: Okta's IAM services alone allow approximately 15,000 companies to log securely into multiple services via Single Sign-On (SSO). SSO lets users authenticate to multiple applications with one set of credentials, rather than a unique set for each individual service, so a compromise of the identity provider can reach every application that trusts it.
Lapsus$ does not appear to target a specific industry vertical; public networks within European and South American organizations have also been compromised. The group has also publicly boasted about obtaining stolen source code from Microsoft relating to Bing and Cortana.
The timeline of Okta's breach events is under scrutiny, as the threat actor disputes the official statements provided by Okta. However, it is understood that the breach occurred at some time within the last three to six months. This is particularly concerning because a single compromised Okta client account, for a client such as FedEx or Cloudflare, could in turn affect numerous users of that client.
Okta acknowledged the cyberattack after Lapsus$ used its Telegram channel to release screenshots of compromised credentials. According to Okta, the breach was conducted through the compromise of an individual workstation belonging to a subcontractor who had access to the Okta network. That remote desktop session was then leveraged to take the screenshots.
Within those screenshots, Lapsus$ shows the credentials it had gained access to, which rose to the level of administrator.
If true, that depth of compromise could be extremely damaging to end-users at companies using Okta as their SSO solution: privileged access that is reachable through a third party creates a significant opportunity for exploitation.
To reduce the impact of this type of attack, users and network administrators are strongly urged to implement the following security measures immediately:
BinaryLab's ethos of enumerating, evaluating, and understanding the threat surface of an individual network applies equally to large-scale enterprises such as these.
If you have any questions about the information above, please contact your E. Cohen advisor. For a cybersecurity assessment or more information, contact our subsidiary, BinaryLab, at 301-337-3131.