LAPSUS$ ransomware group claims Okta breach | #malware | #ransomware | #hacking | #aihp

Ransomware group LAPSUS$ has claimed to have breached the internal systems of cloud-based authentication software provider Okta.

The breach was first flagged on Twitter by Bill Demirkapi, a senior security engineer at video conferencing company Zoom, at 8:15pm Pacific Time on Monday night.

According to the LAPSUS$ screenshots, taken from the secure messaging service Telegram and posted online by Demirkapi and others, the ransomware group said it did not target Okta’s databases, instead focusing on Okta customers. It also showed possible superuser access, and screenshots of Okta’s internal Jira and Slack instances.

At 1:23am Pacific Time on Tuesday, Okta CEO Todd McKinnon responded on Twitter:

In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.

Despite earlier claims that it had not been breached, Okta then issued another statement later that day asserting that “a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon,” but that “the Okta service is fully operational, and there are no corrective actions our customers need to take.”

In that statement, chief security officer David Bradbury explained that “there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” and therefore any breach was limited to the access level a support engineer typically has, including Jira tickets and lists of users, but not the ability to create or delete users, or download customer databases.