Since the morning of March 22, several publications have reported an attack by the Lapsus$ group on Okta. The publications detailed the attackers' intention to gain information about Okta's customers. The Lapsus$ group is relatively new and is known for its unusual attack method: it pays insiders at large companies in exchange for credentials and VPN access to those companies. Once the relevant credentials are received, Lapsus$ essentially has full and legitimate control over the network as well as access to the customers. It is extremely important to emphasize that the group manages a Telegram channel, as well as private chats on Telegram, to solicit and receive candidates to use in its attacks. According to Okta officials, this attack was conducted in January.
At this point, we do not see a connection between this attack group and state sponsorship. However, we cannot be 100% certain at this point that there is no state-sponsored component.
The purpose of this document is to present CYE's analysis of the above-mentioned attack and provide you with recommendations for strengthening your networks accordingly.
CYE's CTI team continues to monitor and analyze the attacking group as well as the incident at Okta. The extent of the incident is still undefined, and it is possible that it is not yet completely contained. In the meantime, companies should prepare for the worst possible outcome. In addition, our DFIR teams are on high alert and ready to engage and support wherever necessary, 24/7. For your use, we are attaching our recommendations on Readiness & Procedures, Narrowing Attack Surface, Monitoring, and IdP Replacement.
Readiness & procedures
- Since the extent of the breach is unknown, we advise preparing for the worst and having a playbook ready for such an event. Refresh managerial awareness of incidents like this: the dangers of an inside job and its implications.
- Conduct a proactive CTI effort for early warning and detection of campaigns against the company and its subsidiaries to help accurately assess your cyber risk and potential incidents.
- Make the necessary preparations to conduct an IR operation, including Threat Hunting, Crisis Management, Identification, Containment, and Eradication procedures, to reduce the risk of cyberattacks in their preliminary stages. Also, be ready to conduct threat hunting in the company's environment if you are indeed breached.
The approach for handling this delicate situation should be divided into three efforts: narrowing attack surfaces, monitoring, and an IdP replacement plan. The latter will be put to use only if Okta is completely compromised and an IdP.
Narrowing Attack Surface
- Consider changing user and API passwords, as well as the passwords of the Okta administrator users. If Lapsus$ no longer has access to Okta, the credentials they previously obtained will no longer be valid after the password change.
- Identify top critical assets which are using Okta.
- Consider placing a bastion host in front of critical assets. Access to it should use local users with MFA, or any other authentication method that does not rely on Okta. Additionally, access to the critical systems must be restricted to the bastion host.
- If possible, enable IP whitelisting on any apps that support it, allowing only incoming connections from your network or known IPs (for internal apps, SaaS, etc.).
- If your remote-access method uses Okta, consider changing it. Make sure an MFA requirement is enabled.
Monitoring
- Review the Okta Administrator panel logs and identify suspicious logins. Create an alert for any administrator login and examine each one.
- Create an alert for suspicious application logins, e.g., based on IP geolocation, an unusual source host, etc.
- Create an alert for abnormal API calls, e.g., based on quantity, behavior, request source, etc.
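The three alerting rules above, written out as an added example (this is not CYE's tooling or Okta's code): a small Python detector run over constructed Okta System Log-style events. The field names (`eventType`, `actor.alternateId`, `client.ipAddress`, `client.geographicalContext.country`) approximate Okta's schema and should be treated as assumptions; the `api.request` event type is an invented placeholder, and all sample values are made up. It alerts on every admin-console login, flags application logins from an unexpected country or unknown source IP, and flags any actor whose API-call count exceeds a threshold inside a sliding time window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event type names. The first two approximate Okta System Log event types;
# "api.request" is an ASSUMED placeholder for API-call events, not a real value.
ADMIN_EVENT = "user.session.access_admin_app"
LOGIN_EVENTS = {"user.authentication.sso", "user.session.start"}
API_EVENT = "api.request"

# Constructed sample log (newline-delimited JSON). Every value is invented.
SAMPLE_LOG = "\n".join([
    '{"published":"2022-03-22T08:00:00Z","eventType":"user.session.access_admin_app",'
    '"actor":{"alternateId":"admin@example.com"},'
    '"client":{"ipAddress":"203.0.113.10","geographicalContext":{"country":"Israel"}}}',
    '{"published":"2022-03-22T08:05:00Z","eventType":"user.authentication.sso",'
    '"actor":{"alternateId":"alice@example.com"},'
    '"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"Israel"}}}',
    '{"published":"2022-03-22T08:06:00Z","eventType":"user.authentication.sso",'
    '"actor":{"alternateId":"bob@example.com"},'
    '"client":{"ipAddress":"192.0.2.44","geographicalContext":{"country":"Brazil"}}}',
    '{"published":"2022-03-22T08:09:00Z","eventType":"user.session.access_admin_app",'
    '"actor":{"alternateId":"helpdesk@example.com"},'
    '"client":{"ipAddress":"192.0.2.99","geographicalContext":{"country":"Brazil"}}}',
] + [
    # A constructed burst: 30 API calls from one token inside a single minute.
    '{"published":"2022-03-22T08:10:%02dZ","eventType":"api.request","actor":{"alternateId":"svc-token"},"client":{"ipAddress":"198.51.100.9","geographicalContext":{"country":"Israel"}}}' % s
    for s in range(0, 60, 2)
])


def parse_log(text):
    """Parse newline-delimited JSON events and attach a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def admin_console_logins(events):
    """Rule 1: every admin-console login is an alert for a human to examine."""
    return [(e["actor"]["alternateId"], e["client"]["ipAddress"])
            for e in events if e["eventType"] == ADMIN_EVENT]


def suspicious_app_logins(events, allowed_countries, known_ips):
    """Rule 2: flag application logins with unexpected geolocation or source host."""
    alerts = []
    for e in events:
        if e["eventType"] not in LOGIN_EVENTS:
            continue
        country = e["client"]["geographicalContext"]["country"]
        ip = e["client"]["ipAddress"]
        reasons = []
        if country not in allowed_countries:
            reasons.append("geo:" + country)
        if ip not in known_ips:
            reasons.append("unknown-source:" + ip)
        if reasons:
            alerts.append((e["actor"]["alternateId"], reasons))
    return alerts


def abnormal_api_volume(events, window_seconds, threshold):
    """Rule 3: actors whose API-call count exceeds threshold in any sliding window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["eventType"] == API_EVENT:
            by_actor[e["actor"]["alternateId"]].append(e["_ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for actor, stamps in by_actor.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits within window_seconds.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[actor] = peak
    return flagged


def run_all(log_text, allowed_countries, known_ips, window_seconds=60, threshold=20):
    """Run all three rules over a log and return the alerts per rule."""
    events = parse_log(log_text)
    return {
        "admin_logins": admin_console_logins(events),
        "suspicious_logins": suspicious_app_logins(events, allowed_countries, known_ips),
        "api_volume": abnormal_api_volume(events, window_seconds, threshold),
    }


if __name__ == "__main__":
    print(json.dumps(run_all(SAMPLE_LOG, {"Israel"}, {"198.51.100.7", "203.0.113.10"}), indent=2))
```

The allowed-country set and known-IP list stand in for the organisation's own baseline (office egress ranges, VPN exit addresses); the window and threshold for API volume should be tuned against a few days of normal traffic before alerts are routed to an on-call analyst.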
IdP Replacement
Map all apps using Okta. Keep in mind the following:
- External interfaces
- SaaS services – consider disabling SSO with Okta and moving to local users for sensitive interfaces.
Prepare a plan for migrating to a different IdP. Review vendors, understand what they offer, how the integrations are supposed to work, etc.