You might recall that threat actor group Lapsus$ posted screenshots in their Telegram channel of what they claim to be Okta customer data. Okta is a leading provider of authentication services and Identity and Access Management (IAM) solutions. They’re used by organizations worldwide as a single sign-on (SSO) provider, allowing employees to securely access a company’s internal systems, such as email accounts, calendars, applications and more. Okta has responded with their version of events as well.
Lapsus$ has previously claimed responsibility for the leaked proprietary data of companies such as NVIDIA and Samsung. Unlike ransomware groups, Lapsus$ does not encrypt data once they gain access. Instead, they exfiltrate the data and threaten to publish what they’ve gathered if demands are not met. The group began by focusing on Latin American victims and some security researchers suspect the group is based in Latin America.
In the interest of helping customers of Okta since it is said that over 300 customers might be affected by this, I reached out to managed security provider Nuspire and JR Cunningham, CSO at Nuspire was kind enough to provide these recommendations:
- Review your Okta audit logs for suspicious activity focused on superuser/admin Okta accounts.
- Rotate passwords for high-privileged accounts.
- Check for privileged accounts created around the time of the suspected breach. (January 21, 2022).
Hopefully that helps companies take a security posture that help to protect them from being the next victim of Lapsus$.