March 24, 2022:
Between January 16-21, 2022, an attacker from LAPSUS$ (a digital extortion group) had access to the laptop of an Okta Customer Support Engineer who was working for an Okta third-party provider. Support Engineers have limited access/permissions, including:
- Access to Jira tickets.
- Access to Okta user lists.
- Can facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.
- Cannot create or delete users.
- Cannot download customer databases.
Resources
- Okta, “Updated Okta Statement on LAPSUS$”
- Bitsight Blog, “Okta Cyber Attack: Another Major Supply Chain Incident”
What You Can Do
Determine If You’re Affected
- Work with Okta to determine if your organization was one of the estimated 2.5% of Okta users accessed by LAPSUS$.
- Search your Okta logs and applications using Okta for unusual activity, such as user impersonation, password resets, and multi-factor authentication changes.
- Although the critical time frame of the attacker's access to Okta was January 16-21, we recommend extending the search beyond January 21 and looking for other signs of intrusion to determine whether the attackers were able to move further into, and persist in, your environment.
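The log review described above can be scripted rather than done by hand. The following Python triage script is an added example, not part of the original Bitsight article or Okta's tooling: it reads Okta System Log entries (JSON, one per line, as exported from the System Log API), keeps only the event types that correspond to the activity named above (support impersonation, password resets, MFA factor changes), and reports whether each hit fell inside the core January 16-21 window or in a configurable tail after it. The event type names are Okta System Log types as I know them and should be checked against Okta's documentation; the five log lines are constructed sample data, and the actor and target addresses are placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

# Okta System Log event types matching the activity the article says to look for.
# These names are Okta event types as I know them (assumption); verify them
# against Okta's System Log documentation before relying on the list.
SUSPICIOUS_EVENT_TYPES = {
    "user.session.impersonation.initiate": "support impersonation",
    "user.session.impersonation.grant": "support impersonation",
    "user.account.reset_password": "password reset",
    "user.mfa.factor.deactivate": "MFA factor change",
    "user.mfa.factor.reset_all": "MFA factor change",
}

# Core window from the article (January 16-21, 2022); CORE_END is exclusive.
CORE_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
CORE_END = datetime(2022, 1, 22, tzinfo=timezone.utc)

# Constructed sample entries (not real log data); only the fields used here are present.
SAMPLE_LOG_LINES = [
    json.dumps({"published": "2022-01-17T09:12:03.000Z", "eventType": "user.session.start",
                "actor": {"alternateId": "alice@example.com"}, "target": []}),
    json.dumps({"published": "2022-01-18T14:02:44.000Z",
                "eventType": "user.session.impersonation.initiate",
                "actor": {"alternateId": "support-eng@example-provider.test"},
                "target": [{"alternateId": "bob@example.com"}]}),
    json.dumps({"published": "2022-01-19T10:41:00.000Z", "eventType": "user.account.reset_password",
                "actor": {"alternateId": "support-eng@example-provider.test"},
                "target": [{"alternateId": "bob@example.com"}]}),
    json.dumps({"published": "2022-02-03T08:15:27.000Z", "eventType": "user.mfa.factor.reset_all",
                "actor": {"alternateId": "support-eng@example-provider.test"},
                "target": [{"alternateId": "carol@example.com"}]}),
    json.dumps({"published": "2022-03-10T12:00:00.000Z", "eventType": "user.account.reset_password",
                "actor": {"alternateId": "helpdesk@example.com"},
                "target": [{"alternateId": "dave@example.com"}]}),
]


def _parse_ts(value):
    """Parse Okta's ISO-8601 'published' timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(log_lines, extended_days=30):
    """Return the events worth reviewing, oldest first.

    Each finding records the category, whether the event fell inside the core
    January 16-21 window or only in the extended tail, the actor, and the targets.
    """
    end = CORE_END + timedelta(days=extended_days)
    findings = []
    for line in log_lines:
        event = json.loads(line)
        category = SUSPICIOUS_EVENT_TYPES.get(event.get("eventType"))
        if category is None:
            continue  # not one of the event types under review
        when = _parse_ts(event["published"])
        if not (CORE_START <= when < end):
            continue  # outside the core window and its extended tail
        findings.append({
            "published": when.isoformat(),
            "event_type": event["eventType"],
            "category": category,
            "in_core_window": when < CORE_END,
            "actor": event.get("actor", {}).get("alternateId", "?"),
            "targets": [t.get("alternateId", "?") for t in event.get("target", [])],
        })
    findings.sort(key=lambda f: f["published"])
    return findings


def actors_to_review(findings):
    """Count reviewable events per actor; one actor combining impersonation
    with resets is the pattern to escalate to Okta and your IR team."""
    counts = {}
    for f in findings:
        counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG_LINES)
    for f in results:
        flag = "CORE" if f["in_core_window"] else "tail"
        print(f"[{flag}] {f['published']} {f['category']:<22} "
              f"{f['actor']} -> {', '.join(f['targets'])}")
    print(actors_to_review(results))
```

Run against the sample data, the script flags the two core-window events (an impersonation followed by a password reset on the same target by the same support actor) and the MFA reset in the tail, and drops the ordinary session start and the March reset that falls outside the 30-day tail. Raise `extended_days` to widen the tail; every hit still needs a human to confirm whether a support case justified it.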
Search Across Your Portfolio
Third Parties
Identify which organizations in your third-party ecosystem may have been affected.
- Ensure the appropriate portfolio option is selected from the Context Switcher dropdown.
- Select “Okta, Inc.” from the Service Provider filter to narrow your search.
- Move these companies for analysis into a new folder for ease of access.
Fourth Parties
Additionally, refer to the following instructions to see potentially impacted providers if you are using Bitsight for 4th Party:
- Select your folder containing your potentially impacted third parties from the Context Switcher dropdown.
- Enter “Okta” in the top-right search bar.
This data can be exported (.csv) using the Export button at the top-right of the service provider details window.
Collaborate With Your Third Parties
Contact those organizations to confirm their use of Okta or use the Enable Access Program. Determine what steps they're taking to confirm or refute that they've been affected and ask that they keep you informed on the state of their investigation.