First Microsoft, then Okta: New ransomware gang posts data from both

22/03/2022

Stock photo of ransom note with letters cut out of newspapers and magazines.

A relatively new entrant to the ransomware scene has made two startling claims in recent days by posting images that appear to show proprietary data the group says it stole from Microsoft and Okta, a single sign-on provider with 15,000 customers.

The Lapsus$ group, which first appeared three months ago, said Monday evening on its Telegram channel that it gained privileged access to some of Okta’s proprietary data. The claim, if true, could be serious because Okta allows employees to use a single account to log into multiple services belonging to their employer.

Gaining “Superuser” status

“BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA,” the Telegram post stated. “Our focus was ONLY on okta customers.”

Okta co-founder and CEO Todd McKinnon said on Twitter that the data appears to be linked to a hack that occurred two months ago. He explained:

In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.


In a post published later, Okta Chief Security Officer David Bradbury said there had been no breach of his company’s service. The January compromise attempt referenced in McKinnon’s tweet was unsuccessful. Okta nonetheless retained a forensics firm to investigate and recently received its findings.

“The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” the Okta post said. “This is consistent with the screenshots that we became aware of yesterday.”


The post continued:

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users or download customer databases. Support engineers do have access to limited data—for example, Jira tickets and lists of users—that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

Lapsus$ promptly responded to the Okta post by calling the claims therein “lies.”

“I’m STILL unsure how it’s [an] unsuccessful attempt?” the post stated. “Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn’t successful?”

The rebuttal added: “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.”
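Okta's description of what a support engineer can do and the Lapsus$ rebuttal turn on the same capability: password and MFA-factor resets carried out from a support session. An Okta customer can check its own tenant for that from the System Log, which records support access as user.session.impersonation.initiate / user.session.impersonation.end events and records the resets under their own event types. What follows is an added example, not code from the article, from Okta or from Cloudflare: a Python filter that brackets impersonation sessions and lists every password or MFA reset that fell inside one. The event type names are Okta's; the log lines, the tenant, the user names and the heuristic of attributing any reset inside a session window to that session are constructed assumptions of the example, and a session that never logs an end event is treated as open until the last event in the log.

```python
"""Hunt an Okta System Log export for password/MFA resets performed while an
Okta support impersonation session was open.

Added example. The event type strings are those Okta documents for its System
Log; SAMPLE_LOG, the user names and the tenant are constructed for this example.
"""
import json
from datetime import datetime

IMPERSONATION_START = "user.session.impersonation.initiate"
IMPERSONATION_END = "user.session.impersonation.end"
SENSITIVE_EVENTS = {
    "user.account.reset_password",  # password reset on behalf of a user
    "user.mfa.factor.reset_all",    # every enrolled MFA factor removed
    "user.mfa.factor.deactivate",   # a single MFA factor removed
}

# Constructed newline-delimited JSON in the System Log shape (published,
# eventType, actor, target[], outcome). Not real log data.
SAMPLE_LOG = """\
{"published":"2022-01-16T10:00:00.000Z","eventType":"user.session.impersonation.initiate","actor":{"id":"00u_support","type":"User","displayName":"Okta Support"},"target":[],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-16T10:05:00.000Z","eventType":"user.account.reset_password","actor":{"id":"00u_support","type":"User","displayName":"Okta Support"},"target":[{"id":"00u_alice","type":"User","alternateId":"alice@example.com"}],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-16T10:06:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"id":"00u_support","type":"User","displayName":"Okta Support"},"target":[{"id":"00u_alice","type":"User","alternateId":"alice@example.com"}],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-16T10:30:00.000Z","eventType":"user.session.impersonation.end","actor":{"id":"00u_support","type":"User","displayName":"Okta Support"},"target":[],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-17T09:00:00.000Z","eventType":"user.account.reset_password","actor":{"id":"00u_helpdesk","type":"User","displayName":"Help Desk Admin"},"target":[{"id":"00u_bob","type":"User","alternateId":"bob@example.com"}],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-18T08:00:00.000Z","eventType":"user.session.impersonation.initiate","actor":{"id":"00u_support","type":"User","displayName":"Okta Support"},"target":[],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-18T08:10:00.000Z","eventType":"user.mfa.factor.deactivate","actor":{"id":"00u_support","type":"User","displayName":"Okta Support"},"target":[{"id":"00u_carol","type":"User","alternateId":"carol@example.com"},{"id":"opf_1","type":"UserFactor"}],"outcome":{"result":"SUCCESS"}}
"""


def parse_events(ndjson: str) -> list:
    """Parse one JSON event per line and sort by publish time."""
    events = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # "Z" suffix is not accepted by fromisoformat on older Pythons.
        event["_ts"] = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["_ts"])
    return events


def impersonation_windows(events: list) -> list:
    """Return [(start, end)] for each impersonation session, keyed by actor.
    A session with no end event stays open until the last event in the log."""
    open_sessions, windows = {}, []
    for event in events:
        actor_id = event["actor"]["id"]
        if event["eventType"] == IMPERSONATION_START:
            open_sessions[actor_id] = event["_ts"]
        elif event["eventType"] == IMPERSONATION_END:
            start = open_sessions.pop(actor_id, None)
            if start is not None:
                windows.append((start, event["_ts"]))
    log_end = events[-1]["_ts"] if events else None
    for start in open_sessions.values():
        windows.append((start, log_end))
    return windows


def flag_resets(events: list) -> list:
    """Sensitive events whose timestamp falls inside any impersonation window.
    Assumption of this example: a reset inside the window belongs to that session."""
    windows = impersonation_windows(events)
    findings = []
    for event in events:
        if event["eventType"] not in SENSITIVE_EVENTS:
            continue
        for start, end in windows:
            if start <= event["_ts"] <= end:
                findings.append({
                    "published": event["published"],
                    "eventType": event["eventType"],
                    "actor": event["actor"].get("displayName") or event["actor"]["id"],
                    "target": [t.get("alternateId", t["id"]) for t in event.get("target", [])
                               if t.get("type") == "User"],
                    "outcome": event["outcome"]["result"],
                    "session_start": start.isoformat(),
                })
                break
    return findings


def affected_users(findings: list) -> list:
    """Distinct user logins that had a password or factor reset in a support session."""
    return sorted({user for f in findings for user in f["target"]})


if __name__ == "__main__":
    hits = flag_resets(parse_events(SAMPLE_LOG))
    for hit in hits:
        print(json.dumps(hit))
    print("re-verify:", affected_users(hits))
```

Run against a real export the output is the list of accounts whose password or factors changed under a support session; those are the users whose credentials and factors a tenant would re-issue, which is the same shape of response Cloudflare describes below (resetting the Okta credentials of anyone who changed a password in the affected period). The help-desk reset on 17 January is deliberately left unflagged: it happened outside any impersonation window, and the example only claims a correlation in time, not that a support engineer initiated the reset.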

Lapsus$’s Monday evening post was accompanied by eight screenshots. One appeared to show someone logged into a “Superuser” dashboard belonging to Cloudflare, a content-delivery network that uses Okta services. Another image showed what appeared to be a password change for a Cloudflare employee.

Cloudflare founder and CEO Matthew Prince responded several hours later that Okta may have been compromised but, in any event, “Okta is merely an identity provider. Thankfully, we have multiple layers of security beyond Okta and would never consider them to be a standalone option.”

In a separate tweet, Prince said Cloudflare was resetting Okta credentials for employees who changed their passwords in the past four months. “We’ve confirmed no compromise,” he added. “Okta is one layer of security. Given they may have an issue, we’re evaluating alternatives for that layer.”


We are aware that @Okta may have been compromised. There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.

— Matthew Prince 🌥 (@eastdakota) March 22, 2022

We are resetting the @Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution. We’ve confirmed no compromise. Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.

— Matthew Prince 🌥 (@eastdakota) March 22, 2022

Cloudflare has since published this account of its investigation into the breach.

Other images in the Lapsus$ post show someone logged into what appears to be an internal Okta system, a list of Okta’s Slack channels, and some of the apps available to Okta employees.

Okta services are approved for use by the US government under a program known as FedRAMP, which certifies that cloud-based services meet minimum security requirements.

“For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor,” gang members wrote in the Monday Telegram post.

Microsoft

Over the weekend, the same Telegram channel posted images to support a claim Lapsus$ made that it breached Microsoft systems. The Telegram post was later removed—but not before security researcher Dominic Alvieri documented the hack on Twitter.

On Monday—a day after the group posted and then deleted the image—Lapsus$ posted a BitTorrent link to a file archive that purportedly contained proprietary source code for Bing, Bing Maps, and Cortana, all of which are Microsoft-owned services. Bleeping Computer, citing security researchers, reported that the contents of the download were 37GB in size and appeared to be genuine Microsoft source code.

Microsoft on Tuesday said only: “We are aware of the claims and investigating.”

Lapsus$ is a threat actor that appears to operate out of South America, or possibly Portugal, researchers at security firm Checkpoint said. Unlike most ransomware groups, the firm said, Lapsus$ doesn’t encrypt the data of its victims. Instead, it threatens to release the data publicly unless the victim pays a hefty ransom. The group, which first appeared in December, has claimed to have successfully hacked Nvidia, Samsung, Ubisoft, and others.

“Details of how the group managed to breach these targets has never fully been explained,” Checkpoint researchers wrote in a Tuesday morning post. “If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent successful run.”
