Ransomware group LAPSUS$ has claimed to have breached the internal systems of cloud-based authentication software provider Okta and has been targeting the data of its customers since January 21, 2022.
The breach was first flagged on Twitter by Bill Demirkapi, a senior security engineer at video conferencing company Zoom, at 8:15pm Pacific Time on Monday night.
According to the LAPSUS$ screenshots, taken from the secure messaging service Telegram and posted online by Demirkapi and others, the ransomware group said it did not target Okta’s databases, instead focusing on Okta customers. It also showed possible superuser access, and screenshots of Okta’s internal Jira and Slack instances.
An Okta spokesperson told Reuters that it was aware of the reports and would investigate further.
At 1:23am Pacific Time, Okta CEO Todd McKinnon responded on Twitter:
In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.
Cloudflare CEO Matthew Prince tweeted that while his company has not confirmed a compromise, it would be “resetting the Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution” and that it would be “evaluating alternatives” to the authentication software.
LAPSUS$ is the same ransomware group that recently successfully breached both Samsung and Nvidia.
Jake Moore, global cyber security advisor at ESET, warned: “Okta’s customers, along with customers of companies who also rely on the technology, must now be extra vigilant and cautious of any suspicious activity on their accounts, especially from unsolicited emails.”
Copyright © 2022 IDG Communications, Inc.
