Okta Confirms Lapsus$ Attack, While Microsoft Investigates Breach Claim -- Redmondmag.com

Okta Confirms Lapsus$ Attack, While Microsoft Investigates Breach Claim

By Kurt Mackie
03/22/2022

Identity services provider Okta on Tuesday stated that its service wasn't breached by Lapsus$ attackers, although the account of a third-party support engineer working with Okta did get hacked back in January.

On Monday, the attack group Lapsus$, thought to be based in Brazil, posted screenshots demonstrating an Okta software breach, as reported by Reuters. The group has gained the limelight of late for also having exposed the code and credentials of Nvidia, Samsung and Ubisoft in recent attacks.

Microsoft is yet another supposed Lapsus$ victim, with a recent claim this week that Azure DevOps was hacked. The hack is said to have exposed source code for Bing and Cortana. Microsoft currently is investigating this claim, according to a Bleepingcomputer.com article.

The article noted that Microsoft assumes the exposure of source code when making its software, and designs its security so that it is not based on that code. Microsoft refers to this method as its "inner source" software development approach.

However, former Microsoft security employee Kevin Beaumont commented that there were "multiple code signing certs leaked, not just source code," in a March 22 Twitter post about the alleged Lapsus$ attack on Microsoft.

In a late-breaking announcement on Tuesday, Microsoft addressed the issue and stated that just a single account had been breached by the Lapsus$ attackers (in a long article about the group):

No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.

In Okta's case, the Lapsus$ attackers had access to the support engineer's laptop for five days, "between January 16-21, 2022," according to an unnamed forensics firm that Okta hired to investigate the incident.

The support engineer had access to "limited data," such as "Jira tickets and lists of users," as shown in the screenshots published by the attack group. Okta further claimed that the support engineer could reset passwords and multifactor authentication, but lacked the ability to access those passwords.

Okta added that "there are no corrective actions that need to be taken by our customers" and it is currently "contacting those customers that may have been impacted."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.