OKTA breached by Lapsus$ Ransomware Gang

*Last update March 23rd 2022 02:46 CET

Identity firm OKTA breached by Lapsus$ Ransomware Gang. Millions of users potentially compromised globally

What do we know by now?

According to an official statement from Okta, the authentication services company is investigating a breach of its systems after the Lapsus$ group published a message in its official Telegram group claiming to have breached the company but that it “didn’t steal/access any Okta database”. According to the group, the target of the attack wasn’t Okta itself but its customers.

Source: Telegram

Potential impact of a disastrous magnitude, felt worldwide

Thousands of companies use Okta to secure and manage their identities, which in practice means that Okta manages vast numbers of user identities globally. A compromise of this magnitude can have a severe global impact and set off a chain reaction across enterprises whose employees' and contractors' identities are potentially compromised.
The consequences of a breach at Okta could be devastating, and at this point they are still to be seen or exposed.

Lapsus$ strikes again

Lapsus$ is a South American threat actor that has recently been linked to cyber-attacks on several high-profile targets. The gang is known for extortion: it threatens to release sensitive information if its demands are not met by the victim. The group has boasted of breaking into Nvidia, Samsung, Ubisoft and others.
The details of how the group managed to breach these targets have never been fully explained.
If confirmed, the breach at Okta may explain how Lapsus$ has been able to achieve its recent run of successes.

*On March 22, Okta stated on its official website that it is confident in its conclusion that the Okta service has not been breached and that there are no corrective actions that need to be taken by its customers.

However, we still recommend taking the actions described in the following paragraphs.

What should you do if you are using Okta to authenticate to Check Point products?

Check Point products (the management consoles and the remote access clients) can be accessed through Okta authentication.

While the incident is still being investigated, we recommend that Okta customers review recent audit and login activity within Check Point products.

Management Consoles:

  • Infinity Portal (portal.checkpoint.com): click Global Properties > Audit and select Login

    Infinity Portal logins example

  • CloudGuard Management Console (secure.dome9.com)
  • SmartConsole: Identity Awareness login/logout logs and traffic logs carrying identity information can be reviewed here

VPN / remote access products:

Harmony Connect – Customers can view user login events in Harmony Connect logs:

  • For internet access and Network-Level remote access:
    Review Log In events under Internet & Network Access > Traffic Logs
  • For Application Level access (clientless):
    System Login events under Application Access > Session Logs
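As an added example (not Check Point's or Okta's code), the following Python script shows the kind of triage a practitioner might run over an export of the login events referred to above once they have been pulled out of the consoles: it flags successful logins from two countries within a short window, bursts of failed logins followed by a success, and sensitive account changes such as MFA factor resets. The newline-delimited JSON format, the field names and the event type names are constructed assumptions that would need mapping to your own export, and the sample log lines are fabricated for illustration.

```python
"""Triage helper for reviewing recent login activity after an identity-provider incident.

Added example, not Check Point or Okta code. The JSON event shape below is a
constructed, simplified format loosely modelled on identity-provider system
logs; the field names (ts, user, event, result, ip, country) and event type
names are assumptions that must be mapped to whatever your console exports.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event types that should always be reviewed after an IdP compromise, whatever
# the source IP looks like (names are assumptions, map them to your log schema).
SENSITIVE_EVENTS = {
    "user.mfa.factor.reset_all",
    "user.account.reset_password",
    "user.account.privilege.grant",
}

# Constructed sample export, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"ts": "2022-03-21T08:02:11Z", "user": "alice@example.com", "event": "user.session.start", "result": "SUCCESS", "ip": "203.0.113.10", "country": "NL"}
{"ts": "2022-03-21T08:40:03Z", "user": "alice@example.com", "event": "user.session.start", "result": "SUCCESS", "ip": "198.51.100.7", "country": "BR"}
{"ts": "2022-03-21T09:00:00Z", "user": "bob@example.com", "event": "user.session.start", "result": "FAILURE", "ip": "192.0.2.5", "country": "US"}
{"ts": "2022-03-21T09:02:00Z", "user": "bob@example.com", "event": "user.session.start", "result": "FAILURE", "ip": "192.0.2.5", "country": "US"}
{"ts": "2022-03-21T09:04:00Z", "user": "bob@example.com", "event": "user.session.start", "result": "FAILURE", "ip": "192.0.2.5", "country": "US"}
{"ts": "2022-03-21T09:06:00Z", "user": "bob@example.com", "event": "user.session.start", "result": "SUCCESS", "ip": "192.0.2.5", "country": "US"}
{"ts": "2022-03-21T09:10:00Z", "user": "bob@example.com", "event": "user.mfa.factor.reset_all", "result": "SUCCESS", "ip": "192.0.2.5", "country": "US"}
{"ts": "2022-03-21T10:00:00Z", "user": "carol@example.com", "event": "user.session.start", "result": "SUCCESS", "ip": "203.0.113.22", "country": "NL"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # fromisoformat() only accepts the trailing 'Z' from Python 3.11 on.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def review(text, travel_window=timedelta(hours=2),
           failure_threshold=3, failure_window=timedelta(minutes=15)):
    """Return a list of findings, each a dict with keys user, rule and detail."""
    findings = []
    by_user = defaultdict(list)
    for event in parse_events(text):
        by_user[event["user"]].append(event)

    for user, events in by_user.items():
        logins = [e for e in events if e["event"] == "user.session.start"]
        successes = [e for e in logins if e["result"] == "SUCCESS"]
        failures = [e for e in logins if e["result"] == "FAILURE"]

        # Rule 1: consecutive successful logins from different countries
        # within travel_window (a crude impossible-travel check).
        for earlier, later in zip(successes, successes[1:]):
            if (earlier["country"] != later["country"]
                    and later["ts"] - earlier["ts"] <= travel_window):
                findings.append({
                    "user": user, "rule": "impossible_travel",
                    "detail": f'{earlier["country"]} -> {later["country"]} '
                              f'in {later["ts"] - earlier["ts"]}',
                })

        # Rule 2: a burst of failures followed by a success (password
        # guessing or MFA fatigue that eventually got through).
        for success in successes:
            recent = [f for f in failures
                      if success["ts"] - failure_window <= f["ts"] < success["ts"]]
            if len(recent) >= failure_threshold:
                findings.append({
                    "user": user, "rule": "failures_then_success",
                    "detail": f'{len(recent)} failures before success from {success["ip"]}',
                })

        # Rule 3: sensitive account changes are always worth a look.
        for event in events:
            if event["event"] in SENSITIVE_EVENTS:
                findings.append({
                    "user": user, "rule": "sensitive_event",
                    "detail": f'{event["event"]} from {event["ip"]} at {event["ts"].isoformat()}',
                })
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(f'{finding["rule"]:24} {finding["user"]:20} {finding["detail"]}')
```

On the constructed sample the script reports three findings: alice's logins from NL and then BR 38 minutes apart, bob's three failed logins followed by a success from the same IP, and bob's MFA factor reset shortly afterwards. The thresholds are deliberately loose; tighten them to your environment and add an allowlist of corporate egress IPs before relying on the output.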

Check Point Products Help You to Protect Against Compromised Identities

Check Point offers several solutions that protect against compromised identities and detect compromised identities and suspicious identity behavior:

  • CloudGuard Intelligence – continuously analyzes account activity across cloud services (GCP, AWS and Azure), detecting anomalies that may indicate compromised identities.
  • CloudGuard Posture Management provides an IAM Safety capability that enables an AWS IAM Dynamic Authorization solution, providing protection against malicious cloud control-plane attacks and unintentional privileged-user error.

The full extent of the cyber gang’s resources should become clear in the coming days, as should the extent of this breach.