The recent Okta security incident made us think about the dangerous combination of two attack vectors that are each hard enough to defend against on their own: the third party (or supply chain) and the identity provider. Together they are especially dangerous.
Identity and access management (IAM) is a cybersecurity framework: a predefined set of policies, processes, and tools for defining and enforcing individual roles and access privileges across cloud and on-premises applications.
An IAM solution is crucial for connecting your business with the people and resources it works with. It is a must-have (as part of a broader security plan) for preventing data breaches and maintaining the integrity of your business data. Accordingly, the IAM market is expected to grow to more than $20 billion by 2024.
The recent breaches at Okta, NVIDIA, and Microsoft are alarming for businesses, all the more so because Okta is itself an IAM provider.
On March 22, 2022, a series of screenshots was published on Telegram, taken from a system used by one of Okta’s third-party customer support engineers. By Okta’s count, 2.5% of its customers, 366 organizations, were impacted by the incident.
Okta is a popular authentication service used as a single sign-on provider by thousands of governments and organizations globally. It lets employees securely access their company’s internal network and resources such as apps, calendars, and email accounts.
The Lapsus$ hacking group claimed it had breached the identity management platform Okta back in January by infiltrating Sitel, a third-party provider of customer support services to Okta. A later report revealed that Lapsus$ used tools such as Mimikatz to extract passwords and expand its access within Sitel’s systems.
The extortion group has previously targeted customer support companies with weaker cybersecurity defenses. Microsoft, NVIDIA, and Roblox have experienced similar compromises, in which customer support agents’ accounts were taken over and used to reach internal systems.
At first, Okta played down the news, tying it to a January attempt by attackers to compromise a third-party support engineer’s account. Later, Okta admitted that it had made a mistake by not telling customers about the January breach.
Okta’s Chief Security Officer, David Bradbury, said in a statement:
“We concluded that a small percentage of customers, approximately 2.5%, have been impacted and whose data may have been viewed or acted upon.”
He further added: “We have identified those customers and directly contacted them. If you are an Okta customer and have been impacted, we have already reached out directly via email.
We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.”
Okta faced considerable backlash and criticism from the security community for its poor handling of the compromise and the months-long delay in informing customers.
A Timeline of What Happened in the Okta Attack
After acknowledging the breach, Okta’s CSO published a blog post on the company’s website laying out the events in chronological order. According to that post, here is what happened:
- On January 20, 2022, a third-party customer support engineer working for Okta had their account compromised by Lapsus$.
- Lapsus$ was after information on Okta’s customers, not on Okta itself.
- Information on up to 366 Okta customers was accessible. Per Okta, the data accessible in this breach was limited; Lapsus$ disputed this, claiming it had the ability to reset MFA factors and passwords.
- According to Okta, the incident was contained within a few hours of the initial compromise and no longer posed a security risk.
- On March 22, 2022, Lapsus$ leaked screenshots of the compromise on Telegram.
Choose the Right Solution
Whether or not you are an Okta customer, we encourage you to take the following steps to protect your data and your business:
- Review security policies and procedures with every organization in your supply chain.
- Review the System Log of your Okta tenant from January to March 2022 and look for suspicious activity, in particular MFA resets and password resets.
- Use suitable DevOps tools.
- Strengthen your security posture with cloud providers or identity and access management platforms such as Solvo.
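To make the log review concrete, here is an added example (not code from Okta, Solvo, or the original post) that scans a System Log export for password and MFA resets inside the January to March 2022 window and excludes actors you recognize, such as your own help desk. It assumes the export is the JSON event format the Okta System Log produces (fields such as `published`, `eventType`, `actor`, `target`, `client`, `outcome`); the list of sensitive event types is an assumption to adjust to what your tenant actually logs, and the sample events are constructed, not real data.

```python
"""Scan an Okta System Log export for MFA and password resets in a date window."""
import json
from datetime import datetime, timezone

# Event types worth reviewing after the Okta/Lapsus$ incident. The names follow the
# Okta System Log eventType convention; treat this list as an assumption and extend
# it to whatever your tenant actually records.
SENSITIVE_EVENT_TYPES = {
    "user.account.reset_password",
    "user.account.update_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.update",
}

# Window recommended above: January through March 2022, inclusive.
WINDOW_START = datetime(2022, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 3, 31, 23, 59, 59, tzinfo=timezone.utc)


def parse_published(ts: str) -> datetime:
    """Okta publishes timestamps as ISO 8601 with a trailing 'Z' (UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspicious_resets(events, start=WINDOW_START, end=WINDOW_END,
                           expected_actors=frozenset()):
    """Return sensitive events inside [start, end] whose actor is not one of
    expected_actors (e.g. your own help-desk accounts), oldest first."""
    findings = []
    for ev in events:
        when = parse_published(ev["published"])
        if not (start <= when <= end):
            continue
        if ev.get("eventType") not in SENSITIVE_EVENT_TYPES:
            continue
        actor = ev.get("actor", {})
        if actor.get("alternateId") in expected_actors:
            continue
        targets = [t.get("alternateId") for t in ev.get("target", [])
                   if t.get("type") == "User"]
        findings.append({
            "published": ev["published"],
            "eventType": ev["eventType"],
            "actor": actor.get("alternateId"),
            "actor_type": actor.get("type"),
            "targets": targets,
            "ip": ev.get("client", {}).get("ipAddress"),
            "outcome": ev.get("outcome", {}).get("result"),
        })
    findings.sort(key=lambda f: f["published"])
    return findings


# Constructed sample export (not real Okta data): an MFA reset before the window,
# an MFA reset by an unfamiliar actor inside it, an ordinary login, and a password
# reset by the in-house help desk inside the window.
SAMPLE_EVENTS = json.loads("""[
  {"uuid": "1", "published": "2021-12-30T09:00:00.000Z", "eventType": "user.mfa.factor.reset_all",
   "actor": {"type": "User", "alternateId": "helpdesk@example.com"},
   "target": [{"type": "User", "alternateId": "alice@example.com"}],
   "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}},
  {"uuid": "2", "published": "2022-01-20T14:05:12.000Z", "eventType": "user.mfa.factor.reset_all",
   "actor": {"type": "User", "alternateId": "support-contractor@example.net"},
   "target": [{"type": "User", "alternateId": "bob@example.com"}],
   "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}},
  {"uuid": "3", "published": "2022-02-02T08:10:00.000Z", "eventType": "user.session.start",
   "actor": {"type": "User", "alternateId": "bob@example.com"},
   "target": [], "client": {"ipAddress": "192.0.2.5"}, "outcome": {"result": "SUCCESS"}},
  {"uuid": "4", "published": "2022-03-15T10:00:00.000Z", "eventType": "user.account.reset_password",
   "actor": {"type": "User", "alternateId": "helpdesk@example.com"},
   "target": [{"type": "User", "alternateId": "carol@example.com"}],
   "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}}
]""")


if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_EVENTS, expected_actors={"helpdesk@example.com"}):
        print(f"{f['published']} {f['eventType']} by {f['actor']} -> {f['targets']} from {f['ip']}")
```

Run it against a real export (from the System Log UI or the `/api/v1/logs` endpoint with `since` and `until` set to the window) and seed `expected_actors` with the accounts that legitimately reset factors for your users; anything left over, especially resets by accounts you do not recognize or from unfamiliar IP addresses, deserves a closer look at the sessions that followed.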
Solvo automatically manages identity and access for users and cloud assets, ensuring that every identity is always least privileged.
Solvo’s IAMagnifier feature identifies and displays any entity with unnecessary access to your sensitive data.
This approach reduces the attack surface and the potential blast radius.