Source: https://cobaltstrike.net/2022/03/23/okta-lapsus-tried-to-hack-a-support-engineers-laptop-in-january/
Approximately 375 Okta customers (about 2.5% of its customer base) may have been affected by an intrusion attributed to the extortion group Lapsus$. An Okta representative confirmed that in January of this year the attackers attempted to compromise the laptop of one of its support engineers.
According to the results of the incident investigation, the attackers had access to that machine between January 16 and January 21, 2022, during which time they could reach the Okta customer support panel and the company's Slack workspace.
Screenshots previously posted by Lapsus$ show the email address of an Okta employee whose account apparently had "superuser" privileges to list users, reset passwords, reset MFA factors, and view support tickets.
“Support engineers have access to limited data, for example, Jira tickets and user lists that were visible in the screenshots. Support engineers can also facilitate password reset and multi-factor authentication for users, but they cannot get these passwords,” Okta explained.
The Lapsus$ screenshots also show the email address of a Cloudflare employee whose password the attackers, working from the compromised Okta account, were preparing to reset. According to Cloudflare, that employee's account was suspended approximately 90 minutes after its Security Incident Response Team (SIRT) received the first notification of a potential problem.
Cloudflare noted that it uses Okta internally for employee identity as part of its authentication stack, and that its customers have nothing to worry about "unless they use Okta themselves." To rule out any unauthorized access to employee accounts, Cloudflare reviewed every password reset and MFA change made through Okta since December 1, 2021.
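The review Cloudflare describes, a sweep of every password reset and MFA change performed on behalf of a user since a chosen date, is the kind of audit any Okta customer could run against its own System Log. The following is an added example written for this page, not Cloudflare's or Okta's code. It assumes the Okta System Log JSON shape (`eventType`, `published`, `actor`, `target`, `outcome`, `client`) and the event type names `user.account.reset_password`, `user.mfa.factor.reset_all`, `user.mfa.factor.deactivate` and `user.mfa.factor.update` for the actions a support engineer can perform; the log lines themselves are constructed sample data, with an assumed actor `support-eng@example.com` standing in for a support or admin account.

```python
"""Audit Okta System Log events for password resets and MFA changes that were
performed on a user by someone other than that user (an admin or support actor).
Added example for this page; not Okta's or Cloudflare's code."""
import json
from datetime import datetime, timezone

# Assumed Okta System Log event types for the actions a support engineer can take.
SENSITIVE_EVENT_TYPES = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.update",
}

# Start of the review window Cloudflare used.
AUDIT_SINCE = datetime(2021, 12, 1, tzinfo=timezone.utc)

# Constructed sample log lines (newline-delimited JSON), not real log data.
SAMPLE_LOG = """
{"eventType": "user.session.start", "published": "2022-01-17T09:12:01.000Z", "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": [], "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.5"}}
{"eventType": "user.account.reset_password", "published": "2022-01-18T14:03:22.000Z", "actor": {"type": "User", "alternateId": "support-eng@example.com"}, "target": [{"type": "User", "alternateId": "bob@example.com"}], "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.77"}}
{"eventType": "user.mfa.factor.reset_all", "published": "2022-01-18T14:04:10.000Z", "actor": {"type": "User", "alternateId": "support-eng@example.com"}, "target": [{"type": "User", "alternateId": "bob@example.com"}], "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.77"}}
{"eventType": "user.account.reset_password", "published": "2022-01-19T08:00:00.000Z", "actor": {"type": "User", "alternateId": "carol@example.com"}, "target": [{"type": "User", "alternateId": "carol@example.com"}], "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.9"}}
{"eventType": "user.mfa.factor.reset_all", "published": "2021-11-15T10:00:00.000Z", "actor": {"type": "User", "alternateId": "support-eng@example.com"}, "target": [{"type": "User", "alternateId": "dave@example.com"}], "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.77"}}
"""


def parse_events(raw):
    """Parse newline-delimited JSON log lines into a list of event dicts."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def parse_ts(value):
    """Okta timestamps are ISO 8601 with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_third_party_credential_changes(events, since):
    """Return sensitive events after `since` where the actor is not the target user.

    Self-service resets (actor == target) are expected and skipped; anything
    else is a reset or MFA change done on a user's behalf and needs review."""
    findings = []
    for ev in events:
        if ev.get("eventType") not in SENSITIVE_EVENT_TYPES:
            continue
        if parse_ts(ev["published"]) < since:
            continue
        actor = ev.get("actor", {}).get("alternateId")
        targets = [t.get("alternateId") for t in ev.get("target", [])
                   if t.get("type") == "User"]
        if targets and all(t == actor for t in targets):
            continue
        findings.append({
            "when": ev["published"],
            "event": ev["eventType"],
            "actor": actor,
            "targets": targets,
            "ip": ev.get("client", {}).get("ipAddress"),
            "result": ev.get("outcome", {}).get("result"),
        })
    return findings


def summarize_by_actor(findings):
    """Count events and distinct target users per actor, so that a single
    account touching many users' credentials stands out."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["actor"], {"events": 0, "targets": set()})
        entry["events"] += 1
        entry["targets"].update(f["targets"])
    return {a: {"events": v["events"], "targets": sorted(v["targets"])}
            for a, v in summary.items()}


if __name__ == "__main__":
    hits = find_third_party_credential_changes(parse_events(SAMPLE_LOG), AUDIT_SINCE)
    for h in hits:
        print(f"{h['when']} {h['event']} by {h['actor']} on {h['targets']} from {h['ip']}")
    print(summarize_by_actor(hits))
```

Against the constructed sample, the two support-engineer actions on `bob@example.com` are reported, Carol's self-service reset is skipped, and the November event falls outside the window. On a real tenant the same filter would be applied to events pulled from the System Log API for the review period, and each reported actor would then be reconciled against the support tickets that were supposed to justify the change.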
In response to Okta's statements, the Lapsus$ group published its own version of events. According to the criminals, they compromised not the laptop of an Okta employee but a thin client (a low-powered endpoint that connects remotely to a virtual desktop environment). The group disputes Okta's claim that the attack was unsuccessful, stating that they "logged into the superuser portal with the ability to reset the password and MFA of approximately 95% of customers."