Select Page

Possible Okta Breach By Threat Actor

Okta has provided additional information on the timeline of the incident affecting their services.

In summary, the Okta service confirmed the breach by Lapsus$ group yesterday. As per Okta has confirmed ‘The Okta service is fully operational, and there are no corrective actions our customers need to take.

Okta has also concluded that a small percentage of customers – approximately 2.5 percent – have potentially been impacted and whose data may have been viewed or acted upon. Okta has identified those customers and are contacting them directly. If you are an Okta customer and were impacted, you would have received an email directly from Okta.

// What you should do  

Out of precaution, current Okta customers can follow the steps below to gather and analyze logs related to their Okta deployment. Default retention for Okta logs is 90 days, therefore storing these offline will allow for analysis as additional detail becomes available.

  • Collect and preserve all Okta logs, focus on the Okta System Log as it’s the main audit trail for Okta activities. Check https://developer.okta.com/docs/reference/api/system-log/ for more information.
  • Check for (privileged) accounts created around the time of the suspected breach – 21 January 2022 (Since as per the Twitter post by the Okta CEO, there is no evidence of ongoing malicious activity beyond the activity detected in January).
  • Search your audit log for suspicious activity focusing on your superuser/admin Okta accounts as they pose the largest risk.
  • If you outsource (parts) of your Okta deployment, check in with your vendor and make sure what 3rd party admin accounts are used and ask them for assistance.
  • Check if you currently have Okta support access enabled, you may consider disabling this feature for the time being. More information here: https://help.okta.com/oie/en-us/Content/Topics/Settings/settings-support-access.htm

// What Simplify Security MTR (Managed Threat Response) is doing

MTR is continuing to monitor our customer estates and will release updated broadcasts as information becomes available.

// References

https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/
https://sec.okta.com/articles/2022/03/official-okta-statement-lapsus-claims
https://github.com/OktaSecurityLabs/CheatSheets/blob/master/SecurityEvents.md