According to official statement from Okta, the authentication services company is investigating a breach to their systems, after the ransomware group, Lapsus$ published a message in their official Telegram group, claiming they have breached the company but “didn’t steal/access any Okta database”. The target of the attack, according to the group, wasn’t Okta but its customers.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
The high profile intrusions by LAPSUS$ show the challenges of securing data and systems in the modern IT architectures. The management of authentication and authorization is a complex challenge when it spans across multiple platforms, technologies, and through supplier relationships. The cyber security industry definitely has not reached maturity in the detection of these attacks. I would expect these types of attacks to continue by LAPSUS$ and that more actors may look to mimic them after seeing this success.
More often than not organizations do not spend enough time thinking through their authorization implementation. When you think about the digital chain of custody, its important to think about the end to end need for both authentication and authorization from app to endpoint to data. These incidents are yet another demonstration of the fact that once bad actors get in, lateral movement is relatively easy. Since human identities are involved here, there will be a lot of attention on these breaking stories – the question to ask ourselves is whether we are paying enough attention to such lapses when only machines are involved. Machine identities are a bigger attack surface than human identities and as such we need to keep an eye out for gaps in machine identity management along with human identity management.
In a few months’ time, Lapsus$ has widened its target base and increased its sophistication. More recently, Lapsus$ has expanded its targets beyond specific industry verticals or specific countries or regions. This makes it harder for analysts to predict which company is most at risk next. This is likely an intentional move to keep everyone guessing because these tactics have been serving the attackers well so far.
Compromised machine identities lead to source code leaks. Attackers have abused machine identities to establish hidden or concealed encrypted communication channels and gain privileged access to data and resources. Additionally, this and countless incidents highlight the need for a threat model where risks to source code needs to be evaluated as a serious security risk.
Attacks targeting software builds are becoming more common for several reasons. Firstly, hitting one target opens the door to multiple targets. Secondly, security and development teams are often not working in unison, leaving developer environments poorly defended. Yet perhaps even more worrying is that once a developer environment is compromised it is extremely difficult to remediate. That kind of access gives threat actors the keys to the kingdom, so it’s easy to maintain persistence. So, it’s no surprise we keep seeing attacks of this nature.
What makes this more disturbing is that so many businesses are dependent on one human identity provider – putting all their eggs in one basket. This means if the is one breach it totally opens the kimono putting multiple businesses at risk of future attacks. We have seen this with previously with the subsequent SolarWinds attacks which breached Office 365 – the ripple just keeps spreading.
Looking at Lapsus$ specifically, they have a history of abusing machine identities and using their understanding of developer environments to their advantage. This puts the very system of trust that enables machines to communicate and software to run into jeopardy. As these types of attack become more common, it’s vital that approaches to securing build pipelines adapt. We can’t have development teams that work with no involvement from security, equally we cannot expect security to understand the intricacies of dev environments. We need a new breed of security developer that can bridge the gap and enable security at speed.
While ransomware investigations remain ongoing, with extortion groups targeting high-profile organizations like Microsoft and Okta, businesses are right to remain on high alert. Malicious actors like Lapsus$ are finding unique ways to avoid deploying true ransomware by instead infiltrating systems, stealing data and in turn, leveraging that data to blackmail their victims. Given this attack tactic, businesses across all industries should prioritize managing access control through cyber asset management. When companies leverage a cyber asset management strategy, they not only gain comprehensive visibility of all cyber assets in the attack surface, but also have the ability to establish and enforce security guardrails to detect potential risks in real-time.