Lapsus$ Ransomware Continues Its Attack: OKTA Is Its Latest Victim

According to an official statement from Okta, the authentication services company is investigating a breach of its systems after the Lapsus$ group published a message in its official Telegram channel claiming to have breached the company but stating that it “didn’t steal/access any Okta database”. According to the group, the target of the attack was not Okta itself but its customers.

Expert Comments

March 23, 2022
Setu Kulkarni
Business Strategy, Product Management, M&A, Podcast Host
Venafi

More often than not organizations do not spend enough time thinking through their authorization implementation. When you think about the digital chain of custody, it's important to think about the end-to-end need for both authentication and authorization from app to endpoint to data. These incidents are yet another demonstration of the fact that once bad actors get in, lateral movement is relatively easy. Since human identities are involved here, there will be a lot of attention on these breaking stories – the question to ask ourselves is whether we are paying enough attention to such lapses when only machines are involved. Machine identities are a bigger attack surface than human identities and as such we need to keep an eye out for gaps in machine identity management along with human identity management.

March 23, 2022
Pratik Selva
Sr. Security Engineer
Venafi

In a few months’ time, Lapsus$ has widened its target base and increased its sophistication. More recently, Lapsus$ has expanded its targets beyond specific industry verticals or specific countries or regions. This makes it harder for analysts to predict which company is most at risk next. This is likely an intentional move to keep everyone guessing because these tactics have been serving the attackers well so far.

Compromised machine identities lead to source code leaks. Attackers have abused machine identities to establish hidden or concealed encrypted communication channels and gain privileged access to data and resources. Additionally, this and countless other incidents highlight the need for a threat model in which risks to source code are evaluated as a serious security risk.

March 30, 2022
Callum Roxan
Head of Threat Intelligence
F-Secure

The high-profile intrusions by LAPSUS$ show the challenges of securing data and systems in modern IT architectures. The management of authentication and authorization is a complex challenge when it spans multiple platforms, technologies, and supplier relationships. The cyber security industry definitely has not reached maturity in the detection of these attacks. I would expect these types of attacks to continue by LAPSUS$ and that more actors may look to mimic them after seeing this success.

March 23, 2022
Kevin Bocek
VP Security Strategy & Threat Intelligence
Venafi

Attacks targeting software builds are becoming more common for several reasons. Firstly, hitting one target opens the door to multiple targets. Secondly, security and development teams are often not working in unison, leaving developer environments poorly defended. Yet perhaps even more worrying is that once a developer environment is compromised it is extremely difficult to remediate. That kind of access gives threat actors the keys to the kingdom, so it’s easy to maintain persistence. So, it’s no surprise we keep seeing attacks of this nature.

What makes this more disturbing is that so many businesses are dependent on one human identity provider – putting all their eggs in one basket. This means that if there is one breach it totally opens the kimono, putting multiple businesses at risk of future attacks. We have seen this previously with the subsequent SolarWinds attacks which breached Office 365 – the ripple just keeps spreading.

Looking at Lapsus$ specifically, they have a history of abusing machine identities and using their understanding of developer environments to their advantage. This puts the very system of trust that enables machines to communicate and software to run into jeopardy. As these types of attack become more common, it’s vital that approaches to securing build pipelines adapt. We can’t have development teams that work with no involvement from security; equally, we cannot expect security to understand the intricacies of dev environments. We need a new breed of security developer that can bridge the gap and enable security at speed.

March 23, 2022
Keith Neilson
Technical Evangelist
CloudSphere

While ransomware investigations remain ongoing, with extortion groups targeting high-profile organizations like Microsoft and Okta, businesses are right to remain on high alert. Malicious actors like Lapsus$ are finding unique ways to avoid deploying true ransomware by instead infiltrating systems, stealing data and, in turn, leveraging that data to blackmail their victims. Given this attack tactic, businesses across all industries should prioritize managing access control through cyber asset management. When companies leverage a cyber asset management strategy, they not only gain comprehensive visibility of all cyber assets in the attack surface, but also have the ability to establish and enforce security guardrails to detect potential risks in real time.

March 23, 2022
Jonathan Knudsen
Senior Security Strategist
Synopsys

Lapsus$ has been busy lately, but its activities should not be surprising. The software attack surface for most organisations is large and porous, yielding an asymmetry of bountiful rewards for relatively low effort.

Organisations of all types must recognise that software risk is business risk and take appropriate action. Software is the critical infrastructure for the modern world. Software is at the heart of nearly everything — businesses, healthcare, power, water treatment, manufacturing, transportation, etc. Consequently, the abuse of software can help criminals gain wealth, or help nation-states gain geopolitical advantage.

Managing software risk means including security at every stage of the software supply chain, everything from a concept through to the people or systems that use an application. Furthermore, even with the best possible defences, some attacks will always be successful. Incident response and business continuity plans and execution are just as important as defensive measures.

Based on the scope and frequency of attacks, Lapsus$ appears to be a well-resourced organisation, likely backed by organised crime or a nation-state.

While software has brought transformative power to all industries, risk must be managed properly. Enterprises should take note of recent skullduggery and adjust their priorities and processes to drive software supply chain risk to tolerable levels.