• Wed. Apr 17th, 2024

Okta says attacker accessed a mechanic’s laptop for five days


Mar 22, 2022
Hardware Software 1Hardware Software 1

Missed a session at the Data Summit? View on demand here.

Okta’s chief security officer David Bradbury said in a post Tuesday that “the Okta service has not been compromised and remains fully operational.”

“Our customers do not have to take corrective action,” Bradbury said.

However, according to Bradbury, in January an attacker had access to the account of a customer service representative who worked for a third-party provider for five days. The third-party provider has not been identified.

“There was a five-day period between January 16 and 21, 2022, during which an attacker had access to a support agent’s laptop. This is consistent with the screenshots we became aware of yesterday,” Bradbury said.

Bradbury referenced screenshots posted to Telegram by hacker group Lapsus$ showing that what the group said was “access to Okta.com Superuser/Admin and several other systems”.

The potential breach by a customer of the main identity and access management provider raised questions about the scope and seriousness of the potential breach.

‘Limited’ impact

In the post Tuesday, Bradbury said the “potential impact on Okta customers is limited to the access that support technicians have.”

These technicians “cannot create or delete users, or download customer databases. Support technicians do have access to limited data — for example, Jira tickets and user lists — that were seen in the screenshots,” he said. Facilitate MFA factors for users, but cannot obtain those passwords.”

Okta is actively pursuing our investigation, including identifying and contacting the customers who may be affected, Bradbury said.

From the message:

In January 2022, Okta discovered an unsuccessful attempt to compromise the account of a customer service representative who worked for a third-party provider. As part of our regular procedures, we notified the provider of the situation, while simultaneously terminating the user’s active Okta sessions and suspending the person’s account. Following those actions, we shared relevant information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.

After completing the investigation by the service provider, we received a report from the forensic office this week. The report highlighted that between January 16 and January 21, 2022, there was a five-day period in which an attacker had access to a support engineer’s laptop.

Okta’s stock price fell $5.49, or about 3.2%, as of mid-afternoon ET on Tuesday. An analyst at Truist, Joel Fishbein, called the alleged breach “concerning” amid downgrading his rating on Okta.

Lapsus$ has indicated that it does not have access to Okta itself. “Our focus was ONLY on okta customers,” the group said in its Telegram message.

Lapsus$ is believed to be active in South America. In the past month, vendors including Nvidia and Samsung Electronics have confirmed the threat actor’s data theft. For example, on March 1, Nvidia said that “we are aware that the threat actor took employee credentials and certain Nvidia proprietary information from our systems and started leaking it online.”

Stolen Nvidia data allegedly includes graphics card designs and source code for DLSS, an AI rendering system. Meanwhile, Lapsus$ on Monday claimed to have posted the Microsoft source code for Bing, Bing Maps, and Cortana. Microsoft said it is aware of the claims and is investigating them.

Experts have said Lapsus$’s motives remain unclear, given the lack of past financial demands.

VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more

This post Okta says attacker accessed a mechanic’s laptop for five days

was original published at “https://venturebeat.com/2022/03/22/okta-says-attacker-accessed-engineers-laptop-for-five-days/”

By admin

Leave a Reply

Your email address will not be published. Required fields are marked *