Okta Latest Target of Hacker Group Lapsus$


Digital authentication company Okta Inc. said it could have been affected by a security breach carried out by the hacker group Lapsus$.

The breach, reported on Okta’s website Tuesday (March 22), is part of a larger campaign by Lapsus$ that has also targeted Samsung, Ubisoft, Nvidia and — more recently — Microsoft.


Okta said the hack may have compromised hundreds of customers, with the cybercriminals posting what were apparently internal screenshots from within the company’s network.

Writing on the company blog, Chief Security Officer David Bradbury said the “maximum potential impact” of the breach was 366 customers whose information was accessed by an outside contractor, Sitel. One of Sitel’s engineers had a laptop hijacked by Lapsus$ using RDP (Remote Desktop Protocol).

“The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard,” Bradbury said.

“So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session.”
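The scenario Bradbury describes is an endpoint with a live, authenticated session being driven over RDP, not an account takeover, so account-level controls would not see it. One signal a defender can look for is the RDP logon event itself on workstations that hold privileged sessions. The script below is an added example, not code from Okta or from the article; it runs a simple detection over constructed Windows Security logon records. Windows records a successful logon as Event ID 4624, and Logon Type 10 (RemoteInteractive) is the type an RDP session produces. The pipe-delimited record layout, the hostnames and IPs, the internal address ranges and the list of privileged hosts are all assumptions made for the example.

```python
"""Flag RDP (RemoteInteractive) logons in Windows Security logon records.

Added example, not from the original article. Event ID 4624 is a successful
logon; Logon Type 10 is RemoteInteractive, i.e. an RDP session. Every record,
hostname, IP and range below is constructed for this example.
"""
from dataclasses import dataclass
import ipaddress

SUCCESSFUL_LOGON = 4624   # Windows Security event id for a successful logon
RDP_LOGON_TYPE = 10       # Logon Type 10 = RemoteInteractive (RDP)

# Assumption: address ranges treated as the corporate network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumption: hosts that routinely hold sessions into admin consoles.
PRIVILEGED_HOSTS = {"SUPPORT-LT-01"}

# Constructed sample records in an assumed pipe-delimited export:
# event_id|logon_type|target_user|workstation|source_ip
SAMPLE_LOG = """\
4624|10|svc-support|SUPPORT-LT-01|203.0.113.45
4624|2|jdoe|HR-WS-07|-
4624|10|jdoe|HR-WS-07|10.0.0.12
4625|10|svc-support|SUPPORT-LT-01|203.0.113.45
4624|3|backup|FILESRV-02|10.0.0.5
"""


@dataclass
class LogonEvent:
    event_id: int
    logon_type: int
    target_user: str
    workstation: str
    source_ip: str


def parse_line(line: str) -> LogonEvent:
    """Parse one pipe-delimited record into a LogonEvent."""
    eid, ltype, user, host, ip = line.split("|")
    return LogonEvent(int(eid), int(ltype), user, host, ip)


def is_external(ip: str) -> bool:
    """True when the source address is outside the assumed internal ranges.
    Local logons carry '-' as the source, which is treated as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def flag_rdp_logons(log_text: str, privileged_hosts=PRIVILEGED_HOSTS):
    """Return (severity, event) for every successful RDP logon.

    Severity is 'high' when the target workstation is a privileged host or
    the session originates outside the internal ranges, else 'medium'.
    Failed logons (4625) and non-RDP logon types are ignored here.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.event_id != SUCCESSFUL_LOGON or ev.logon_type != RDP_LOGON_TYPE:
            continue
        risky = ev.workstation in privileged_hosts or is_external(ev.source_ip)
        findings.append(("high" if risky else "medium", ev))
    return findings


if __name__ == "__main__":
    for severity, ev in flag_rdp_logons(SAMPLE_LOG):
        print(f"[{severity}] RDP logon as {ev.target_user} on "
              f"{ev.workstation} from {ev.source_ip}")
```

Run against the sample, the script reports two RDP logons: the session on SUPPORT-LT-01 from an address outside the internal ranges is rated high, the one on HR-WS-07 from an internal address medium. In practice the severity rule would also consider whether the logged-on user holds an active admin-console session, which is the condition that made the laptop in this incident valuable.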

Bradbury said that 366 breached customers is the “worst case scenario,” and that the hackers wouldn’t have had “god-like access” to Okta’s systems once they were inside.

“This is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles,” Bradbury wrote. “They are unable to create or delete users. They cannot download customer databases. They cannot access our source code repositories.”


Meanwhile, Microsoft reported late Tuesday (March 22) that Lapsus$ got past its system to pilfer the source code for its Bing search engine and Cortana voice assistant.

The company said the Microsoft Threat Intelligence Center (MSTIC), Detection and Response Team (DART), and Microsoft 365 Defender Threat Intelligence Team have been on the trail of the hacking group for several weeks.

“Our investigation has found a single account had been compromised, granting limited access,” Microsoft said. “Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure, and viewing source code does not lead to elevation of risk.”