Digital Extortion Gang Lapsus$ takes Credit for Microsoft, Okta Breaches
On Monday, March 21, the Lapsus$ digital extortion gang published a series of posts in its Telegram channel. First, it posted what it claims to be extensive source code from Microsoft’s Bing search engine, Bing Maps and Cortana virtual assistant software. A potential breach of a company as large and security-conscious as Microsoft is significant in itself, but Lapsus$ continued by posting screenshots that appear to show it in control of an Okta administrative (“super user”) account.
Okta is an identity management platform used by thousands of large organizations that want to let their employees log in to multiple services easily and securely without managing several passwords. When attackers like Lapsus$ gain access to administrative accounts, as they claim to have with Okta, they acquire the ability to modify customers’ accounts: they can use those privileges to reset target account passwords, change the email addresses linked to victim accounts, and generally take control. When control of an identity platform like Okta is lost, the repercussions can be extreme.
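The account-takeover actions described above (password resets, recovery-email changes, MFA resets) leave a trail in the identity provider's audit log, and one practical response to an incident like this is to hunt for a single actor touching many accounts in a short window. The following is an added example, not code from the article or from Okta: it parses constructed, Okta-System-Log-shaped JSON records (the `published`, `eventType`, `actor.alternateId` and `target[].alternateId` fields) and flags any actor that performs takeover-type events against several distinct accounts inside a sliding window. The event type names in `TAKEOVER_EVENTS`, the sample actors and the thresholds are assumptions; confirm the event names against your own tenant before relying on them.

```python
"""
Hunt Okta-style System Log records for one actor performing account-takeover
primitives (password/MFA/profile changes) against many accounts in a short
window. Added example for illustration; not code from the article or Okta.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event types treated as takeover primitives. Assumed to match Okta System Log
# eventType values; verify against your tenant's log before using in production.
TAKEOVER_EVENTS = {
    "user.account.reset_password",
    "user.account.update_password",
    "user.mfa.factor.reset_all",
    "user.account.update_profile",  # e.g. changing a recovery e-mail address
}

# Constructed sample log (newline-delimited JSON). A support engineer at a
# hypothetical subprocessor resets three customer accounts in 12 minutes,
# while a customer help desk performs a single legitimate reset later.
SAMPLE_LOG = """
{"published":"2022-01-20T14:02:11Z","eventType":"user.account.reset_password","actor":{"alternateId":"support-eng@subprocessor.example"},"target":[{"alternateId":"alice@customer-a.example"}]}
{"published":"2022-01-20T14:05:40Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"support-eng@subprocessor.example"},"target":[{"alternateId":"alice@customer-a.example"}]}
{"published":"2022-01-20T14:09:03Z","eventType":"user.account.reset_password","actor":{"alternateId":"support-eng@subprocessor.example"},"target":[{"alternateId":"bob@customer-b.example"}]}
{"published":"2022-01-20T14:11:57Z","eventType":"user.session.start","actor":{"alternateId":"carol@customer-c.example"},"target":[{"alternateId":"carol@customer-c.example"}]}
{"published":"2022-01-20T14:14:20Z","eventType":"user.account.update_profile","actor":{"alternateId":"support-eng@subprocessor.example"},"target":[{"alternateId":"carol@customer-c.example"}]}
{"published":"2022-01-20T15:30:00Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk@customer-a.example"},"target":[{"alternateId":"dave@customer-a.example"}]}
"""


def parse_events(ndjson):
    """Parse NDJSON records into dicts with time, actor, target and type, sorted by time."""
    events = []
    for line in ndjson.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["published"].replace("Z", "+00:00")),
            "actor": rec["actor"]["alternateId"],
            "target": rec["target"][0]["alternateId"],
            "type": rec["eventType"],
        })
    return sorted(events, key=lambda e: e["time"])


def find_takeover_bursts(events, window=timedelta(minutes=30), min_targets=3):
    """Return {actor: [targets]} for actors whose takeover-type events hit at
    least min_targets distinct accounts within any sliding window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["type"] in TAKEOVER_EVENTS:
            by_actor[e["actor"]].append(e)

    alerts = {}
    for actor, evs in by_actor.items():
        # evs is time-ordered, so each start index defines one candidate window.
        for i, start in enumerate(evs):
            targets = {e["target"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(targets) >= min_targets:
                alerts[actor] = sorted(targets)
                break
    return alerts


def hunt(ndjson=SAMPLE_LOG, **kwargs):
    """Convenience wrapper: parse a log and return the burst alerts."""
    return find_takeover_bursts(parse_events(ndjson), **kwargs)


if __name__ == "__main__":
    for actor, targets in hunt().items():
        print(f"ALERT {actor} modified {len(targets)} accounts: {', '.join(targets)}")
```

In practice the records come from the System Log API rather than an inline string, and the window and threshold need tuning: a legitimate help desk doing a bulk reset will trip the same rule, so the highest-signal version scopes the check to actors who should never be modifying customer tenants at all, such as third-party support accounts.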
Lapsus$ has wreaked havoc since its emergence in December. It has stolen source code and other valuable data from companies including Nvidia, Samsung and Ubisoft and threatened to leak the information in extortion attempts. Researchers found that the attackers used phishing to compromise their victims, but until now it wasn’t clear how an unknown and seemingly amateur group had pulled off such large data heists against such prominent companies.
“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” Okta CEO Todd McKinnon said in a statement. “We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
In response to the Microsoft attack, a spokesperson said the company is “aware of the claims and investigating.”
It is currently not known how much access Lapsus$ had within Okta or its unnamed “subprocessor.” Dan Tentler, a founder of the attack simulation and remediation firm Phobos Group, says the screenshots suggest Lapsus$ compromised the access of an Okta site reliability engineer, a role that would potentially have extensive system privileges as part of infrastructure maintenance and improvement work.
“All I have to go on are these screenshots, but there is a nonzero possibility of this being a SolarWinds 2.0,” Tentler says, referencing last year’s massive supply chain attack. “It is indeed quite a big deal.”
Independent security researcher Bill Demirkapi puts it even more bluntly: “This is really, really bad.”
Demirkapi points out that the mere existence of a “super user” account creates exposure. An attacker such as Lapsus$ who has taken over a device on which such an account is already logged in, or who has compromised a VPN connection to that device, can impersonate the legitimate user of the admin account.
“The idea is that the access controls to get to that Administrative panel would be very restrictive” for a service like Okta, Demirkapi says. “The problem here is that it appears like Lapsus$ directly compromised an employee’s machine, so even with those access controls they can just piggyback on the employee’s access.”
On Tuesday, the 22nd, companies that were even incidentally implicated in this situation began distancing themselves from Okta. Cloudflare, an internet infrastructure company, investigated overnight and said it hadn’t been compromised as a result of the incident. “Thankfully, we have multiple layers of security beyond Okta and would never consider them to be a standalone option,” Cloudflare CEO Matthew Prince wrote on Twitter. He later added, “Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.”
Questions remain about Lapsus$ itself and its motivations. Researchers believe the group is a loose, disorganized collective based in South America that is likely still getting its bearings. But the scale and scope of what it has been able to compromise so far raises a chilling range of possibilities. Either Lapsus$ is more sophisticated than security researchers believe, or some of the world’s most critical companies are even more fragile than previously thought.
Story via WIRED