Microsoft and Okta’s breach by extortion-focused hacking group LAPSUS$ will have long-lasting and serious ramifications for businesses – an expert from cyber security firm CSS Assure has warned.

Technology giant Microsoft confirmed the group gained ‘limited access’ to its systems, while identity authentication service Okta – which connects any person with any application on any device, allowing IT departments to manage employees’ access to apps and devices – revealed that an attacker had access to a support engineer’s laptop for five days in January.

 

Doug Lucktaylor, head of information security at CSS Assure, said: “This breach has several long-lasting and serious ramifications for businesses, and also serves as a lesson in how to manage security in organisations.

“In this instance, the LAPSUS$ group was able to leverage a third-party contractor’s access to the customer support system. It is reported that the hackers had access to the account for a five-day window between 16 and 21 January.

“What is more concerning is the level of system access the compromised account had. The account reportedly had access to the ‘super-user’ portal with the ability to reset passwords and multi-factor authentication of about 95% of clients.

“This information raises several questions around the level of access and the timings of the access, along with the date of the subsequent disclosure.” Okta was reportedly aware of the compromise some time before choosing to publicly disclose the breach, stating that ‘the potential impact to customers’ was ‘limited’.

Doug added: “In our experience, it is vital to inform clients and customers of any potential breach your organisation experiences immediately. Given the access level disclosed and the potential ability to reset some 95% of clients’ passwords and multi-factor authentication details, this is not limited, as Okta said.

“Looking at the response times in more detail, many incident response plans have a documented notification period when there is a confirmed breach. There are also many regulatory requirements that require companies to report breaches in a timely fashion.

“It will be interesting to see what impact the late disclosure will have on the company.” The LAPSUS$ group has released further details on its telegram channel with a rebuttal to the details release by Okta.

Doug said: “It makes for a hard read for anyone who works in cyber security. It initially seems that the response from Okta was not only delayed but may not of captured the severity of the breach fully.

“There are still some details coming out of this which may some of the questions on the incident response and timelines. While Okta has ISO27001, 27017 and 27018 certifications, there appear to be some gaps in ensuring the identified controls are adequate and proportionate to the risks posed to the business.

“It appears that some basic security measures were not put in place to protect data sprawl. It is reported that AWS keys were stored in clear on Slack channels with limited access restrictions to said channels. This could be a case of a policy stating this shouldn’t happen.

“However, the policy is too onerous and nobody is reading it. Additionally, if there are ineffective technical controls in place to restrict employees or contractors from storing these keys on Slack in the first place, this should be reviewed.

“Lastly, if there is no effective training within the organisation of anyone who has access to systems then all the policies and technical controls in the world will be ineffective against human error. There are many challenges to the way teams collaborate with many tools like Slack and Microsoft Teams.

“They give us a space to store data and communicate more effectively. The issue seems to be that these are being implemented without a security overview before deployment and ongoing review of access and feature changes as they arrive.

“This goes to highlight the point that security should cover the three key pillars of people, process and technology. It also proves the point that security is not a ‘set and forget’ activity, and that constant monitoring and review is paramount to maintaining a strong security posture.

“The Okta breach in particular highlights that even a large-scale company with a large security budget can be breached. It is vital that everyone in your company takes security seriously at all levels – it is everybody’s responsibility, not just IT and security teams.

“Security should always be applied as a layered approach; we see this referenced as an onion, with the most sensitive assets at the centre. With poor configuration, however, all the layers can be circumnavigated with ease.

“This most recently-published breach will unfortunately not be the last, and comes off the back of high-profile hacks of NVIDIA, SAMSUNG and Vodafone to name just a few. Hacking groups like LAPSUS$ will continue to exploit the weaknesses of organisations.”