In the early hours of March 22, 2022, identity and access management industry leader Okta announced that its platform had been the victim of a targeted security attack. Per public social media and website posts, the company’s CEO and founder, Todd McKinnon, issued a statement saying, “In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was thoroughly investigated and contained by the subprocessor.” Further, McKinnon says the company believes that “there is no evidence of ongoing malicious activity.”
Why, then, is this news two months later? First, it could be that this is more than just an attempt at compromise: the attacker is now publicly stating that its focus is to cause a security incident among “ONLY Okta customers”. Screenshots publicly shared by LAPSUS$, the threat actor group claiming responsibility for the attack, show details of an apparent internal Okta environment.
Figure caption: Lapsus$ claims to have obtained Okta customer data (BleepingComputer)
Second, because Okta is an industry leader, the potential damage from a compromise of Okta (by LAPSUS$ or otherwise) would be widespread. Third, this is a warning to all companies, even large, sophisticated, well-resourced security providers like Okta, that they have a target on their back. Threat actors are coming after them. The bigger the provider, the more attractive it is as a target.
If there is a “fourth” here, it is that LAPSUS$ is also claiming to have breached other big providers such as Microsoft and LG Electronics (N.B., at the time of this writing, Microsoft is investigating the incident as well). Whether or not these claims hold up, and only time will tell, it is more evidence that attackers are aiming for the most impactful targets.
Another day, another breach? Unfortunately, it seems so, but there are some things companies using Okta should do ASAP.
1. Change Okta passwords immediately. This goes for admin/privileged user passwords and also for users’ passwords if the company is using Okta for SSO.
2. Identify the scope of your Okta deployment. To fully understand whether your company is or was impacted, you need to understand:
   - where Okta has been deployed
   - what systems and applications Okta touches
   - the security state of all connected SaaS app configurations
3. Monitor activity. Through Okta directly or a connector/adapter/integration, look at trends, unusual access attempts, and any other suspicious activity. Monitor logs from third-party tools, too, to identify anomalous access attempts (users, devices, and systems), increased access requests, and other suspicious identity and access behavior.
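As an added example (not code from Axonius, Okta, or the original post), the following Python script turns the three items above into concrete checks over an export of Okta System Log events: a burst of failed sign-ins, successful sign-ins from outside the expected countries, admin-level changes such as privilege grants or MFA factor removal, users who have not changed their password since the incident cut-off (item 1), and the application instances the events touch, which is a first cut at scope (item 2). The field names follow the Okta System Log JSON shape as I understand it, the eventType strings are assumed names, and every event, the thresholds, and the baseline country set are constructed for the demonstration.

```python
"""Post-incident triage over Okta System Log events (added example, not Axonius or Okta code).
Field names (published, eventType, outcome.result, actor.alternateId,
client.geographicalContext.country, target[]) follow the Okta System Log JSON shape as I
understand it; the eventType strings, sample events, thresholds, and baseline country set
are constructed for the demonstration."""
import json
from collections import Counter, defaultdict
from datetime import datetime


def parse_ts(ts):
    """Okta publishes UTC timestamps such as 2022-03-22T01:10:00.000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def ev(published, event_type, result, actor, country="United States", targets=()):
    """Build one event dict in System Log shape (constructed sample data)."""
    return {"published": published, "eventType": event_type,
            "outcome": {"result": result}, "actor": {"alternateId": actor},
            "client": {"geographicalContext": {"country": country}},
            "target": [{"type": t, "displayName": n} for t, n in targets]}

# Constructed export: a burst of failures then a success for alice from an unfamiliar
# country, an admin granting her privileges and removing her MFA factor, and bob, who
# has already rotated his password since the incident cut-off.
SAMPLE_EVENTS = [
    ev("2022-03-22T01:10:00.000Z", "user.session.start", "FAILURE", "alice@example.com", "Netherlands"),
    ev("2022-03-22T01:10:20.000Z", "user.session.start", "FAILURE", "alice@example.com", "Netherlands"),
    ev("2022-03-22T01:10:45.000Z", "user.session.start", "FAILURE", "alice@example.com", "Netherlands"),
    ev("2022-03-22T01:11:30.000Z", "user.session.start", "SUCCESS", "alice@example.com", "Netherlands",
       [("AppInstance", "Salesforce")]),
    ev("2022-03-22T08:00:00.000Z", "user.session.start", "SUCCESS", "bob@example.com",
       targets=[("AppInstance", "Slack")]),
    ev("2022-03-22T08:05:00.000Z", "user.account.update_password", "SUCCESS", "bob@example.com"),
    ev("2022-03-22T08:30:00.000Z", "user.account.privilege.grant", "SUCCESS", "carol@example.com",
       targets=[("User", "alice@example.com")]),
    ev("2022-03-22T08:31:00.000Z", "user.mfa.factor.deactivate", "SUCCESS", "carol@example.com",
       targets=[("User", "alice@example.com")]),
]
BASELINE_COUNTRIES = {"United States"}       # assumed normal sign-in geography
INCIDENT_START = "2022-03-22T00:00:00.000Z"  # assumed cut-off for "rotated since"
# Assumed event-type prefixes that deserve review after an IdP compromise.
PRIVILEGED_PREFIXES = ("user.account.privilege.", "user.mfa.factor.deactivate",
                       "policy.", "system.api_token.", "application.user_membership.")

def failed_login_bursts(events, threshold=3):
    """Users whose failed sign-ins in the export reach the threshold."""
    fails = Counter(e["actor"]["alternateId"] for e in events
                    if e["eventType"] == "user.session.start"
                    and e["outcome"]["result"] == "FAILURE")
    return {user: n for user, n in fails.items() if n >= threshold}

def logins_from_new_countries(events, baseline):
    """Successful sign-ins whose source country is outside the baseline set."""
    seen = defaultdict(set)
    for e in events:
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "SUCCESS":
            country = e["client"]["geographicalContext"]["country"]
            if country not in baseline:
                seen[e["actor"]["alternateId"]].add(country)
    return {user: sorted(c) for user, c in seen.items()}

def privileged_changes(events):
    """(time, actor, eventType, target names) for admin-level changes."""
    return [(e["published"], e["actor"]["alternateId"], e["eventType"],
             [t["displayName"] for t in e["target"]])
            for e in events if e["eventType"].startswith(PRIVILEGED_PREFIXES)]

def users_without_password_reset(events, since):
    """Users active in the export with no password change at or after `since`."""
    cutoff = parse_ts(since)
    active = {e["actor"]["alternateId"] for e in events}
    rotated = {e["actor"]["alternateId"] for e in events
               if e["eventType"] == "user.account.update_password"
               and parse_ts(e["published"]) >= cutoff}
    return sorted(active - rotated)

def apps_touched(events):
    """Distinct SaaS app instances that appear as event targets (a first cut at scope)."""
    return sorted({t["displayName"] for e in events
                   for t in e["target"] if t["type"] == "AppInstance"})

def triage(events, baseline=BASELINE_COUNTRIES, since=INCIDENT_START):
    """One report a responder can act on: who to reset, what to review, what is in scope."""
    return {"failed_login_bursts": failed_login_bursts(events),
            "logins_from_new_countries": logins_from_new_countries(events, baseline),
            "privileged_changes": privileged_changes(events),
            "users_without_password_reset": users_without_password_reset(events, since),
            "apps_touched": apps_touched(events)}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

To use it on a real export, replace SAMPLE_EVENTS with the parsed JSON array the System Log API returns and tune the threshold, the baseline countries, and the privileged prefixes to the organization. The password-reset check deliberately reports every actor in the export rather than only the suspicious ones, because after an identity provider incident the question is "who has not rotated yet", not "who looked odd".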
Items numbered 1 and 3 on this list are likely part and parcel of your security program already. Number 2 may be the place companies get tripped up. Finding all connected SaaS applications may be time consuming if SaaS app inventories are not fully up to date and if the company does not have an automated method of collecting and correlating asset information.
What’s more, understanding the security state of all Okta configurations and the associated configurations of the connected SaaS apps may be extremely time consuming, especially if manual methods are used to match configurations to internal and/or recommended policies.
Fortunately, Okta already has many security capabilities built into the platform to help identify anomalies and certain misconfigurations. What’s more challenging for Okta is identifying and tracking scope—how many applications and user devices are impacted.
The Axonius SaaS Management solution complements Okta’s native capabilities by allowing users to identify all users, devices, and third-party SaaS apps to which Okta has access and then providing contextualized data around the security state and potential ramifications of a policy violation or misconfiguration.
As with any reported security vulnerability or exploit, more details are certain to come. This breach, if it is a confirmed breach, does not need to be treated as a hair-on-fire event. Instead, it is important to recognize the ever-growing importance of SaaS applications in the enterprise, understand the security risks they pose, and formalize a security program that helps systematically identify:
- Which SaaS apps (as well as IT- and security-related enterprise systems) are present in the organization's IT ecosystem, and where in the network they reside
- Associated security gaps and policy violations
- The right enforcement actions for remediating a vulnerability before it becomes a breach, as well as the right mitigation steps if a breach has already occurred.
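The three bullets above describe a program that matches a SaaS inventory against policy and ranks what to fix first. As an added example (not Axonius code, and not any product's logic), this Python script does that matching over a constructed inventory: each record says whether the app sits behind the identity provider, whether SSO and MFA are enforced, how many admins it has, and what data it holds; each rule carries a severity and a remediation, and the report comes out highest severity first. The record fields, the policy values, and the rules are all assumptions for the demonstration.

```python
"""Inventory-to-policy gap check for SaaS apps (added example, not Axonius code).
The inventory records, their field names, the policy values and the rules are all
constructed for the demonstration; in practice the records would come from the
IdP's application list and the SaaS inventory the text describes."""

HIGH, MEDIUM = 2, 1

# Constructed inventory: one app fully behind the IdP, one behind the IdP with weak
# settings, and one that nobody has connected to the IdP at all.
INVENTORY = [
    {"app": "Salesforce", "behind_idp": True, "sso_enforced": True,
     "mfa_required": True, "admins": 2, "data_class": "confidential"},
    {"app": "Slack", "behind_idp": True, "sso_enforced": False,
     "mfa_required": False, "admins": 3, "data_class": "internal"},
    {"app": "Trello", "behind_idp": False, "sso_enforced": False,
     "mfa_required": False, "admins": 7, "data_class": "confidential"},
]

# Assumed internal policy the records are matched against.
POLICY = {"max_admins": 5,
          "sso_required_for": {"confidential"},
          "mfa_required_for": {"confidential", "internal"}}

# (rule name, severity, predicate that is True on a violation, remediation),
# in evaluation order.
RULES = [
    ("unmanaged", HIGH, lambda a, p: not a["behind_idp"],
     "connect the app to the IdP so access is centrally governed"),
    ("sso_not_enforced", HIGH,
     lambda a, p: a["data_class"] in p["sso_required_for"] and not a["sso_enforced"],
     "enforce SSO and disable local logins"),
    ("mfa_not_required", MEDIUM,
     lambda a, p: a["data_class"] in p["mfa_required_for"] and not a["mfa_required"],
     "require MFA in the app's sign-on policy"),
    ("too_many_admins", MEDIUM, lambda a, p: a["admins"] > p["max_admins"],
     "review and reduce admin assignments"),
]


def check_app(app, policy=POLICY):
    """Violations for one inventory record as (rule, severity, remediation)."""
    return [(name, sev, fix) for name, sev, pred, fix in RULES if pred(app, policy)]


def gap_report(inventory=INVENTORY, policy=POLICY):
    """Map of app name to its violations, omitting apps that pass every rule."""
    report = {}
    for app in inventory:
        hits = check_app(app, policy)
        if hits:
            report[app["app"]] = hits
    return report


def prioritize(report):
    """(app, rule) pairs, highest severity first, stable within a severity level."""
    flat = [(app, name, sev) for app, hits in report.items() for name, sev, _ in hits]
    return [(app, name) for app, name, _ in sorted(flat, key=lambda x: -x[2])]


if __name__ == "__main__":
    for app, rule in prioritize(gap_report()):
        print(app, rule)
```

The point of separating the inventory from the rules is that an incident like this one changes the rules (for example, temporarily treating "no password rotation since the cut-off" as high severity) without touching the inventory pipeline, and an app that is missing from the identity provider entirely surfaces as the first thing to fix rather than being invisible because no log ever mentions it.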