Sooooooo not-so-comforting news on the MFA front today. Looks like a Costa Rican contract support guy for Okta got pwned in January and his credentials were used by LAPSUS to do some exploration of Okta clients. The fact that LAPSUS is publishing this now means (1) they no longer have the access and one of the following:
(a) they got nothing of consequence other than password reset access and are just really trying to ruin Okta’s first quarter.
(b) they got things of consequence from Okta customers by gaining creds to their cloud services and are now preparing to reap the rewards, and just want everyone to have a bad day
(c) some middle ground between the two.
LAPSUS is kinda…sus. It’s not clear that they’re profiting at all from the breaches they’ve conducted (NVidea, Microsoft, and Samsung included) and leaked data from. It’s not even clear if they intended to. As Marcus Hutchins said:
https://platform.twitter.com/widgets.jsThere’s no group that confuses me as much as LAPSUS. They appear to be kids but are claiming responsibility for hacking top tier companies like Nvidia, Microsoft, and Okta. IDK how a group can be that competent and incompetent at the same time. I want it to be a PsyOp so bad.
— Marcus Hutchins (@MalwareTechBlog) March 22, 2022
For its part, Okta says access was limited to what support techs have access to…which is stuff like password reset and such. Buuuuuut this may not be the full story. Even so, it’s not clear that LAPSUS got any real access to customer sites (though they may have some other interesting things):
So this sort of has the feel of the old LulzSec days–targets of opportunity at high profile companies mostly for lulz and not profit really:
Step 1: Gain employee level access to codez and sh*t
Step 2: Reveal all the things on Telegram for the lulz
Step 3: ???????
Step 4: PROFIT
There are lulz, no doubt. Okta is not going to share all the IoCs because they’re Okta. We’re never going to know what actually happened from a reliable source. So just assume that everything is screwed, and while you lulz check all your access logs for the Boys from Brazil or wherever they are.
Fancy Bear Friends 