Okta has provided additional information on the timeline of the incident affecting their services.

In summary, Okta confirmed the breach by the Lapsus$ group yesterday. Okta stated: ‘The Okta service is fully operational, and there are no corrective actions our customers need to take.’

Okta has also concluded that a small percentage of customers – approximately 2.5 percent – have potentially been impacted and that their data may have been viewed or acted upon. Okta has identified those customers and is contacting them directly. If you are an Okta customer and were impacted, you would have received an email directly from Okta.

// What you should do  

As a precaution, current Okta customers can follow the steps below to gather and analyze logs related to their Okta deployment. Default retention for Okta logs is 90 days, so storing them offline will allow for analysis as additional detail becomes available.

  • Collect and preserve all Okta logs. Focus on the Okta System Log, as it is the main audit trail for Okta activities. See https://developer.okta.com/docs/reference/api/system-log/ for more information.
  • Check for (privileged) accounts created around the time of the suspected breach – 21 January 2022. According to the Twitter post by the Okta CEO, there is no evidence of ongoing malicious activity beyond the activity detected in January.
  • Search your audit log for suspicious activity, focusing on your superuser/admin Okta accounts, as they pose the largest risk.
  • If you outsource (parts of) your Okta deployment, check in with your vendor, confirm which third-party admin accounts are used, and ask them for assistance.
  • Check whether you currently have Okta support access enabled; you may consider disabling this feature for the time being. More information here: https://help.okta.com/oie/en-us/Content/Topics/Settings/settings-support-access.htm
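
One way to run the account-creation and admin-activity checks above over System Log events you have exported, as an added example that is not from Okta or the original advisory. The 7-day window either side of 21 January 2022, the selection of event types and the example.com sample events are assumptions; the field names (`published`, `eventType`, `actor`, `target`, `outcome`) follow the System Log API.

```python
from datetime import datetime, timedelta, timezone

# Okta System Log event types to review: account creation, admin role grants,
# and Okta support impersonation sessions.
WATCHED = {
    "user.lifecycle.create",
    "user.account.privilege.grant",
    "group.privilege.grant",
    "user.session.impersonation.initiate",
}
PIVOT = datetime(2022, 1, 21, tzinfo=timezone.utc)  # date given in the advisory

def parse_ts(value):
    """Parse the ISO 8601 'published' field, e.g. 2022-01-20T23:10:05.123Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(events, pivot=PIVOT, days=7):
    """Return watched events within +/- days of pivot (the window is an assumption)."""
    lo, hi = pivot - timedelta(days=days), pivot + timedelta(days=days)
    hits = []
    for event in events:
        when = parse_ts(event["published"])
        if event.get("eventType") in WATCHED and lo <= when <= hi:
            hits.append({
                "time": when,
                "eventType": event["eventType"],
                "actor": (event.get("actor") or {}).get("alternateId"),
                "targets": [t.get("alternateId") for t in event.get("target") or []],
                "result": (event.get("outcome") or {}).get("result"),
            })
    return sorted(hits, key=lambda h: h["time"])

def sample_event(published, event_type, actor, target):
    """Build a constructed event using the System Log field layout."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": actor}, "outcome": {"result": "SUCCESS"},
            "target": [{"type": "User", "alternateId": target}]}

# Constructed sample data (not real events); example.com addresses are placeholders.
SAMPLE = [
    sample_event("2022-01-22T08:00:00.000Z", "user.account.privilege.grant", "it@example.com", "svc@example.com"),
    sample_event("2022-01-20T23:10:05.123Z", "user.lifecycle.create", "it@example.com", "svc@example.com"),
    sample_event("2022-01-21T09:00:00.000Z", "user.session.start", "bob@example.com", "bob@example.com"),
    sample_event("2022-03-01T10:00:00.000Z", "user.lifecycle.create", "hr@example.com", "new@example.com"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["time"].isoformat(), hit["eventType"], hit["actor"], hit["targets"])
```

Replace `SAMPLE` with the list of events loaded from your own export, and compare each actor and target against your known admin and provisioning accounts.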

// What Simplify Security MTR (Managed Threat Response) is doing

MTR is continuing to monitor our customer estates and will release updated broadcasts as information becomes available.

// References

https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/
https://sec.okta.com/articles/2022/03/official-okta-statement-lapsus-claims
https://github.com/OktaSecurityLabs/CheatSheets/blob/master/SecurityEvents.md

 
