Cybercriminals from the Lapsus$ group claim to have compromised the access management systems of major provider Okta. As evidence, they have released screenshots said to have been taken from inside Okta's information system. What's next?
Cybercriminals belonging to the LAPSUS$ extortion group have released screenshots allegedly taken from within Okta's information system. If the claims are true, the attackers gained access not only to the company's website, but also to a number of other internal systems, including some critical infrastructure.
LAPSUS$ claims not to have stolen company-related data; rather, their attack was aimed at the company's customers. Judging by the information on the screenshots, the attackers already had access to the systems in January 2022.
What is Okta and what makes the data leak so dangerous?
Okta develops and maintains identity and access management systems, including a cloud-based single sign-on solution. A large number of large companies use Okta's solutions.
Kaspersky experts believe that the cybercriminals' access to Okta's systems could explain a number of significant data leaks at other large companies for which the LAPSUS$ group has already claimed responsibility.
How did the cybercriminals gain access to Okta's systems?
There is currently no conclusive evidence that the criminals actually gained access to the company's systems. According to an official statement from Okta, the company's specialists are currently conducting an investigation into the incident. Details will be communicated once this is complete. The released screenshots are believed to stem from an incident that took place in January, in which an unknown actor attempted to compromise the account of an external contractor's technical support agent.
On March 23, 2022, LAPSUS$ publicly responded to Okta's official statement, accusing the company of whitewashing the scope of the data leak.
Who is behind the cybercrime group LAPSUS$?
LAPSUS$ rose to prominence in 2020 when the group compromised the systems of the Brazilian Ministry of Health. It is therefore very likely that LAPSUS$ is a Latin American cybercrime group that steals information from large companies and demands a ransom for its return. If victims refuse to pay, the criminals publish the stolen information on the Internet. Unlike many other ransomware groups, LAPSUS$ does not encrypt the stolen data; it only threatens to destroy the data if the victim refuses to pay.
Notable companies that have already fallen victim to LAPSUS$ include Nvidia, Samsung and Ubisoft. Additionally, the group recently released 37GB of code believed to be internal Microsoft projects.
Self-promotion by LAPSUS$?
It is currently not possible to say with absolute certainty whether the incident actually happened. In itself, the release of screenshots is a rather strange move that could be aimed at self-promotion by the criminals or at tarnishing the company's reputation. It is also possible that the group is simply trying to obscure the true method behind the Okta attack in this way.
Further information on Lapsus$ and its procedure can also be found online at Kaspersky.
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructure, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/