Illusive Blog March 30, 2022

How Did Okta Get Breached by the Lapsus$ Ransomware Family?

By Mark Jaffe

There’s a lot to be learned from what I expect will be one of the more talked about breaches of 2022 – the Lapsus$ compromise of Okta, a leading identity security provider. It has now been revealed that Lapsus$ leveraged identity as its attack vector, as we’ve seen become the case with almost all recent attacks. Just as identity is the new perimeter, identity is also the new vulnerability.

Reports of the breach emerged on March 21, 2022, after a security researcher posted images on Twitter that he had obtained from a Lapsus$ Telegram channel. These images revealed that Lapsus$ had obtained superuser/Admin access across several services. Lapsus$ editorialized its leaks: “For a service that powers authentication systems to many of the largest organizations, I think these security measures are pretty poor.”

On March 22, 2022, Okta CEO Todd McKinnon confirmed that Okta suffered a breach in January 2022. On March 23, 2022, Okta CSO David Bradbury published a blog detailing the attack. According to Bradbury, Lapsus$ compromised Okta by first compromising one of its third-party subprocessors. Approximately 366 of its corporate customers were affected by the breach. “We want to acknowledge that we made a mistake,” admitted Okta.

How Did Lapsus$ Evade Detection?

On March 28, 2022, a portion of a Mandiant report surfaced on Twitter, which revealed that the Lapsus$ attack actually began as early as January 16, 2022. On January 19, 2022, Lapsus$ connected to the compromised host through an RDP session and then conducted a Bing search for “privilege escalation tools,” which the attacker then downloaded from GitHub.

On January 20, Lapsus$ downloaded Process Hacker and then simply terminated the FireEye endpoint agent. Detecting the presence of an agent and then terminating it has become a common attack technique for bypassing endpoint protection, endpoint detection and response (EDR), and other agent-based controls.

Next, Lapsus$ searched for Mimikatz, a commonly used credential dumping tool, which it also downloaded from GitHub. In fact, many well-known penetration testing tools, such as BloodHound and Cobalt Strike, which are intended to be used by red teams, are frequently used by ransomware families.

On January 21, Lapsus$ accessed an Excel spreadsheet titled “DomAdmins-LastPass.xls,” created a new account, and then added it to the TenantAdmin group, which it used to create a malicious email transport rule. The “DomAdmins-LastPass” naming suggests that this was a file of passwords for Domain Admins that had been exported from LastPass, a password manager.

However, Sitel, the third-party Okta subprocessor that was compromised, has maintained that “there are no Indicators of Compromise (IoC) and there is still no evidence of malware, ransomware, or endpoint corruption.”

Of course, attackers don’t need malware when they can simply connect to a compromised host, download Mimikatz and steal cached credentials. Had it not been for their brazen Bing searches for “privilege escalation tools” and “Mimikatz,” there would have been practically no fingerprints for this attack. But the lack of IoCs doesn’t make this breach any less effective. In fact, some would argue it was more effective because it raised so few red flags.
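The sequence described above (RDP logon, endpoint agent terminated, Mimikatz run, account created and added to an admin group) leaves few file-based IoCs but a clear behavioural trail in host logs. The correlator below is an added example, not code from this post, Okta, Sitel or Mandiant; it runs over constructed Windows Security-log style records, and the EDR process name `edr-agent.exe` is a placeholder rather than any real product's process.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EDR_PROCESSES = {"edr-agent.exe"}       # placeholder, not a real vendor's process name
PRIVILEGED_GROUPS = {"TenantAdmin", "Domain Admins"}
WINDOW = timedelta(hours=72)            # the post's timeline runs Jan 19-21
REQUIRED = ("rdp_logon", "edr_terminated", "account_created", "privileged_group_add")  # in order

def classify(ev):
    """Map one Security-log style record to a chain stage, or None if irrelevant."""
    eid = ev["event_id"]
    if eid == 4624 and ev.get("logon_type") == 10:     # logon type 10 = RemoteInteractive (RDP)
        return "rdp_logon"
    if eid == 4689 and ev.get("process", "").lower() in EDR_PROCESSES:   # process exited
        return "edr_terminated"
    if eid == 4688 and "mimikatz" in ev.get("command_line", "").lower():  # process created
        return "credential_tool"
    if eid == 4720:                                    # user account created
        return "account_created"
    if eid in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:  # member added to a group
        return "privileged_group_add"
    return None

def detect_chain(events):
    """Return {host: [(time, stage), ...]} for hosts showing every REQUIRED stage in order within WINDOW."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["time"], stage))
    hits = {}
    for host, staged in per_host.items():
        matched = []                      # timestamps of REQUIRED stages, matched in order
        for when, stage in staged:
            if len(matched) < len(REQUIRED) and stage == REQUIRED[len(matched)]:
                matched.append(when)      # stages outside REQUIRED (e.g. credential_tool) never break the chain
        if len(matched) == len(REQUIRED) and matched[-1] - matched[0] <= WINDOW:
            hits[host] = staged
    return hits

# Constructed sample records on the post's Jan 19-21 timeline; host names and times are made up.
T = datetime.fromisoformat
SAMPLE_EVENTS = [
    {"time": T("2022-01-19T09:10:00"), "host": "ws-01", "event_id": 4624, "logon_type": 10},
    {"time": T("2022-01-20T11:05:00"), "host": "ws-01", "event_id": 4689, "process": "edr-agent.exe"},
    {"time": T("2022-01-20T11:40:00"), "host": "ws-01", "event_id": 4688, "command_line": r"C:\tmp\mimikatz.exe"},
    {"time": T("2022-01-21T14:00:00"), "host": "ws-01", "event_id": 4720},
    {"time": T("2022-01-21T14:02:00"), "host": "ws-01", "event_id": 4732, "group": "TenantAdmin"},
    {"time": T("2022-01-19T08:00:00"), "host": "ws-02", "event_id": 4624, "logon_type": 10},  # routine RDP use
]
```

`detect_chain(SAMPLE_EVENTS)` flags only `ws-01`; `ws-02`, which shows a lone RDP logon, is left alone, and the Mimikatz execution is carried along as context without being required.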

What Are the Most Common Attack Vectors for Ransomware?

We’ve said it before and we’ll say it again: identity is the number one attack vector for ransomware. But don’t just take our word for it. Thanks to the recent leaks from the Conti ransomware family, researchers have been able to translate its “hacker’s quick start guide.” According to this document, RDP is suggested as an “initial backdoor,” while Active Directory and Domain Controllers are the primary target for establishing persistence – just as we’ve seen in the Lapsus$ breach of Okta.

According to Illusive research, exploitable identity risks are present on 1 in 6 endpoints. For example, 13% of endpoints contain cached credentials, which can be easily exposed by tools like Mimikatz.

Who Protects the Identity Protectors?

An identity-first approach to security is imperative, but when even an identity security giant like Okta can be breached by exploiting its vulnerable identities, it is clear that there are still some major gaps in the existing implementation of identity management solutions.

Enter Illusive’s identity risk management platform: Illusive Spotlight™ and Illusive Shadow™, which enable organizations to automatically and continuously discover, prioritize, mitigate, remediate and protect against the identity risks that we discover in every organization.

Illusive Spotlight enables organizations to discover unmanaged, misconfigured, and exposed identity risks, such as local admin accounts that haven’t been enrolled in a privileged access management (PAM) solution, shadow admins, and cached credentials. Illusive provides the context organizations need to make an immediate reduction in their identity risk.

And for identity risks that can’t be remediated, such as legacy applications with hard-coded credentials, Illusive Shadow provides compensating controls that leave deceptive credentials on privileged hosts, delivering high-fidelity detection.

In the case of the Lapsus$ attack, you can see how Illusive’s agentless approach could not have been disabled, how Illusive Spotlight would have discovered and remediated cached credentials, and how Illusive Shadow would have planted deceptive credentials to trick Lapsus$ into interacting with them.

If you’re interested in learning more about your organization’s identity risks, contact Illusive today to request a complimentary identity risk assessment.