Well, more security news. It seems to come in waves.
First, Okta has indicated that they are investigating signs of a data breach. Data extortion group Lapsus$ claims to have acquired “superuser/admin” access to Okta.com and that it accessed Okta’s customer data. Screenshots reviewed by BleepingComputer indicate the breach may have occurred months ago, and Okta’s CEO then confirmed that in January 2022, the company “detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor”.
In a recent SEC filing, Okta indicated it had over 15,000 customers. The company additionally stated, “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
This same hacking group claims to have leaked the source code for Bing, Cortana, and other projects stolen from Microsoft’s internal Azure DevOps server. Monday night, the hacking group posted a torrent for a 9 GB 7zip archive containing the source code of over 250 projects that they say belong to Microsoft. When posting the torrent, Lapsus$ said it contained 90% of the source code for Bing and approximately 45% of the code for Bing Maps and Cortana. Security researchers who have pored over the leaked files told BleepingComputer that they appear to be legitimate internal source code from Microsoft. Microsoft has indicated they are aware of the claims and are investigating.
Second, the Biden Administration has issued a specific warning about “the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners.” The advisory specifically notes “evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
During the daily White House press briefing, Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger said that intelligence was shared in a classified briefing with entities officials believe might be specifically targeted.
Why do we care?
Let’s start with the actionable stuff. The White House has been remarkably transparent about their intelligence around Russia and Ukraine on the physical war front, which helped minimize misinformation campaigns and head off any potential Russian pre-justification for conflict.
It’s reasonable to assume that’s the case again here. Those specific entities have been warned… and yet, everyone should be aware of the potential targeting and escalation. This is that “batten down the hatches” moment. I’d be remiss if I didn’t highlight good backups too.
Frank McGovern gave insights on specific tactics regarding Okta — 1. Share the information internally. 2. Collect and retain related logs. 3. Hunt logs for bad. 4. Rotate Okta privileged passwords. 5. Move on unless Okta reaches out to tell you that you are involved. And a sixth, let your customers know you did these things.
The attack avenue into Okta was customer support. People remain the vital link in security profiles – and minimizing the damage any one person can inflict is a crucial skill. Zero trust security, people. To Frank’s direction I’d add one thing: use this as the moment to examine least privilege access.
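Frank’s step 3, “hunt logs for bad,” in code. This is an added example of mine, not Okta’s tooling or Frank’s: it scans newline-delimited Okta System Log events for the actions a compromised support or admin account would leave behind (impersonation sessions, MFA resets, password resets, privilege grants, new API tokens) and for actors from domains you would not expect to administer your org. The eventType names are my recollection of Okta’s naming and should be checked against your tenant; the sample events are constructed.

```python
import json
from typing import Iterable

# Event types a support-driven account takeover tends to leave behind. Names
# follow Okta System Log eventType naming as far as I know it; treat the exact
# set as an assumption and extend it from your own tenant's event catalog.
HUNT_EVENT_TYPES = {
    "user.session.impersonation.initiate",  # support "view as user" sessions
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.account.privilege.grant",  # admin role handed out
    "system.api_token.create",
}

def hunt_okta_events(lines: Iterable[str], expected_actor_domains: set) -> list:
    """Scan newline-delimited System Log JSON; return one finding per suspect event.
    Suspect: eventType in HUNT_EVENT_TYPES, or actor from a domain not expected
    to administer the org (a vendor or subprocessor account, say)."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        actor_login = (event.get("actor") or {}).get("alternateId") or ""
        event_type = event.get("eventType", "")
        reasons = []
        if event_type in HUNT_EVENT_TYPES:
            reasons.append("sensitive event type")
        domain = actor_login.rsplit("@", 1)[-1].lower() if "@" in actor_login else ""
        if domain and domain not in expected_actor_domains:
            reasons.append("actor outside expected domains")
        if reasons:
            findings.append({
                "published": event.get("published", ""),
                "eventType": event_type,
                "actor": actor_login,
                "targets": [t.get("alternateId", "") for t in event.get("target") or []],
                "reasons": reasons,
            })
    return findings

# Constructed sample events (not captured from a real tenant); one JSON object per line.
SAMPLE_LOG = """
{"published":"2022-01-16T08:01:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.10"},"target":[]}
{"published":"2022-01-16T08:05:00Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"agent@support-vendor.example"},"client":{"ipAddress":"203.0.113.7"},"target":[{"alternateId":"bob@example.com"}]}
{"published":"2022-01-16T08:06:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"198.51.100.22"},"target":[{"alternateId":"bob@example.com"}]}
{"published":"2022-01-16T08:09:00Z","eventType":"user.authentication.sso","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.30"},"target":[]}
"""
```

Run it as `hunt_okta_events(SAMPLE_LOG.splitlines(), {"example.com"})`; every finding is a lead to pull the surrounding session and source IP for, not a verdict on its own.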
There’s actionable intelligence here – more than noise about disclosures or notification, which I’ve already seen pop up. Want better notifications? Support efforts to require them; don’t whine about it.