Okta Investigates Possible Lapsus Breach

Authentication security vendor Okta is investigating claims by a prolific ransomware group that it had admin access to its back-end systems for months, potentially enabling it to target a range of big-name companies.

The Lapsus group has in recent weeks revealed breaches of big-brand tech companies including Nvidia, Samsung, Ubisoft and Vodafone. This week, the most recent to emerge was Microsoft, after the group claimed to have leaked 37GB of the tech giant’s source code online.

Concerns are now emerging that it was the group’s compromise of multi-factor authentication specialist Okta that enabled it to access so many tech companies over such a short period of time.

Lapsus screenshots reshared on Twitter indicate that the group had “superuser” or admin access to Okta.com.

“For a service that powers authentication systems to many of the largest corporations (and FedRAMP approved) I think these security measures are pretty poor,” it wrote. “Before people start asking: we did not access/steal any databases from Okta – our focus was only on Okta customers.”

Alongside superuser rights, the group’s screenshots purportedly show that they had access to Okta’s AWS, Jira, Confluence, Zoom, Salesforce, Splunk, Google Workspace and other internal enterprise accounts.

One of them is dated 21 January 2022, indicating that Lapsus had been active inside the company for at least two months. It could be that it is publicizing the fact now because its access rights have finally been revoked.

The intel also indicates that it was a contractor’s account that was initially compromised, enabling the ransomware actors to infiltrate Okta’s network and ultimately target its customers.

Lapsus posted the Microsoft leak to its Telegram channel on Sunday, showing that it managed to compromise an Azure DevOps server containing source code for Bing, Cortana and other projects.