My TechDecisions

What We Know So Far About Okta, Microsoft and Lapsus$

Microsoft and Okta are investigating after Lapsus$ hacking group posts screenshots of purported security incidents.

March 22, 2022 Zachary Comeau

This article has been amended to reflect an updated statement on the incident from Okta. 

After screenshots claiming to stem from security breaches at IT giant Microsoft and identity and authentication provider Okta were posted online, both companies are investigating possible attacks by the Lapsus$ hacking group.

In statements to various media outlets, the companies say they are investigating after screenshots purporting to be from the companies’ internal environments were posted to the Lapsus$ group’s Telegram channel this week.

Here is what we know so far.

Lapsus$ claims to have accessed, leaked Microsoft source code 

According to Bleeping Computer, the Lapsus$ hacking group claims to have penetrated Microsoft’s environment and stolen source code for Bing, Cortana and other projects from Microsoft’s internal Azure DevOps server. After a screenshot was posted to the group’s Telegram channel, Lapsus$ posted a torrent for a 9 GB 7zip archive with source code from over 250 projects allegedly belonging to Microsoft, including Bing, Bing Maps and Cortana.

The files appear to be legitimate, and some contain emails and documentation that were being used by Microsoft engineers to publish mobile apps, according to Bleeping Computer. Microsoft is investigating the claims.

Microsoft has yet to release any public statements, but has told several news outlets that it is aware of the reports and is investigating.

Update (3/22, 8:30 p.m.)

Microsoft has released another statement, saying the company’s investigation found that “an account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.” 

The company also released a blog post detailing Lapsus$’ activity.

Okta: Lapsus$ activity may be from January security incident that was contained

In addition to Microsoft, Lapsus$ has posted screenshots of what appears to be the internal websites of Okta, an identity solutions leader, which caused many in the cybersecurity community to express alarm on social media overnight.

If Okta is compromised, the company’s software could be used in a supply chain attack against the company’s “hundreds of millions” of users and “thousands” of customers, including some very large companies, such as Major League Baseball, T-Mobile, Moody’s, Hewlett Packard Enterprise, Sonos, FedEx, Ally Financial and other high-profile organizations.

Posting to Twitter, Okta CEO Todd McKinnon said the screenshots shared on Lapsus$’s Telegram channel are believed to be connected to an attempted compromise of a third-party customer support engineer from January. An Okta spokesperson sent the same statement to us when we asked for more information.

“The matter was investigated and contained by the subprocessor,” McKinnon wrote. “We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Update (3/22, 2:07 p.m.)

Okta released an updated statement later Tuesday, claiming the Okta service was not breached and that customers don’t need to take any action. The full statement follows:

The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.

In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.

Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

We take our responsibility to protect and secure our customers’ information very seriously. We are deeply committed to transparency and will communicate additional updates when available.

Lapsus$ has claimed big targets, so organizations should be very vigilant

According to Bleeping Computer and Reuters, Lapsus$’s allegations of penetrating internal systems at Okta and Microsoft appear to be credible, particularly in the case of Okta, where screenshots purportedly show Okta’s internal tickets and Slack chats.

The Lapsus$ group has been very active in recent months, with several confirmed cases of compromise against very large companies.

According to Bleeping Computer and these companies’ own public statements, NVIDIA, Samsung, Vodafone, Ubisoft and Mercado Libre have all been recent victims of the hacking group, with source code and sensitive data the target.

Okta customers should remain very vigilant until the company releases more information about the incident.

Tagged With: Cybersecurity, Identity, Lapsus$, MFA, Microsoft, Okta, ransomware
