CyberArk’s Perspective on the January 2022 Okta Compromise

March 24, 2022 CyberArk Blog Team

CyberArk Perspectives on Okta Breach

Okta, a major Identity and Access Management vendor, has confirmed it was compromised in a targeted cyber attack in January 2022 by way of a third-party support engineer’s machine. This confirmation came on March 22 after the criminal group Lapsus$ shared screenshots online. This follows other high-profile incidents involving the same threat actor.

This incident serves as a sobering reminder that without exception, we are all a target — and there are no silver bullets. No one company, solution or technology can singlehandedly prevent relentless attacker innovation. As cyber defenders, we must communicate openly and quickly when things go wrong, remember that security is a “team sport,” and then forge ahead together with a shared mission and security-first mindset.

The following post outlines what is known about this incident to date, along with some practical steps to take if your Identity Provider (IdP) — no matter which one you use — is compromised.

A Brief Recap of the Okta Breach

In January 2022, threat actors compromised the endpoint of an Okta third-party support engineer and gained access to Okta customers’ data. The matter was discovered quickly but wasn’t made public until Lapsus$ posted screenshots online on March 22, 2022. Okta then confirmed the breach. This may have implications for customers using Okta for Single Sign-On and as an Identity Provider.

The Lapsus$ criminal group has risen quickly in notoriety due to its high-profile targets and unconventional approach. While underlying motivations and the full extent of damages are not yet understood, two things are clear: identity compromise played a key role in these incidents and the major technology companies involved were not the only intended targets. In the case of Okta, Lapsus$ specifically communicated they were actually targeting Okta’s customers.

4 Immediate Steps to Take if You Know or Suspect That Your Identity Provider Is Compromised

As malicious cyber activity increases, there’s an urgent need for every organization to proactively assume breach, harden systems and prepare for potential attacks — whether they target your organization directly or initially impact a third-party provider.

Identity Providers should be considered Tier 0 assets and be protected as such. If your organization’s Identity Provider is compromised or if you suspect it has been compromised, here are four steps that should be taken immediately to minimize exposure and impact.

Step 1: Scrutinize configuration changes made since the reported attack date. A simple configuration change is all it takes to switch up an entire authentication flow and give attackers persistent access. Be on the lookout for these specific indicators of compromise:

  • Any new MFA device deployments or device changes
  • MFA configuration changes: For instance, by compromising identities and user passwords to disable MFA to certain apps, threat actors could gain full access to these applications while circumventing MFA.
  • Identity Provider (IdP) configuration changes: If the URI (the connection between an SSO solution and IdP) and related configurations are changed, threat actors could gain persistent access to applications and services even if users’ passwords are changed.
  • Password and MFA reset attempts, particularly for privileged and administrative accounts. Assume all password reset attempts — successful or not — are under suspicion and reset all the passwords.
  • Permission and role changes and the creation of new users. If your IdP solution offers a risk-based access and risk-scoring mechanism based on anomalous access, evaluate all high-risk events and high-risk users in the system. These events may be a consequence of anomalous access by IP, location, device or impossible travel, to name a few examples. It’s also important to look for these changes in the target applications themselves; it can be more difficult to detect shadow admins created in these applications that enable direct login into those target apps. If your organization uses an Identity Governance and Administration (IGA) platform, this is a good time to perform an attestation exercise with it.

Step 2: Look for any unrecognized or malicious applications. If threat actors have access to the SSO platform, they could add a malicious app or replace an existing one, disguised as a legitimate application.  If a new application is added, there should be a governance process such as an approval process or notifications to multiple administrators enabled. Malicious apps can abuse the delegated permissions assigned to them after getting user consent. For example, a malicious application may request access to read email on Outlook or access to cloud-based storage.

Step 3: Implement least privilege to minimize potential damage and access that threat actors could gain by obtaining access tokens to different apps and services. Consider implementing just-in-time access and dynamic elevation capabilities to eliminate standing access and review least privilege fundamentals such as removing local admins from endpoints. This also means implementing MFA policies that comply with the highest level of Authenticator Assurance Levels (AAL3) for access to critical apps.

Step 4: Restrict access to sensitive applications from specific and managed devices to help limit access to these applications, including adding multi-access conditions on top of MFA such as IP and device health conditions as two examples. Least privilege management practices such as restricting RDP and remote access only to the Helpdesk, Privileged Access Management solution (PAM), Vendor Privileged Access and management subnets should also be followed.

The Security-First Path Forward

Today’s threat landscape demands a security-first mindset and an all-hands-on-deck effort. We stand ready alongside our security partners and peers, united in our mission to protect and defend what matters most.

We will continue to monitor this evolving situation and provide updates as additional information becomes available. For more details, join our webinar on April 6.

To learn how we are continuously enhancing our own cybersecurity posture, visit the CyberArk Trust Center.

Previous Article
Women in Identity Security Spotlight: Erica Smith, CyberArk SVP of IR and ESG
Women in Identity Security Spotlight: Erica Smith, CyberArk SVP of IR and ESG

March is Women’s History Month, a celebration of women’s past and present contributions to society, busines...

Next Article
Ransomware Rewind: From Floppy Disks to Ransomcloud Attacks
Ransomware Rewind: From Floppy Disks to Ransomcloud Attacks

From plug-and-play ransomware-as-a-service offerings to highly skilled operator-based attacks, ransomware i...