What do we know by now?
According to an official statement from Okta, the authentication services company is investigating a breach of its systems, after the Lapsus$ group published a message in its official Telegram group claiming it had breached the company but “didn’t steal/access any Okta database”. The target of the attack, according to the group, wasn’t Okta but its customers.
Source: Telegram
Potential impact of a disastrous magnitude, felt worldwide
Thousands of companies use Okta to secure and manage their identities. In practice this means that Okta manages vast numbers of users globally. A compromise of this magnitude can have a severe impact worldwide and set off a chain reaction in enterprises whose employees’ and contractors’ identities are potentially compromised.
Through private keys retrieved within Okta, the cyber gang may have access to corporate networks and applications. Hence, a breach at Okta could lead to potentially devastating consequences which are still to be seen or exposed at this point.
Lapsus$ strikes again
Lapsus$ is a South American threat actor that has recently been linked to cyber-attacks on some high-profile targets. The cyber gang is known for extortion, threatening to release sensitive information if its demands are not met by its victims. The group has boasted of breaking into Nvidia, Samsung, Ubisoft and others.
Details of how the group managed to breach these targets have never been fully explained.
If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent successful run.
What should you do if you are using Okta to authenticate to Check Point Products?
Check Point Products (management console and remote access clients) can be accessed through Okta authentication.
While this breach is still being investigated, we recommend that Okta customers review recent auditing and login activity within Check Point products.
Management Consoles:
· Infinity Portal (portal.checkpoint.com)
· Click on Global Properties > Audit > select Login
Infinity Portal logins example
· CloudGuard Management Console: (secure.dome9.com)
· Identity awareness login/logout logs and traffic logs with identity info can be reviewed on Smart Console
VPN / remote access products:
Harmony Connect – Customers can view user login events in Harmony Connect logs:
· For internet access and network-level remote access:
Review login events under Internet & Network Access > Traffic Logs
· For application-level access (clientless):
Review system login events under Application Access > Session Logs
· Check Point Mobile Access Blade
· Check Point VPN
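As an added example (not code from Check Point or the original article), the kind of review the steps above describe, scripted over a constructed CSV export of login-audit records: for each user, successful Okta logins in the review window are compared against the source IPs seen before it, and a success preceded by a burst of failures is flagged too. The field names, sample values and the 20 March 2022 window start are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample login-audit export; the column names are assumptions,
# not a documented Check Point log schema.
SAMPLE_LOG = """\
time,user,source_ip,auth_provider,result
2022-03-10T08:02:11,alice@example.com,203.0.113.10,okta,success
2022-03-14T09:15:40,alice@example.com,203.0.113.10,okta,success
2022-03-15T07:58:03,bob@example.com,198.51.100.7,okta,success
2022-03-21T03:14:09,alice@example.com,192.0.2.44,okta,success
2022-03-22T02:40:00,bob@example.com,192.0.2.44,okta,failure
2022-03-22T02:40:31,bob@example.com,192.0.2.44,okta,failure
2022-03-22T02:41:05,bob@example.com,192.0.2.44,okta,success
2022-03-22T10:05:12,bob@example.com,198.51.100.7,okta,success
"""

def parse_log(text):
    """Parse the CSV export into dicts with a datetime 'time' field."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["time"] = datetime.fromisoformat(rec["time"])
        rows.append(rec)
    return rows

def review_logins(events, window_start, provider="okta", burst=timedelta(minutes=5)):
    """Return (user, source_ip, reason) findings for successful logins via
    `provider` on or after window_start that deviate from the pre-window baseline."""
    events = sorted(events, key=lambda e: e["time"])
    baseline = {}   # user -> set of source IPs with a successful login before the window
    findings = []
    for e in events:
        if e["auth_provider"] != provider:
            continue
        if e["time"] < window_start:
            if e["result"] == "success":
                baseline.setdefault(e["user"], set()).add(e["source_ip"])
            continue
        if e["result"] != "success":
            continue
        if e["source_ip"] not in baseline.get(e["user"], set()):
            findings.append((e["user"], e["source_ip"], "success from IP not seen before window"))
        # Failures for the same user shortly before this success suggest guessing or replay.
        failures = [f for f in events if f["user"] == e["user"] and f["result"] == "failure"
                    and e["time"] - burst <= f["time"] < e["time"]]
        if len(failures) >= 2:
            findings.append((e["user"], e["source_ip"], f"success after {len(failures)} failures"))
    return findings

def demo_findings():
    """Run the review over the constructed sample with an assumed window start."""
    return review_logins(parse_log(SAMPLE_LOG), datetime(2022, 3, 20))
```

Each finding is a lead to confirm against the user, not a verdict; a new IP can be a legitimate travel or VPN change.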
Check Point Products Help You to Protect Against Compromised Identities
Check Point offers various solutions to protect against compromised identities and to detect compromised identities and suspicious identity behavior.
· CloudGuard Intelligence – Continuously analyzes account activity across cloud services (GCP, AWS and Azure), detecting anomalies that may indicate compromised identities.
· CloudGuard Posture Management provides an IAM Safety capability that enables an AWS IAM dynamic authorization solution, providing protection against malicious cloud control-plane attacks and unintentional privileged-user error.
The full extent of the cyber gang’s resources should become clear in the coming days, as well as the extent of this breach.
Lotem Finkelsteen, Head of Threat Intelligence and Research at Check Point Software:
“Lapsus$ is a South American threat actor that has recently been linked to cyber attacks on some high-profile targets. The cyber gang is known for extortion, threatening the release of sensitive information, if demands by its victims are not made. The group has boasted breaking into Nvidia, Samsung, Ubisoft and others. How the group managed to breach these targets has never fully been clear to the public. If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent string of successes. Thousands of companies use Okta to secure and manage their identities. Through private keys retrieved within Okta, the cyber gang may have access to corporate networks and applications. Hence, a breach at Okta could lead to potentially disastrous consequences. If you are an Okta customer, we strongly urge you to exercise extreme vigilance and cyber safety practices. The full extent of the cyber gang’s resources should reveal itself in the coming days.”