News In Context

Security Vendor Okta And Its Clients Are Targeted By Cyber Crime Group

As companies gear up for possible cyber attacks from Russia they were surprised this week by news that security vendor Okta had been hacked by a cyber crime group. The fear is that the breach may have used as a springboard for attacks on some of Okta’s 15,000 clients around the globe.

The alleged masterminds behind cyber gang Lapsus$, a relatively new and feared hacker cyber-crime gang which has successfully breached major tech firms like Microsoft, Nvidia and Okta, are a group of UK teenagers who were arrested by City of London Police March 24. A 16-year-old from Oxford, who has been accused of being one of the leaders of Lapsus$,  is alleged to have amassed a $14 million fortune from hacking.

 The key takeaway is that cyber attacks can come from anywhere and no one is immune from them, including security suppliers.

Security experts say the real target of Lapsus$’s  latest attack was Okta’s customers. Okta, an identity and access management provider that enables single sign on, is highly lucrative for an attacker as once they have access to an Okta account they can get access to every application that uses the single sign on authentication mechanism. That could include email, chat, HR systems, customer support systems, and so much more, says Stav Pischits, CEO of Cynance and founder of Cyber Club London.


Worse, the screenshots released by LAPSUS$ were dated 21st January, meaning the cyber crime gang have potentially lurked undetected in Okta users’ networks for two months, which is plenty of time for them to do their damage, and once again highlighting just how long the dwell time can be for intruders within organizations’ networks, and demonstrating the importance of monitoring and threat hunting solutions that go beyond basic prevention, says Pischits.

Lapsus$’s initial claim of a breach came with a warning for Okta’s clients. The group said on Telegram that “our focus was ONLY on Okta customers” as opposed to Okta itself.

On Tuesday morning, Okta Chief Executive Todd McKinnon said on Twitter that the company believed screenshots posted alongside the message from Lapsus$ were connected to suspicious activity Okta had seen in January but didn’t disclose.“The Okta service has not been breached and remains fully operational,” Chief Security Officer David Bradbury said in a March 22 blog post. “There are no corrective actions that need to be taken by our customers.”

Laspsus$  publicly contradicted Okta’s version of events, on its Telegram channel, which has 45,000 followers. “I’m still unsure how it’s an unsuccessful attempt?” Lapsus$ said in its public taunt. “Logged on to superuser portal with the ability to reset the passwords and MFA (multi-factor authentication) of 95% of clients isn’t successful? “

Okta then issued a second statement acknowledging that it was in fact breached and 2.5% of its 15,000 customers may have been impacted. Okta’s Chief Security Officer David Bradbury said in a series of blog posts that the “maximum potential impact” was to 366 customers whose data was accessed by an outside contractor.

The contractor, the Miami-based Sitel Group, employed an engineer whose laptop the hackers had hijacked, Bradbury said, adding that the 366 figure represented a “worst case scenario” and that the hackers had been constrained in their range of possible actions.

Security experts say more investigation is needed to determine the full impact of the hack.
Pischits says the lessons are:

*Double check Okta and other access system logs for elevated privilege account activity, looking for unauthorized access to systems by legitimate user accounts. Then follow that access through systems to understand the full extent of what has been accessed.

*Examine processes. Are access rights allocated at the granular level, assigning individual rather than team based access? Does everyone really need the access or rights they are given?

There are lessons, too, in how companies that are breached should communicate. Okta’s handling of its hack is an example of what not to do, according to Jason Ozin, Group Information Security Officer at PIB Group, a group of insurance advisory businesses. His message to Okta? “Don’t be shifty! Don’t lie,” he wrote in a LinkedIn posting. He points to the first Okta statement and  the update.

In its first statement the company said it was not breached; it knew about the attack in January and stopped it, there was no damage and it will investigate further. “Already here there are questions,” says Ozin. “ If you knew about it in January why are you only now investigating? Because someone has told the world and you were hoping it was going away?”

Okta’s second statement said it was in fact breached and in the process of informing clients. It added that “we are sharing with you because of our integrity, and transparency.”

Ozin acknowledged that being a security officer at organization like Okta during such a trying time , is an unenviable job. “But don’t tell everyone that you are transparent when you are blatantly not, and don’t release a statement that you know won’t stand up to scrutiny later,” he wrote in his LinkedIn posting, which ended with the phrase “Keep digging.”

 Several customers have publicly chastised Okta for a slow drip of information that left them uncertain about what to do, according to The Wall Street Journal.  The criticism of the digital authentication firm’s slow response to the intrusion has negatively impacted the public company’s share price. “This, going forward, will be a case study in mismanaging a third-party breach,” Jake Williams, a security analyst with IANS Research, a consulting firm, told the Journal. “You control the narrative, not your customers, not your vendors, not threat actors.”

IN OTHER NEWS THIS WEEK:

Metaverse Fashion Week Draws Big Brands, Startups

Brands including Forever 21, DKNY and Estee Lauder have joined in the first Metaverse Fashion Week, which began Thursday and runs through Sunday in the virtual world called Decentraland.D igital-only fashion shows have taken place in the past, but the four-day event is one of the highest-profile efforts to gather big brands around—or inside—the concept of the metaverse, a virtual world where people can interact, work and shop. Luxury fashion brands and smaller startups are using the virtual event to host fashion shows and open stores in Decentraland, selling both physical items deliverable in the real world and digital goods accompanied by non-fungible tokens, the digital assets known as NFTs.

Volvo USA Uses Israeli AI Tech To Run Vehicle Inspections In Seconds

Swedish carmaker Volvo announced it has partnered with the Israeli vehicle inspection systems developer, UVeye, to implement the company’s tech in the US at drive-through inspection stations on the East Coast. Volvo will equip US dealers with these high-speed, camera-based systems, which will examine the vehicles and produce reports on the spot. The company aims to expand to include most of Volvo’s 280 independent retail locations across the US.

Goldman Sachs, Galaxy Digital Announce Milestone Crypto Trade

Goldman Sachs iss pushing further into the nascent market for derivatives tied to digital assets.The firm is the first major U.S. bank to trade crypto over the counter, CNBC was first to report. Goldman traded a bitcoin-linked instrument called a non-deliverable option with crypto merchant bank Galaxy Digital, the two firms said Monday.The move is seen as a notable step in the development of crypto markets for institutional investors, in part because of the nature of OTC trades. Compared with the exchange-based CME Group bitcoin products Goldman began trading last year, the bank is taking on greater risk by acting as a principal in the transactions, according to the firms.

EU Takes Aim At Big Tech’s Power  With Landmark Digital Act

The European Union is finalizing one of the world’s most far-reaching laws to address the power of the biggest tech companies, putting in place rules that will affect app stores, online advertising, e-commerce, messaging services and other everyday digital tools. The law, called the Digital Markets Act, would be the most sweeping piece of digital policy since the bloc put the world’s toughest rules to protect people’s online data into effect in 2018. The legislation is aimed at stopping the largest tech platforms from using their interlocking services and considerable resources to box in users and squash emerging rivals, creating room for new entrants and fostering more competition.What that means practically is that companies like Google could no longer collect data from different services to offer targeted ads without users’ consent and that Apple might have to allow alternatives to its App Store on iPhones and iPads. Violators of the law, which would most likely take effect early next year, could face significant fines.The Digital Markets Act is part of a one-two punch by European regulators. As early as next month, the European Union is expected to reach an agreement on a law that would force social media companies such as Meta, the owner of Facebook and Instagram, to police their platforms more aggressively.

U.S. Securities and Exchange Commission Issues Proposed Rule Mandating Corporate Disclosure Of Greenhouse Gas Emissions

The U.S. Securities and Exchange Commission issued a 500-plus-page proposed rule Monday that would mandate corporate disclosure of greenhouse gas emissions. It builds on years of voluntary efforts.With publicly traded companies responsible for 40% of emissions, investors have been pressing the regulator for rules. The plan is “the most extensive, comprehensive and complicated disclosure initiative in decades,” said Meredith Cross, a former SEC director who’s now a partner at law firm WilmerHale.The SEC will review comments from the public during the next 60 days, and may revise its proposal before holding a vote to finalize the rule.

The Netherlands’ House Of Representatives Passes A Motion To Legalize Samples Of Cell-Cultured Meat

The Netherlands’ House of Representatives passed a motion to make the sampling of cell-cultured meat legal. The passing of the motion, proposed by the D66 and VVD parties, is being hailed by Dutch cell-cultured meat companies as an important step towards legalizing the sale of cell-cultured meat by retail businesses. Maastricht, Netherlands-based Mosa Meat was co-founded by Mark Post, who kickstarted the lab-grown meat industry when he created the world’s first cell-cultured hamburger back in 2013. The company applauded the move by its home country’s government as a first step towards legalizing the consumption of the product. The move “speaks volumes about the momentum that is building for innovation in sustainable meat production,” the company told Dutch TV organization RTL.

To read more of The Innovator’s News In Context articles click here.

About the author

Jennifer L. Schenker

Jennifer L. Schenker, an award-winning journalist, has been covering the global tech industry from Europe since 1985, working full-time, at various points in her career for the Wall Street Journal Europe, Time Magazine, International Herald Tribune, Red Herring and BusinessWeek. She is currently the editor-in-chief of The Innovator, an English-language global publication about the digital transformation of business. Jennifer was voted one of the 50 most inspiring women in technology in Europe in 2015 and 2016 and was named by Forbes Magazine in 2018 as one of the 30 women leaders disrupting tech in France. She has been a World Economic Forum Tech Pioneers judge for 20 years. She lives in Paris and has dual U.S. and French citizenship.