Okta warns 366 customers could potentially be impacted by Lapsus$ hack

Lapsus$ has also claimed responsibility for separate hacks against Microsoft and Nvidia

Okta Chief Security Officer David Bradbury warned on Wednesday that a total of 366 customers could potentially be impacted after hacking group Lapsus$ gained remote access to a support engineer's computer at third-party sub-processor Sitel from Jan. 16-21.  


The authentication firm's security team received an alert on Jan. 20 that a new password was added to a Sitel employee’s Okta account from a new location. Okta's security team immediately investigated the alert, worked with its service desk to contain and reset the user's account and notified Sitel, which partnered with a forensic firm to perform an investigation. The investigation was conducted until Feb. 28, with findings given to Sitel on March 17.
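The alert described above is the kind of check a defender can reproduce from Okta System Log data: a credential change by an account from a location that account has not been seen at recently. The example below is added here and is not Okta's or Sitel's tooling; the field names follow the Okta System Log schema, but the records, the actor names, the 30-day baseline window and the choice of `user.account.update_password` as the only event type of interest are constructed assumptions.

```python
"""Flag credential changes that come from a location the account has not
used within a baseline window (constructed example, not Okta's own code)."""
from datetime import datetime, timedelta

# Constructed System Log-style events. Field names follow Okta's schema;
# every value below is invented for illustration.
EVENTS = [
    {"published": "2022-01-10T09:12:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "engineer@example.invalid"},
     "client": {"geographicalContext": {"city": "Manila", "country": "Philippines"}}},
    {"published": "2022-01-12T11:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "other@example.invalid"},
     "client": {"geographicalContext": {"city": "Manila", "country": "Philippines"}}},
    {"published": "2022-01-14T10:30:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "engineer@example.invalid"},
     "client": {"geographicalContext": {"city": "Manila", "country": "Philippines"}}},
    {"published": "2022-01-20T03:05:00Z", "eventType": "user.account.update_password",
     "actor": {"alternateId": "engineer@example.invalid"},
     "client": {"geographicalContext": {"city": "Leeds", "country": "United Kingdom"}}},
    {"published": "2022-01-20T08:00:00Z", "eventType": "user.account.update_password",
     "actor": {"alternateId": "other@example.invalid"},
     "client": {"geographicalContext": {"city": "Manila", "country": "Philippines"}}},
]

CREDENTIAL_EVENTS = {"user.account.update_password"}  # assumption: the only change type checked here
BASELINE_DAYS = 30  # assumption: how far back to look for the account's known locations


def _location(event):
    geo = event["client"]["geographicalContext"]
    return (geo.get("city"), geo.get("country"))


def _when(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def credential_changes_from_new_location(events, baseline_days=BASELINE_DAYS):
    """Return (actor, location, timestamp) for every credential change whose
    location the same actor was not seen at during the preceding window."""
    ordered = sorted(events, key=_when)
    findings = []
    for i, ev in enumerate(ordered):
        if ev["eventType"] not in CREDENTIAL_EVENTS:
            continue
        actor = ev["actor"]["alternateId"]
        since = _when(ev) - timedelta(days=baseline_days)
        # Locations this actor used earlier in the window, from any event type.
        known = {_location(p) for p in ordered[:i]
                 if p["actor"]["alternateId"] == actor and _when(p) >= since}
        if _location(ev) not in known:
            findings.append((actor, _location(ev), ev["published"]))
    return findings
```

An account with no prior activity inside the window is flagged as well, since there is no baseline to compare against; shortening `baseline_days` therefore raises the number of findings.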

On Tuesday, Okta received the complete investigation report from Sitel after Lapsus$ shared screenshots of Okta's internal systems online. Okta's investigation determined that the screenshots were linked to the January incident and that Lapsus$ had obtained remote access using the Remote Desktop Protocol (RDP).

"While the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session," Bradbury said. "I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications."


According to Okta, Sitel's support engineers use an internally built application called SuperUser to perform basic management functions of Okta customer tenants. The program allows them to use customer support tools including Jira, Slack, Splunk, RingCentral, and support tickets through Salesforce. However, they are unable to create or delete users, download customer databases or access source code repositories. 

The 366 potentially impacted customers account for approximately 2.5% of customers whose Okta tenant was accessed by Sitel. Okta noted it would receive a report that shows actions performed on their Okta tenant by Sitel during the five-day window when Lapsus$ had access.

"As with all security incidents, there are many opportunities for us to improve our processes and our communications," Bradbury added. "I’m confident that we are moving in the right direction and this incident will only serve to strengthen our commitment to security."


As of Jan. 31, more than 15,000 customers across nearly every industry use the Okta Identity Cloud to secure and manage identities around the world, including more than 3,100 customers with an annual contract value greater than $100,000. 

Okta's customers include universities, nonprofits, government agencies, organizations with fewer than 100 employees and companies in the Fortune 50 with up to hundreds of thousands of employees. 

Examples listed on its website include Lululemon, Grubhub, JetBlue Airways, Peloton, Sonos and T-Mobile.


Lapsus$, also known as DEV-0537, steals sensitive data from its victims and then uses it for extortion.

Its tactics include phone-based social engineering; SIM-swapping; accessing personal email accounts of employees; paying employees, suppliers, or business partners for access to credentials and multifactor authentication (MFA) approval; and intruding in the crisis-communication calls and internal communications platforms of their targets.

The group has targeted organizations across the globe in government, technology, telecom, media, retail, and health care sectors as well as individual user accounts at cryptocurrency exchanges. 

In addition to Okta, Microsoft revealed on Tuesday that Lapsus$ gained "limited access" to a single compromised account. Lapsus$ also previously claimed responsibility for an incident in which Nvidia employee credentials and roughly 1 terabyte of company data were stolen. Other Lapsus$ victims have reportedly included Samsung, video game giant Ubisoft, Brazil's Ministry of Health, and Portuguese media group Impresa and its weekly newspaper Expresso.