Okta Breach Update

Many of you will have seen various articles regarding the Laspsus$ extortion group and recently publicised breaches. LAPSUS$ is a relatively new cybercrime group specialising in stealing data from large companies and threatening to publish it unless a ransom demand is paid. The group denies any state links or interest in politics as their activities suggest a loosely collected group compared to a disciplined organisation. The group have gained notoriety by compromising several high-profile companies in the technology sector, including the identity management platform Okta. eacs would like to confirm that we do not use Okta as an identity management tool.

Lapsus$ have made public claims that they had gained access to Microsoft and exfiltrated portions of source code. Microsoft has confirmed that no customer code or data was involved in the observed activities. Their investigation found that a single account had been compromised, granting limited access. Microsoft’s cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure, and viewing source code does not lead to the elevation of risk. Microsoft was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated action allowing intervention to interrupt the actor in mid-operation, limiting broader impact.

For a long time now, eacs has been recommending that all our clients enforce Multi-Factor Authentication and Conditional Access as a means to secure your environment, and incidents such as this put the need for this very much in the spotlight. Based on further analysis, eacs is recommending that all clients consider the following steps:

• Increase your insider threat monitoring. eacs can assist you in strengthening your defence by putting in place machine learning detection that has been trained on normal system activities to alert when employees are doing something outside their usual routine or potentially going rogue.  
• Implement security education and awareness training to your users to recognise social engineering attacks and identify phishing
• Segregate your network with distinct trust levels and implement access control with a need to know basis on your environment
• Use an authentication app to secure your 2FA login codes rather than telephony-based MFA methods to avoid risks associated with SIM jacking.
• Strengthen and monitor your cloud security posture by implementing Conditional Access and session risk configurations such as blocking high sign-in risks
• Establish operation security processes such as Incident response communications.
• Patch all systems and applications. eacs can confirm that we are applying all system and security patches as required for all clients for whom we provide this as part of their managed service.

If you are concerned or have any questions, please don’t hesitate to contact your Service Delivery Manager or a member of our team on 0800 8047 256.