Organizations seek answers to yet another cyber incident affecting a critical third party supplier. This piece contains a description of the recent cyber attack affecting Okta and recommended steps for all organizations as they seek to mitigate third party supply chain risk.
How Did Hackers Breach Okta?
On March 21st, 2022, the digital extortion group Lapsus$ claimed it had gained access to an administrative account for Okta, the identity management platform. According to Okta, thousands of organizations worldwide use its identity management platform to manage employee access to applications or devices. A breach of Okta’s systems represents a significant risk to Okta’s customers and the broader supply chain.
Okta issued multiple statements describing the cyber attack and its impact to customers. The initial incident occurred between January 16th-21st, 2022. On March 22nd, Okta stated that it “detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors.” This statement suggests that Okta was itself the victim of a third party incident. Okta later clarified its earlier release, stating that “the Okta service has not been breached.”
According to the latest update, Okta support engineers have limited permissions and access, which would reduce the likelihood that an attacker could breach the Okta system itself. Okta is still working on their own investigation and reaching out to customers who may have been impacted. Okta believes that the maximum potential impact is approximately 2.5% of customers.
What Should Organizations Do Next?
In light of the significant role that Okta plays within the enterprise, many organizations remain concerned about the potential implications to their own cybersecurity posture, and are struggling to understand their potential risk and exposure, including throughout their third parties landscape.
Bitsight recommends organizations pursue the following four steps:
1. If you are an Okta customer, work with Okta to determine if your organization was one of the organizations accessed by the intruders.
2. If you are an Okta customer, search Okta logs for unusual events, such as user impersonation, password or multi-factor authentication resets or changes.
3. If you are an Okta customer, search applications using Okta for authentication for unusual password or multi-factor resets or changes, particularly between January 16th and 21st, 2022 (the critical time frame identified by Okta). However, it is also important for customers to extend their search beyond these dates and look for other signs of intrusion to determine if the attackers were able to further penetrate and persist in your environment.
4. For all organizations, identify potential exposure to Okta within your supply chain. Leverage the Bitsight platform to identify which vendors in your third-party ecosystem are Okta users and may have been affected. Bitsight’s “Service Providers” filter allows customers to search for Okta users. Bitsight encourages organizations to contact impacted third parties to confirm their use of Okta, determine what steps are being taken to confirm or refute that they are impacted, and keep them apprised on the state of their investigation.
Bitsight will continue to update this Okta cyber attack blog as events warrant.