The Okta Hack: How Supply Chain Attacks Have Moved Underground

The business world has been abuzz about the Okta breach that occurred earlier this week. Okta was transparent about how it happened – and people have been questioning who is behind LAPSUS$, the group that carried out the attack. But there is a lot more to the story than meets the eye. At Cybersixgill, we see a growing and concerning trend. The Okta breach is one example of a significantly rapidly increasing number of supply chain attacks rooted in the underground. Unfortunately, like recent attacks on Nvidia and others, Okta is just the tip of the iceberg.

As is usually the case with these attacks, LAPSUS$ wasn’t interested in Okta itself. The Okta breach was a supply chain attack intended to gain access to customer credential data to start a ripple effect of attacks on Okta’s clients. The breach started with hackers gaining access to Sitel, one of Okta’s “sub-processors”, by compromising a Sitel endpoint device. Access to this endpoint, which contained the login credentials to Okta, was sold to the underground LAPSUS$ group through Initial Access Brokers (IABs). LAPSUS$ then used these credentials to log in to Okta and launch the data breach. This example demonstrates a growing trend of underground threat actors purchasing access to common SaaS applications and using them as their new beachhead to launch targeted malware – including data breaches, and ransomware and DDOS attacks – on targeted organizations.

At Cybersixgill, we actively monitor activities across numerous channels and forums in the deep, dark, and clear web, and we can see the signals of an attack in the making. For example, our team saw evidence of this ripple effect where VPN access to a major software company was sold on an IAB marketplace. Those credentials were leaked and sold in the underground just five days later for thousands of dollars. We highly suspect that these credentials were exposed as part of the ripple effect data exposure of the Okta attack.

Supply chain attacks are about infiltrating organizations through weak protection of third-party vendor applications. The SolarWinds attack in December 2021 is an example. But the new wave of attacks we’re seeing demonstrates the simplicity of penetrating and creating a beachhead without complex exploitation of software. Threat actors need only steal SaaS credentials and they’re in – which gives them access to a multitude of SaaS applications like Jira, AWS, Slack, Salesforce, and Citrix, to name a few. As we begin to see more and more examples of this, our aim is to ensure companies are prepared.

What you can do

You can take three essential steps to better protect your organization's systems and stay ahead of malicious actors.

Tighten security hygiene and password policies  Ensure that employees change their passwords regularly and frequently and don’t use the same passwords for work as for personal accounts. Most companies already have SSO solutions in place, which are not 100% failsafe (as the Okta breach demonstrated), but they add an extra step to improving security and are worth putting in place. 

Validate the security of your SaaS applications – both sanctioned and unsanctioned Sanctioned SaaS applications are tested and approved by IT. However, employees also use unsanctioned applications without going through proper channels. Therefore, it’s critical to test and validate applications on a frequent and continuous basis, as changes in your environment can impact their security. It would help if you were sure that the third-party apps you’re using are from a trusted provider and understand the security technology behind their software.

Take preemptive measures to discover when and where you have been compromised Threat intelligence should give you a thorough analysis of the apps you’re using, if they’re a target, and where you may have been compromised. This data allows you to preemptively stop an attacker in its tracks rather than perform damage control after an attack makes the headlines.

The timely and comprehensive threat intelligence that Cybersixgill provides is like having an early warning system in place, so you know if you’re targeted and if your systems are compromised. Once these activities are discovered, you can take action and stop the attackers before they impact your business.

If you are interested in having us perform an assessment of your environment to securely find out where vulnerabilities may be positioned, please contact us.