AUSCERT Security Bulletin
Lapsus$ targeting organizations for data exfiltration and destruction
24 March 2022
AusCERT Security Bulletin Summary
Product: Lapsus$ Okta incident
Okta, Inc., a publicly traded identity and access management company, is investigating a digital breach after the LAPSUS$ ransomware group shared screenshots of what they said was internal information.
Okta, Inc. stated in a blog post that the screenshots originated from a device owned and managed by a third-party provider, Sitel Group.
What should I do?
Be alert, but not alarmed.
Microsoft has released a detailed blog on the attack.
The recommendations from the Microsoft blog are:
1. Strengthen MFA implementation
2. Require healthy and trusted endpoints
3. Leverage modern authentication options for VPNs
4. Strengthen and monitor your cloud security posture
5. Improve awareness of social engineering attacks
6. Establish operational security processes in response to DEV-0537 intrusions
Review and act accordingly.
What is AusCERT doing?
1. Indicators of compromise related to any previous LAPSUS$ attacks will be shared with our members through CAUDIT (AHECS) ISAC MISP and AusMISP. You can retrieve this information via the automated API method or by logging in to the GUI and viewing events.
2. AusCERT's ADIR (Daily Intel Report) contains news articles covering current events.
3. We'll continue to provide incident response and advice.
 DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
 Okta says third-party breach may have impacted up to 366 customers
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.