Published:
24 March 2022
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2022.0073
   Lapsus$ targeting organizations for data exfiltration and destruction
                               24 March 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Lapsus$ Okta incident
Resolution:        Mitigation

OVERVIEW

        What's happening?

        Okta, Inc., a publicly traded identity and access management
        company, is investigating a digital breach after the LAPSUS$
        ransomware group shared screenshots of what they said was internal
        information.

        Okta, Inc. published a blog post stating that the screenshots
        originated from a device owned and managed by a third-party
        provider, Sitel Group [2].


IMPACT

        What should I do?

        Be alert, but not alarmed.

        Microsoft has released a detailed blog on the attack [1].

        The recommendations from the Microsoft blog are:

        1. Strengthen MFA implementation
        2. Require healthy and trusted endpoints
        3. Leverage modern authentication options for VPNs
        4. Strengthen and monitor your cloud security posture
        5. Improve awareness of social engineering attacks
        6. Establish operational security processes in response to
           DEV-0537 intrusions


MITIGATION

        Review and act accordingly.

        What is AusCERT doing?

        1. Indicators of compromise related to any previous LAPSUS$
           attacks will be shared with our members through CAUDIT (AHECS)
           ISAC MISP and AusMISP. You can retrieve this information via
           the automated API method or by logging in to the GUI and
           viewing events.
        2. AusCERT's ADIR (Daily Intel Report) contains news articles
           which inform about current events.
        3. We'll continue to provide incident response and advice.


REFERENCES

        [1] DEV-0537 criminal actor targeting organizations for data
            exfiltration and destruction
            https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

        [2] Okta says third-party breach may have impacted up to 366
            customers
            https://www.itnews.com.au/news/okta-says-third-party-breach-may-have-impacted-up-to-366-customers-577767

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================