===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2022.0073
   Lapsus$ targeting organizations for data exfiltration and destruction
                               24 March 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:    Lapsus$ Okta incident
Resolution: Mitigation

OVERVIEW

        What's happening?

        Okta, Inc., a publicly traded identity and access management company, is investigating a digital breach after the LAPSUS$ ransomware group shared screenshots of what they said was internal information.

        Okta, Inc. claimed in a blog post that the screenshots originated from a device owned and managed by a third-party provider, Sitel Group [2].


IMPACT

        What should I do? 
        
        Be alert, but not alarmed. 
        
        Microsoft has released a detailed blog on the attack [1].
        
        The recommendations from the Microsoft blog are: 
        
        1. Strengthen MFA implementation
        2. Require healthy and trusted endpoints
        3. Leverage modern authentication options for VPNs
        4. Strengthen and monitor your cloud security posture
        5. Improve awareness of social engineering attacks
        6. Establish operational security processes in response to DEV-0537 intrusions


MITIGATION

        Review and act accordingly.
        
        What is AusCERT doing? 

        1. Indicators of compromise related to any previous LAPSUS$ attacks will be shared with our members through CAUDIT (AHECS) ISAC MISP and AusMISP. You can retrieve this information via the automated API method or by logging in to the GUI and viewing events. 
        2. AusCERT's ADIR (Daily Intel Report) contains news articles that report on current events.
        3. We'll continue to provide incident response and advice.


REFERENCES

        [1] DEV-0537 criminal actor targeting organizations for data
            exfiltration and destruction
            https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

        [2] Okta says third-party breach may have impacted up to 366 customers
            https://www.itnews.com.au/news/okta-says-third-party-breach-may-have-impacted-up-to-366-customers-577767

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================