Lapsus$ Attack on Okta: How to Evaluate the Impact to your Organization
Zscaler Blog – Deepen Desai, Dhaval Parekh
The Zscaler Security team has developed a Security Operations Center (SOC) playbook for identity providers (IDPs), giving our security analysts and researchers fast-track access to threat identification and remediation at the user level. Suspicious behaviors, for example moving a user to a higher-access security group, changing multi-factor authentication methods, or other anomalous and potentially dangerous user actions, trigger a security action workflow.
A review of IDP logs for indicators of compromise associated with this attack should include the following steps:
Review Okta admin/super admin account audit logs.
Review cloud admin/super admin account audit logs.
Review all executive accounts, including MFA method changes.
Review new Okta account creations and compare against employee onboarding.
Review the full Okta config to check for API access, logging configs, etc.
Identify Okta accounts where MFA was disabled from January 1, 2022 to March 22, 2022.
Identify the user and root cause of the disablement.
Re-enable MFA for those accounts.
Reset passwords for Okta admins.
Reset 2-factor authentication for Okta superadmins.
Rotate Okta-generated API tokens.
Verify Okta Support access is disabled.
Verify Directory Debugger access is disabled.
Review all critical users’ access levels.
SOC Detection Rules for Okta
MFA Deactivation Attempt
MFA Reset Attempt
MFA Push Brute Force Attempt
MFA Bypass Attempt
Account Login Brute Force Attempt
User Session Impersonation
Group Administrative Privilege Assignment
User Administrative Privilege Assignment
Policy Rule Modification
Policy Rule Deletion
Policy Rule Deactivation
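As an added example (not code from the Zscaler post), the following Python maps Okta System Log events to the detection rules above and to the playbook step of listing accounts whose MFA was disabled between January 1, 2022 and March 22, 2022. The eventType strings are assumed from the Okta System Log reference and should be verified against your tenant; the push threshold and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime, timezone

# Okta System Log eventType values mapped to the playbook's detection rules.
# The strings are assumed from the Okta System Log reference; verify them in your tenant.
RULES = {
    "user.mfa.factor.deactivate": "MFA Deactivation Attempt",
    "user.mfa.factor.reset_all": "MFA Reset Attempt",
    "user.session.impersonation.initiate": "User Session Impersonation",
    "group.privilege.grant": "Group Administrative Privilege Assignment",
    "user.account.privilege.grant": "User Administrative Privilege Assignment",
    "policy.rule.update": "Policy Rule Modification",
    "policy.rule.delete": "Policy Rule Deletion",
    "policy.rule.deactivate": "Policy Rule Deactivation",
}
PUSH_EVENT, PUSH_THRESHOLD = "system.push.send_factor_verify_push", 5  # threshold is assumed
# Playbook review window for MFA disablement: January 1, 2022 to March 22, 2022 (UTC).
WINDOW = (datetime(2022, 1, 1, tzinfo=timezone.utc), datetime(2022, 3, 23, tzinfo=timezone.utc))

def triage(events):
    """Return (alerts, mfa_disabled): rule hits, plus MFA disablements inside WINDOW."""
    alerts, pushes, mfa_disabled = [], Counter(), []
    for ev in events:
        et, actor = ev["eventType"], ev["actor"]["alternateId"]
        target = ev["target"][0]["alternateId"] if ev.get("target") else actor
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if et in RULES:
            alerts.append((RULES[et], actor, target))
            if et == "user.mfa.factor.deactivate" and WINDOW[0] <= when < WINDOW[1]:
                mfa_disabled.append((target, actor, ev["published"]))  # who disabled MFA for whom
        elif et == PUSH_EVENT:
            pushes[target] += 1
    for user, n in pushes.items():
        if n >= PUSH_THRESHOLD:  # a flood of pushes to one user: push-fatigue pattern
            alerts.append(("MFA Push Brute Force Attempt", user, n))
    return alerts, mfa_disabled

def event(et, published, actor, target):
    """Minimal constructed System Log record (sample data, not real tenant logs)."""
    return {"eventType": et, "published": published,
            "actor": {"alternateId": actor}, "target": [{"alternateId": target}]}

SAMPLE = [  # constructed sample events
    event("user.mfa.factor.deactivate", "2022-03-10T08:01:00.000Z", "admin@example.com", "exec@example.com"),
    event("user.mfa.factor.deactivate", "2021-12-15T08:01:00.000Z", "admin@example.com", "old@example.com"),
    event("user.account.privilege.grant", "2022-03-10T08:02:00.000Z", "admin@example.com", "newhire@example.com"),
    event("policy.rule.deactivate", "2022-03-10T08:03:00.000Z", "admin@example.com", "Default Rule"),
] + [event(PUSH_EVENT, "2022-03-11T02:00:00.000Z", "okta-system", "exec@example.com")] * 6
```

Running `triage(SAMPLE)` yields five alerts, including the push flood against exec@example.com, and one in-window MFA disablement for the root-cause review; the December 2021 disablement is alerted but falls outside the window.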
Link: https://www.zscaler.com/blogs/security-research/lapsus-attack-okta-how-evaluate-impact-your-organization