On March 1, 2022, Okta, the cloud-based identity management company, was riding high. Okta's revenue for fiscal 2022 had just come in at $1.30 billion, up 56% year over year. Its customers included FedEx, Moody's, T-Mobile, JetBlue and ITV, and it was Federal Risk and Authorization Management Program (FedRAMP) authorized. What could go wrong? We found out three weeks later.
The hacker group LAPSUS$ revealed that it had breached Okta's systems and posted screenshots to prove it. On Telegram and social media, LAPSUS$ mocked Okta, saying, "For a service that supports authentication systems for many of the largest companies (and has been approved by FEDRAMP), I think these security measures are pretty poor."
Okta replied that there was little to see here:
"In late January 2022, Okta discovered an attempt to compromise the account of an external customer service technician working for one of our sub-processors. The matter has been investigated and contained by the sub-processor. We believe the screenshots shared online are related to this January event."
Okta concluded, “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond that detected in January.”
Later that same day, Okta’s Chief Security Officer, David Bradbury, admitted: “After a thorough analysis of these claims, we have concluded that a small percentage of Customers – approximately 2.5% – are potentially affected and whose data may have been viewed or edited. We have identified these customers and have already contacted them directly via email.”
That doesn’t sound to me like the information you’d typically find on a third-party service technician’s laptop.
Type of attack
Subsequently, Okta said that the attack had indeed come in through a Sitel support engineer's computer. The attacker had started a Remote Desktop Protocol (RDP) session on that laptop. From there, the attacker used Okta's customer-service engineer "SuperUser" application. Despite the alarming name, Okta states that it grants only read access to some data. Of far greater concern, SuperUser could also reset passwords and multi-factor authentication (MFA). For an identity provider, that is very bad news.
Sitel admitted there had been a security breach in January but did not confirm the exact details. Okta eventually admitted that the attacker may have had access to Okta's data for five days.
Still, Okta insists that while data such as Jira tickets and user lists could have been collected, there was no impact on Auth0, HIPAA, or FedRAMP customers.
However, Okta admits that since the company had known about the potential compromise since January, it should have notified its customers at the time. Instead, the company waited until the LAPSUS$ fox told the world that it had been inside the Okta henhouse.
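The check a customer can run for the attack path above is to hunt their own Okta System Log for password and MFA resets that came through support-level access rather than from their own administrators. The following is an added example written for this article, not code from Okta, Sitel or the article's author. The event type names and the actor/target field layout follow Okta's System Log schema; everything else is an assumption made here: the customer's own admins all sign in as @example.com, and the sample events are constructed, not real log data.

```python
"""Hunt the Okta System Log for password and MFA resets made through
support-level access.

Added example for this article; not code from Okta, Sitel, LAPSUS$ or the
article's author. Event type names and the actor/target field layout follow
Okta's System Log schema. Assumptions: the customer's own admins all sign in
as @example.com, and SAMPLE_LOG below is constructed, not real log data.
"""
import json

ORG_DOMAIN = "example.com"  # assumption: domain of the customer's own admins

# System Log event types that change how a user authenticates.
RESET_EVENTS = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}
# Okta Support impersonation sessions are bracketed by these event types.
IMPERSONATION_START = "user.session.impersonation.initiate"
IMPERSONATION_END = "user.session.impersonation.end"

# Constructed sample of newline-delimited System Log events (not real data).
SAMPLE_LOG = """
{"published": "2022-01-20T10:00:00.000Z", "eventType": "user.account.reset_password", "actor": {"type": "User", "alternateId": "it-admin@example.com"}, "target": [{"type": "User", "alternateId": "alice@example.com"}], "client": {"ipAddress": "203.0.113.10"}}
{"published": "2022-01-21T09:00:00.000Z", "eventType": "user.session.impersonation.initiate", "actor": {"type": "User", "alternateId": "support-engineer@vendor.example"}, "target": [], "client": {"ipAddress": "198.51.100.7"}}
{"published": "2022-01-21T09:05:00.000Z", "eventType": "user.mfa.factor.reset_all", "actor": {"type": "User", "alternateId": "support-engineer@vendor.example"}, "target": [{"type": "User", "alternateId": "bob@example.com"}], "client": {"ipAddress": "198.51.100.7"}}
{"published": "2022-01-21T09:07:00.000Z", "eventType": "user.account.reset_password", "actor": {"type": "User", "alternateId": "support-engineer@vendor.example"}, "target": [{"type": "User", "alternateId": "carol@example.com"}], "client": {"ipAddress": "198.51.100.7"}}
{"published": "2022-01-21T09:30:00.000Z", "eventType": "user.session.impersonation.end", "actor": {"type": "User", "alternateId": "support-engineer@vendor.example"}, "target": [], "client": {"ipAddress": "198.51.100.7"}}
{"published": "2022-01-21T12:00:00.000Z", "eventType": "user.mfa.factor.deactivate", "actor": {"type": "User", "alternateId": "it-admin@example.com"}, "target": [{"type": "User", "alternateId": "dave@example.com"}], "client": {"ipAddress": "203.0.113.10"}}
{"published": "2022-01-22T13:00:00.000Z", "eventType": "user.account.reset_password", "actor": {"type": "User", "alternateId": "helpdesk@contractor.example"}, "target": [{"type": "User", "alternateId": "erin@example.com"}], "client": {"ipAddress": "192.0.2.55"}}
"""


def parse_events(ndjson_text):
    """Parse newline-delimited JSON events and order them by publish time."""
    events = [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["published"])  # ISO-8601 UTC strings sort correctly
    return events


def _user_target(event):
    """Return the alternateId of the first User target of an event, if any."""
    for t in event.get("target") or []:
        if t.get("type") == "User":
            return t.get("alternateId")
    return None


def find_suspicious_resets(events, org_domain=ORG_DOMAIN):
    """Return reset events performed by an actor outside org_domain, or while
    an Okta Support impersonation session was open. Each finding says why."""
    findings = []
    impersonation_open = False
    for e in events:
        etype = e.get("eventType")
        if etype == IMPERSONATION_START:
            impersonation_open = True
            continue
        if etype == IMPERSONATION_END:
            impersonation_open = False
            continue
        if etype not in RESET_EVENTS:
            continue
        actor = (e.get("actor") or {}).get("alternateId", "")
        reasons = []
        if not actor.lower().endswith("@" + org_domain.lower()):
            reasons.append("actor outside " + org_domain)
        if impersonation_open:
            reasons.append("during support impersonation session")
        if reasons:
            findings.append({
                "published": e["published"],
                "eventType": etype,
                "actor": actor,
                "target": _user_target(e),
                "ip": (e.get("client") or {}).get("ipAddress"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(f["published"], f["eventType"], f["actor"], "->", f["target"],
              ";", ", ".join(f["reasons"]))
```

Run against a real export, the same two signals matter: who performed the reset (an identity outside your own admin population) and whether an Okta Support impersonation session was open at the time. The single open/closed flag is deliberately simple; if your tenant can have several support sessions open at once, track them per session rather than as one boolean.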
Worse than initially admitted
Now the attack appears to have been even worse than Okta first admitted. Independent security researcher Bill Demirkapi tweeted that LAPSUS$ created "backdoor users in Sitel's environment after retrieving an Excel document with the conspicuous title 'DomAdmins-LastPass.xlsx'."
Yes, that is one more big red flag.
Demirkapi asks the very good questions: "My questions for Okta: You knew that one of your account executives' machines was compromised back in January. Why didn't you examine it? The ability to detect an attack is useless if you're not prepared to respond to it." And even when Okta received Mandiant's March incident report explicitly describing the attack, it continued to ignore the obvious signs that it had been breached until LAPSUS$ spotlighted its inaction.
He doesn't let Sitel off the hook either: "Why weren't your customers informed immediately, at the first sign of compromise? Why did your customers have to wait two months to even know you were breached?"
All good questions and there are no good answers.
As for LAPSUS$? British police have arrested a 16-year-old boy in Oxford and six other teenagers and young adults for allegedly being behind the group. Apparently, they used simple social engineering against help-desk staff to break into companies. They also openly advertised for insiders willing to compromise their own employers.
Once inside, as Demirkapi pointed out, they "used standard tools from GitHub for most of their attacks."
So it seems this large cybercrime group is only a step above the script kiddies in technical expertise.
That did not stop them. A company like Okta and its partners, handling something as important as enterprise single sign-on (SSO), obviously need to do better with their own security. A security chain is only as strong as its weakest link.
Okta and companies like it also need to be more transparent with their customers. If there is even a chance that user credentials have been compromised, customers need to be told. It's that simple. Nobody likes to admit security failures, but waiting until a breach is exposed by the attackers themselves only makes you look worse.
Featured image via Pixabay.