Okta, a prominent provider of authentication services, has identified security firm Sitel as a third-party entity involved in a critical security breach that occurred in late January. This incident permitted the LAPSUS$ extortion gang to gain unauthorized access to an internal account assigned to a customer support engineer. The breach potentially impacted about 2.5% of Okta’s corporate clientele, roughly 366 customers.
On January 20, 2022, Okta’s Security team received alerts about the addition of a new authentication factor from a previously unseen location associated with a Sitel engineer’s Okta account. Chief Security Officer David Bradbury clarified that this added factor was a password, indicating a breach of access controls that merited further investigation.
The revelation comes in light of recent actions by the LAPSUS$ group, which shared screenshots of Okta’s internal applications just days ago. The hackers had established access to the company’s network for a five-day period from January 16 to 21, utilizing remote desktop protocol (RDP) until multi-factor authentication (MFA) alerts prompted a suspension of the compromised account.
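The alert described above, a new authentication factor added to an account from a location never seen for that account, is a detection that can be written down concretely. The following is an added example, not code from Okta, Sitel or the article: it runs a first-seen-location check over a handful of constructed Okta-style System Log events. The event type names (user.mfa.factor.activate, user.session.start) and field paths (client.ipAddress, client.geographicalContext) are assumptions that mirror the public System Log shape and should be verified against a real tenant; the accounts, IPs and countries are made up.

```python
"""Flag authentication-factor enrollments that originate from a country the
account has never been observed in before, over Okta-style System Log events."""
from collections import defaultdict

# Event types treated as "a factor was added or changed" (assumption: names
# follow Okta System Log naming; confirm against your tenant before relying on it).
FACTOR_ENROLLMENT_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.update"}
# Event types that establish where an account normally operates from.
BASELINE_EVENTS = {"user.session.start", "user.authentication.sso"}

# Constructed sample events (not data from the article); fields mirror the System Log shape.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2022-01-18T09:00:00.000Z",
     "actor": {"alternateId": "support.eng@example.test"},
     "client": {"ipAddress": "203.0.113.10",
                "geographicalContext": {"country": "Country A", "city": "City A"}}},
    {"eventType": "user.session.start", "published": "2022-01-19T09:05:00.000Z",
     "actor": {"alternateId": "support.eng@example.test"},
     "client": {"ipAddress": "203.0.113.11",
                "geographicalContext": {"country": "Country A", "city": "City A"}}},
    # Benign enrollment: same account, same country as its earlier sessions.
    {"eventType": "user.session.start", "published": "2022-01-19T10:00:00.000Z",
     "actor": {"alternateId": "second.user@example.test"},
     "client": {"ipAddress": "203.0.113.20",
                "geographicalContext": {"country": "Country A", "city": "City A"}}},
    {"eventType": "user.mfa.factor.activate", "published": "2022-01-19T10:02:00.000Z",
     "actor": {"alternateId": "second.user@example.test"},
     "client": {"ipAddress": "203.0.113.20",
                "geographicalContext": {"country": "Country A", "city": "City A"}}},
    # Suspicious enrollment: factor added from a country never seen for this account.
    {"eventType": "user.mfa.factor.activate", "published": "2022-01-20T21:40:00.000Z",
     "actor": {"alternateId": "support.eng@example.test"},
     "client": {"ipAddress": "198.51.100.7",
                "geographicalContext": {"country": "Country B", "city": "City B"}}},
]


def location_of(event):
    """Return (country, city) from the event's client geo block, tolerating missing fields."""
    geo = event.get("client", {}).get("geographicalContext") or {}
    return (geo.get("country", "unknown"), geo.get("city", "unknown"))


def detect_new_location_factor_enrollments(events):
    """Return one alert per factor enrollment whose country was not previously seen
    for the actor. Events are processed in published order so the baseline contains
    only activity that happened before each enrollment. Note that an account with no
    prior history is flagged on its first enrollment; tune that for onboarding flows."""
    seen_countries = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        actor = ev["actor"]["alternateId"]
        country, city = location_of(ev)
        if ev["eventType"] in FACTOR_ENROLLMENT_EVENTS and country not in seen_countries[actor]:
            alerts.append({
                "actor": actor,
                "eventType": ev["eventType"],
                "published": ev["published"],
                "ip": ev.get("client", {}).get("ipAddress"),
                "location": f"{city}, {country}",
                "known_countries": sorted(seen_countries[actor]),
            })
        # Every relevant event, the enrollment included, extends the baseline afterwards.
        if ev["eventType"] in BASELINE_EVENTS | FACTOR_ENROLLMENT_EVENTS:
            seen_countries[actor].add(country)
    return alerts


if __name__ == "__main__":
    for alert in detect_new_location_factor_enrollments(SAMPLE_EVENTS):
        print(f"ALERT {alert['published']} {alert['actor']} added a factor from "
              f"{alert['location']} ({alert['ip']}); previously seen in {alert['known_countries']}")
```

Run against the constructed events, the check raises exactly one alert, for the support account's enrollment from Country B, and stays quiet for the account whose enrollment matched its existing baseline. In practice the baseline would be built from weeks of history rather than a few events, and the alert would feed the same response the article describes: suspend the account and review the session that added the factor.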
While Okta initially characterized the event as a minor incident, LAPSUS$ rebutted this claim, accusing the company of misrepresentation. The group highlighted their access to Okta’s SuperUser portal, which they asserted allowed them to reset passwords and MFA settings for nearly 95% of Okta’s clients. Okta defended its use of the SuperUser designation, stating that it maintains a principle of least privilege, granting support personnel limited access pertinent to their roles.
Furthermore, Okta faced scrutiny for delays in informing affected customers. On January 21, the company shared indicators of compromise with Sitel, which then enlisted an unnamed forensic firm to conduct an investigation. A summary report regarding the incident was ultimately provided to Okta on March 17, leading Bradbury to express regret over the time taken to analyze its implications thoroughly.
Security expert Runa Sandvik argued that Okta’s assertion that “the service has not been breached” was misleading. Sandvik reiterated that the breach of a third-party vendor had indeed affected Okta and its customers, underscoring the complexities of supply chain security in the cybersecurity landscape.
Meanwhile, the LAPSUS$ group continues to carry out its campaign of infiltrations, having targeted various high-profile companies, including NVIDIA and Samsung. Analysts classify this group as a unique cybercriminal organization, employing mixed strategies such as SIM swapping and the exploitation of unpatched vulnerabilities to orchestrate attacks. Check Point, a cybersecurity firm, noted the group’s significant engagement with followers through channels like Telegram, where they even solicit input on future targets.
In an intriguing turn, reports have emerged suggesting that a 16-year-old living in Oxford, England, could potentially be behind the LAPSUS$ operations. This individual, along with others, allegedly played a role in previous attacks, including a breach of Electronic Arts (EA). The activities associated with LAPSUS$ exemplify a growing trend of youth involvement in high-stakes cybercrime.
As this situation unfolds, business owners should remain vigilant regarding third-party access to sensitive systems. Leveraging frameworks like the MITRE ATT&CK Matrix can provide insight into the tactics and techniques that may have been employed in this breach, such as initial access from compromised credentials and subsequent privilege escalation through the exploitation of privileged-access accounts. Awareness and preparedness remain critical elements in safeguarding against similar incidents.