Posted on March 30, 2022 at 3:28 AM
Okta Says It Was Wrong With Approach To The Lapsus$ Hacking Incident
Following the latest hacking incident by the Lapsus$ hacking group against identity management platform Okta, the company has acknowledged that it mishandled the report of the hack.
This comes after an independent security researcher shared what seems to be a detailed timeline of events that occurred leading to the exposure of the leaked data by Lapsus$.
Okta Was Breached Through A Third-Party Firm
Bill Demirkapi published a timeline of the events on a two-page document and shared it on Twitter. According to the researcher, the document was published by Mandiant, the security firm that investigated the incident.
In the week since Lapsus$ first revealed that it compromised Okta accounts via one of the firm’s third parties, organizations and customers have been scrambling to learn the true impact of the hack. The impacted third party, Sykes Enterprises (operated by Sitel), confirmed last week that it was a victim of a hacking incident in January 2022. However, the latest leaked document about the breach notification showed a detailed timeline of the breach from January 25.
The Leaked Documents Placed Doubts On Sykes’ Security System
The documents released have now cast doubt on the strength of Sykes’ security defenses before the hacking incident. They also highlighted gaps in Okta’s response to the hack. The documents were obtained by independent security researcher Bill Demirkapi, but both Okta and Sykes have declined any further comment on the matter.
In a recent statement, Okta said it is aware of the leaked document, which appears to be a report prepared by Sitel regarding the incident. The company added that the content of the document is consistent with its own understanding of the series of events in the hacking incident.
However, Okta admitted that it should have acted swiftly to understand the implications of the report after receiving it on March 17. “We are determined to learn from and improve following this incident,” the company stated.
Okta Owns Up To Its Poor Handling Of The Situation
Okta said it delayed taking appropriate and prompt action after receiving the report on the hacking incident, and was still sitting on it when the Lapsus$ group published the breach on March 21.
Okta held the report for four days before being caught off guard when the hackers published screenshots claiming they had breached Okta, making the incident public in the process.
The lack of action by Okta put many users at risk of exploitation, since they were not warned to prepare for the release of their information online. Okta has even been blamed for the attackers’ swift move to release details of the breach online. Earlier, the company said it was not breached, assuring users and clients that their data was safe. But the latest data exposure by the threat actor has proven Okta wrong.
The “intrusion timeline” is a shocking one for a company as reputable as Okta, which holds important files for thousands of organizations. “The attack timeline is embarrassingly worrisome for the Sitel group,” Demirkapi stated. He added that the threat actors did not bother to maintain any serious level of operational security. According to Okta, the maximum potential impact of the breach is 3606 customers.
Observers Fault Okta’s Security System
According to the timeline, which was based on data collected by the security firm Mandiant, the Lapsus$ group used a very popular and widely available hacking tool to compromise Sitel’s servers.
They used a password-grabbing tool like Mimikatz to infiltrate Sitel’s systems. From the beginning, the threat actors penetrated the system and disabled security scanning tools, giving them wider access to other areas of the server. As a result, the security systems were unable to flag the hacking tools sooner and alert Sitel.
The timeline also indicated that the threat actors initially penetrated Sykes on January 16 before ramping up their attack on January 19 and 20. The attackers’ last login to the system was on January 21, which they labeled “Complete Mission.” This means the attackers planted their tools in the system and collected all the relevant data they needed before finally leaving the system without being detected.
As a result, Sykes’ security system has come under criticism, with many questioning why a company with so many resources would rely on such light security.