Okta admits the Lapsus$ hack that hit service providers and customers

Okta reports making a mistake over the breach notifications

Lapsus$ hackers continue hitting large networks
Okta admits to mistakes in its handling and reporting of the breach

The company now says it should not have stayed silent about the breach, which took place in January. New reports and documents show that Okta was in no hurry to notify anyone about the Lapsus$ hacker group breach.[1] The company denied various reports of the hackers' involvement after its own admission of responsibility last week.[2] However, the findings now lay out the full timeline and break down all the events.

Reportedly, the hacker gang breached the systems of a third-party provider linked to Okta in late January.[3] Various documents, screenshots, and reports detail the infiltration. Okta admits that trusting the service provider, and assuming that everything about the account takeover was already known, was a mistake.

Sitel, Okta's customer service provider, hired Mandiant to investigate the intrusion and the security breach. The report shows that the claim that an account takeover was not possible is untrue, and that the attack affected at least 2.5 percent of Okta's customers, equivalent to 366 customers in total. Okta has also published a FAQ answering questions about the security incident.

The five-day window for the incident

The incident occurred between January 16 and 21. The group attacked in phases: after gaining an initial foothold, it obtained privileged access to the systems, maintained persistence, moved laterally, and finished with internal reconnaissance of the network.[4]

Okta reported the indicators of compromise and its concerns to Sitel on January 21st. Sitel hired a forensic company to investigate the breach; the investigation concluded on February 28th, and the full report was received on March 17th. A few days after that, members of the Lapsus$ hacker group themselves shared details of the compromise, indicating their responsibility.

The incident response timeline detailed[5] by Bill Demirkapi, together with the documents he published, shows the mistakes Okta made:

Even when Okta received the Mandiant report in March explicitly detailing the attack, they continued to ignore the obvious signs that their environment was breached until LAPSUS$ shined a spotlight on their inaction

Hackers published Bing and Cortana source code, confirming the Microsoft breach

Microsoft had to confirm that its systems were breached by the Lapsus$ hacker group when a torrent file containing partial source code from Bing, Bing Maps, and Cortana was published. According to the company's statement, a single employee account was compromised by the hackers.[6] This was how the attackers gained access to the systems and stole the company's source code.

The official reports state that no customer data was accessed or affected in any way. The compromised account was quickly remediated, and further access to important systems was prevented. The company stated that this incident does not create any security risk because viewing source code does not lead to security issues.

The group's tactics and techniques were published after this incident, based on observations by the Microsoft Threat Intelligence Center (MSTIC) during the attack investigation. These findings show that the group particularly targets organizations in South America and the UK: typically government institutions and companies in the telecom, media, retail, healthcare, and technology sectors. However, no details of the specific compromise of Microsoft accounts were revealed.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
