By: Ravie Lakshmanan
Authentication services provider Okta on Wednesday named Sitel as the third-party linked to a security incident experienced by the company in late January that allowed the LAPSUS$ extortion gang to remotely take over an internal account belonging to a customer support engineer.
The company added that 366 corporate customers, or about 2.5% of its customer base, may have been impacted by the “highly constrained” compromise.
“On January 20, 2022, the Okta Security team was alerted that a new factor was added to a Sitel customer support engineer’ Okta account [from a new location],” Okta’s Chief Security Officer, David Bradbury, said in a statement. “This factor was a password.”
The disclosure comes after LAPSUS$ posted screenshots of Okta’s apps and systems earlier this week, about two months after the hackers gain access to the company’s internal network over a five-day period between January 16 and 21, 2022 using remote desktop protocol (RDP) until the MFA activity was detected and the account was suspended pending further probe.
Although the company initially attempted to downplay the incident, the LAPSUS$ group called out the San Francisco-based company for what it alleged were lies, stating “I’m STILL unsure how it’s a [sic] unsuccessful attempt? Logged in to [sic] the SuperUser portal with the ability to reset the Password and MFA of ~95% of clients isn’t successful?”
Contrary to its name, SuperUser, Okta said, is used to perform basic management functions associated with its customer tenants and operates with the principle of least privilege (PoLP) in mind, granting support personnel access to only those resources that are pertinent to their roles.
Okta, which has faced criticism for its delay in notifying customers about the incident, noted that it shared indicators of compromise with Sitel on January 21, which then engaged the services of an unnamed forensic firm that, in turn, went on to carry out the investigation and share its findings on March 10, 2022.
According to a timeline of events shared by the company, “Okta received a summary report about the incident from Sitel” last week on March 17, 2022.
“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report,” Bradbury said. “Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.”
“If you’re confused about Okta saying the ‘service has not been breached,’ remember that the statement is purely a legal word soup,” security researcher Runa Sandvik said on Twitter. “Fact is that a third-party was breached; that breach affected Okta; failure to disclose it affected Okta’s customers.”
A 16-year-old behind LAPSUS$?
The security breaches of Okta and Microsoft are the latest in a rampage of infiltrations staged by the LAPSUS$ group, which has also hit high-profile victims like Impresa, NVIDIA, Samsung, Vodafone, and Ubisoft. It’s also known for publicizing its conquests on an active Telegram channel that has over 46,200 members.
Cybersecurity firm Check Point described LAPSUS$ as a “Portuguese hacking group from Brazil,” with Microsoft calling out its “unique blend of tradecraft” that involves targeting its victims with SIM swapping, unpatched server flaws, dark web reconnaissance, and phone-based phishing tactics.
“The real motivation of the group is still unclear however, even if it claims to be purely financially motivated,” the Israeli company said. “LAPSUS$ has a strong engagement with their followers, and even posts interactive polls on who their next unfortunate target should be.”
But in an interesting twist, Bloomberg reported that “a 16-year-old living at his mother’s house near Oxford, England” might be the brains behind the operation, citing four researchers investigating the group. Another member of LAPSUS$ is suspected to be a teenager living in Brazil.
What’s more, the alleged teen hacker, who goes by the online alias “White” and “breachbase,” may also have had a role in the intrusion at game maker Electronic Arts (EA) last July, going by cybersecurity expert Brian Krebs’ latest report detailing the activities of a core LAPSUS$ member nicknamed “Oklaqq” aka “WhiteDoxbin.”
“Back in May 2021, WhiteDoxbin’s Telegram ID was used to create an account on a Telegram-based service for launching distributed denial-of-service (DDoS) attacks, where they introduced themself as ‘@breachbase,'” Krebs noted. “News of EA’s hack last year was first posted to the cybercriminal underground by the user ‘Breachbase’ on the English-language hacker community RaidForums, which was recently seized by the FBI.”