Okta says document ‘appears’ to be part of Lapsus$ infringement report

We’re excited to bring Transform 2022 back in person on July 19 and virtually July 20 – August 3. Join AI and data leaders for insightful conversations and exciting networking opportunities. Learn more

Okta has said a supposedly leaked timeline for the January Lapsus$ breach, which may have affected up to 366 Okta customers, appears to be part of the report on the incident.

During the Jan. 16-21 breach, the hacker group Lapsus$ had access to the system of a support engineer at Sitel, a third-party Okta service provider, Okta said.

On Twitter Monday, independent security researcher Bill Demirkapi Posted a two-page “break-in timeline” for the incident.

In the wake of the January break-in, Sitel hired a cyberforensics firm to investigate the incident. Demirkapi identified the forensic firm as Mandiant.

In response to a VentureBeat inquiry into Demirkapis afterOkta has not disputed the authenticity of the documents.

“We are aware of the public disclosure of what appears to be part of a report Sitel prepared regarding the incident,” Okta said in a statement provided to VentureBeat on Monday.

The contents of the documents are “consistent” with the timetable for the infringement previously disclosed by Okta, the company said.

Mandiant declined to comment and Sitel did not respond to a request for comment.

The January breach was only disclosed by Okta last Tuesday, after Lapsus$ posted screenshots to Telegram as evidence of the breach.

Okta said it received a summary report on the incident from Sitel on March 17.

“Okta is strongly committed to the safety of our customers,” the company said in a statement to VentureBeat on Monday. “When we received this summary report from Sitel on March 17, we should have acted faster to understand its implications. We are determined to learn from this incident and improve.”

New details

The Mandiant timeline shared by Demirkapi starts on January 16, with Sitel’s first compromise.

The detailed timeline previously posted by Okta starts on January 20 and does not detail what happened before that point.

Okta has said it could not provide details of the incident before January 20 – when the company was first notified of the attack – because it had no evidence of the hacker group’s activities until the January 20 warning.

The document shared by Demirkapi traces the threat actor’s activities from initial compromise, to privilege escalation, to lateral movement and internal reconnaissance, to establishing a foothold in the system. The document states that the attacker completed a “complete mission” on January 21.

On Friday, Okta apologized for handling the January breach. The identity security provider “made a mistake” in its response to the incident and “should have been more active and forceful in enforcing information” about what happened in the breach, the company said.

The apology followed a debate in the cybersecurity community over Okta’s lack of disclosure of the two-month-old incident. Friday’s Okta statement didn’t stop saying that the company believes it should have disclosed what it knew earlier.

However, Okta has said that Sitel’s support engineers have “restricted” access and that third-party support engineers cannot create users, delete users, or download customer databases.

“We are confident in our conclusions that the Okta service has not been breached and that our customers do not need to take corrective action,” Okta said Friday. “We are confident in this conclusion because Sitel (and thus the threat actor who only had the access Sitel had) was unable to create or delete users, or download customer databases.”

VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more

This post Okta says document ‘appears’ to be part of Lapsus$ infringement report

was original published at “https://venturebeat.com/2022/03/28/okta-says-document-appears-to-be-part-of-report-on-lapsus-breach/”