Outsourcing part of your information system is not always a good idea, especially when the security of the third-party company is poor. In this respect, the Okta hack is becoming a textbook case. We already know that the Lapsus$ hackers set foot on the platform through Sitel, an Okta subcontractor. Security analyst Bill Demirkapi has now obtained the forensic report that Mandiant produced for Sitel, along with the breach notice the company sent to its clients and partners.
These documents were shared with Wired and TechCrunch. They indicate that the hackers obtained initial access through a VPN gateway operated by Sykes, a subsidiary acquired in 2021. The hackers managed to steal a user's access to this network service. The sequence of events can be read in the forensic report that Bill Demirkapi published on Twitter. It turns out it was a real walk in the park.
The first link in the chain was forged on January 16th and the last on January 21st. In between, the hackers progressed step by step, without much concern for operational security. They used the Internet connection of the compromised workstations to download the hacking tools they needed from GitHub. They downloaded and ran Process Explorer and Process Hacker to find and disable the local FireEye security software. They downloaded and ran Mimikatz to collect authentication tokens stored locally and escalate their privileges, which gave them access to other machines on the network.
On one machine (a stroke of luck) they found an Excel sheet containing administrator passwords: an export from the LastPass password manager. Using this information, the hackers were able to quietly create their own admin account, which they could then use to log in. In other words, a backdoor. The journey ended, still unhindered, with a rule forwarding the mail of certain email accounts to accounts controlled by the hackers. It is always good to be informed.
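Each step of the intrusion described above leaves a trace a defender can look for: tools like Process Explorer or Process Hacker appearing in a user's download folder, a security agent service stopping, Mimikatz on disk, a new local account being added to the administrators group, and a mailbox forwarding rule pointing outside the organisation. The following script is an added example and is not code from the article, from Mandiant or from Sitel; the log lines, the host names, the account name and the service name "EdrAgentSvc" are all constructed for illustration, while the Windows event IDs 4720 (account created) and 4732 (member added to a local group) and the Exchange cmdlet New-InboxRule are real. It reconstructs the order of the stages across the timeline and flags hosts where more than one stage was observed.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not taken from the Mandiant report).
# Shape of each line: "<timestamp> <host> <source> <message>".
SAMPLE_LOGS = [
    "2022-01-16T10:02:11 ws-17 proc New process: C:\\Users\\j.doe\\Downloads\\procexp64.exe",
    "2022-01-16T10:04:53 ws-17 proc New process: C:\\Users\\j.doe\\Downloads\\ProcessHacker.exe",
    "2022-01-16T10:05:10 ws-17 svc Service 'EdrAgentSvc' state changed to STOPPED",
    "2022-01-17T08:31:44 ws-17 proc New process: C:\\Temp\\mimikatz.exe",
    "2022-01-19T14:12:02 dc-01 security 4720 A user account was created. Account: svc_backup_",
    "2022-01-19T14:12:05 dc-01 security 4732 Member added to Administrators: svc_backup_",
    "2022-01-21T09:40:00 mail exchange New-InboxRule Name='fwd' ForwardTo='ext@example.net'",
    "2022-01-18T11:00:00 ws-03 proc New process: C:\\Windows\\System32\\notepad.exe",
]

# One rule per stage of the intrusion. "EdrAgentSvc" is a constructed placeholder
# for whatever the local security agent's service is actually called.
RULES = [
    ("edr_tampering_tool", re.compile(r"procexp|processhacker", re.I)),
    ("security_service_stopped", re.compile(r"Service 'EdrAgentSvc' state changed to STOPPED", re.I)),
    ("credential_dumping_tool", re.compile(r"mimikatz", re.I)),
    ("account_created", re.compile(r"\b4720\b")),
    ("admin_group_change", re.compile(r"\b4732\b.*Administrators", re.I)),
    ("mail_forwarding_rule", re.compile(r"New-InboxRule.*ForwardTo=", re.I)),
]


@dataclass
class Hit:
    timestamp: str
    host: str
    rule: str
    line: str


def parse_line(line):
    """Split a line into (timestamp, host, message); None if it is malformed."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    return parts[0], parts[1], parts[3]


def scan(lines):
    """Run every rule over every well-formed line and collect the matches."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        for name, pattern in RULES:
            if pattern.search(msg):
                hits.append(Hit(ts, host, name, line))
    return hits


def stages_in_order(hits):
    """Distinct stages in the order they were first seen (ISO timestamps sort lexically)."""
    seen = []
    for hit in sorted(hits, key=lambda h: h.timestamp):
        if hit.rule not in seen:
            seen.append(hit.rule)
    return seen


def hosts_with_multiple_stages(hits, minimum=2):
    """Hosts on which at least `minimum` different stages fired; one stage alone is noise,
    several on the same host look like a chain."""
    per_host = {}
    for hit in hits:
        per_host.setdefault(hit.host, set()).add(hit.rule)
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= minimum}


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"{h.timestamp} {h.host:6} {h.rule:26} {h.line.split(' ', 3)[3]}")
    print("chain:", " -> ".join(stages_in_order(found)))
    print("hosts with several stages:", hosts_with_multiple_stages(found))
```

The interesting output is not any single match but the chain: tampering with the security agent, then credential theft, then a new privileged account, then a forwarding rule, spread over five days. Any one of the earlier stages, alerted on the day it happened, would have cut the timeline short.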
After reviewing these documents, Bill Demirkapi put his finger on the sore spot. Why didn't Okta start an investigation immediately in January? Why did it not act even after receiving Sitel's forensic report in March? Why were Sitel's customers not notified immediately? These embarrassing questions evidently did not please Zoom, his employer, which asked him to withdraw his tweets. He was fired because he would not accept that condition.