This Tuesday, March 22, shortly after 4 p.m., the Lapsus$ group claimed a cyber attack against Okta on its Telegram channel and shared 8 screenshots in support of its claims. After a start to its crisis communication that was difficult, to say the least, the vendor is trying to reassure its customers as much as possible.
Okta's security chief, David Bradbury, issued several statements and held a conference over Zoom this Wednesday, March 23, without acknowledging any breach of the vendor itself.
The screenshots published by Lapsus$ suggest that an attacker "gained remote access via RDP" to a workstation, specifically that of a support engineer at the subcontractor Sitel (or rather Sykes, which Sitel acquired). From there, the attacker was able to use Okta's internal SuperUser application. But according to Okta, this application "does not provide 'god-level' access to all of its users": "It is an application built on a least-privilege policy to ensure that support engineers have only the specific access required to perform their duties. They cannot create or delete users for their customers. They cannot download databases, and they cannot access our source code repositories," says David Bradbury.
In fact, it all started on January 20. On that date, Okta's security team received an alert: someone was trying to add a "new MFA factor to a Sitel customer support engineer's Okta account". The attempt failed, but the account was reset and the contractor was notified. All of this took place within the space of about an hour, around midnight. Okta notified Sitel after 5 p.m.
But the incident does not seem to have worried Okta much beyond that. A third party investigated at Sitel until February 28, 2022. Its report is dated March 10. A week later, Okta received only a "summary" report. It was only following Lapsus$'s claims that the vendor received the full report, on March 22.
David Bradbury says he is "disappointed" by the time that elapsed between the notification to Sitel and the delivery of the full investigation report. According to him, Okta only reacted "after receiving the summary report". But the vendor could have put more pressure on the subcontractor from the initial notification onward.
The timeline provided by David Bradbury raises further questions: why did Lapsus$ wait two months to make its claims? Is it pure coincidence that the date chosen by the group was five days after the summary investigation report was delivered to Okta? A first lead seems quite plausible: Microsoft indicated that Lapsus$ had been observed "joining calls and internal discussion forums (Slack, group chats, conference calls, etc.) to understand incident response workflows".
Okta is not just any leader in access management in Gartner's Magic Quadrant: a quick search suggests that its solutions are used by many companies and public bodies around the world, such as Engie, Rapid7, Concur, Backmarket, Deloitte, Blablacar and Emeris.
David Bradbury confirms that Sitel is examining the logs of its staff's activity "to determine whether the maximum potential impact is 366 customers", or 2.5% of its installed base. This says nothing about the nature of the potential impact. But since Lapsus$ was able to access the support engineer's workstation between January 16 and 21, the customers concerned will "receive a report showing the actions taken by Sitel on their Okta tenant".