Thursday, March 28

Independent Researcher Reveals How LAPSUS$ Hacked Okta



An independent security researcher identified as Bill Demirkapi has shared a detailed timeline of events when the notorious LAPSUS$ extortion ring broke into a third-party vendor linked to the Okta cyber incident in late January 2022.

In a set of screenshots posted on Twitter, Demirkapi leaked a detailed two-page timeline of the intrusion, allegedly prepared by Mandiant, the cybersecurity company Sitel hired to investigate the security breach. Sitel is the third-party provider that handles customer support on behalf of Okta.

Sitel revealed last week that on January 20 it was alerted that “a new factor” had been added to the account of its customer support engineer servicing Okta, an attempt it said had been blocked.

The incident did not come to light until two months later, on March 22, when LAPSUS$ posted screenshots on its Telegram channel as proof of the breach.

The malicious activity, which gave the attacker access to nearly 366 Okta customers, took place over a five-day period between January 16 and 21. During that window the intruders worked through the successive phases of the attack: privilege escalation after the initial foothold, persistence, lateral movement, and internal network reconnaissance.

Okta states that it only received a summary report on the incident from Sitel on March 17. Later, on March 22, the same day the criminal group shared the screenshots, the affected company obtained a copy of the full investigation report.

“Even when Okta received the report from Mandiant in March explicitly detailing the attack, they continued to ignore the obvious signs that their environment had been breached until LAPSUS$ made their inaction apparent,” Demirkapi wrote in a Twitter thread.


LAPSUS$ used publicly available tools downloaded from GitHub to facilitate its attack, according to the Mandiant report, including Mimikatz – a popular tool for harvesting credentials on Windows machines.

LAPSUS$ was able to simply download Mimikatz, which has been used in high-profile cyberattacks like NotPetya, from its official GitHub page and run it after disabling FireEye endpoint protection.
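The two steps the report attributes to the attackers here, endpoint protection being switched off and a well-known credential-harvesting tool being executed shortly afterwards on the same host, are exactly the kind of sequence a detection pipeline should correlate. The script below is an added example and is not code from the article, from Mandiant or from Okta; its event format, field names, host names and the sample log lines are all constructed for the illustration, and it assumes events arrive in chronological order per host.

```python
"""Added example: correlate "protection disabled" with a subsequent
credential-tool execution on the same host within a time window.
The event format and all sample lines are constructed, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample events, one per line:
#   <ISO timestamp> host=<name> event=<type> detail=<free text>
SAMPLE_EVENTS = """\
2022-01-20T09:02:11 host=SUPPORT-WS-07 event=process_start detail=outlook.exe
2022-01-20T09:15:40 host=SUPPORT-WS-07 event=protection_disabled detail=endpoint agent stopped
2022-01-20T09:21:03 host=SUPPORT-WS-07 event=process_start detail=mimikatz.exe
2022-01-20T11:00:00 host=SUPPORT-WS-02 event=protection_disabled detail=endpoint agent stopped
2022-01-21T08:45:00 host=SUPPORT-WS-02 event=process_start detail=notepad.exe
"""

# Process names treated as credential-harvesting tools (constructed list;
# in practice this would be fed from your own threat intelligence).
CREDENTIAL_TOOLS = {"mimikatz.exe"}

# How long after protection is disabled a tool launch still counts as related.
WINDOW = timedelta(hours=1)


def parse_event(line):
    """Split one constructed event line into (timestamp, host, event, detail)."""
    ts, rest = line.split(" ", 1)
    # Only three key=value fields exist, and only the last may contain spaces,
    # so limiting the split to two cuts keeps the detail text intact.
    fields = dict(kv.split("=", 1) for kv in rest.split(" ", 2))
    return datetime.fromisoformat(ts), fields["host"], fields["event"], fields["detail"]


def find_sequences(text, window=WINDOW):
    """Return one (host, disabled_at, tool_started_at, tool) tuple for every
    credential-tool launch that follows a protection_disabled event on the
    same host within `window`. Events are assumed chronological per host."""
    last_disabled = {}   # host -> time protection was most recently disabled
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = parse_event(line)
        if event == "protection_disabled":
            last_disabled[host] = ts
        elif event == "process_start" and detail.lower() in CREDENTIAL_TOOLS:
            disabled_at = last_disabled.get(host)
            if disabled_at is not None and ts - disabled_at <= window:
                hits.append((host, disabled_at, ts, detail))
    return hits


if __name__ == "__main__":
    for host, off_at, run_at, tool in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT {host}: protection disabled {off_at:%H:%M:%S}, "
              f"{tool} started {run_at:%H:%M:%S}")
```

On the constructed sample only SUPPORT-WS-07 produces an alert: protection was disabled on SUPPORT-WS-02 as well, but no credential tool ran there, and a benign process start does not qualify. The single-pass design keeps only the most recent disable time per host, which is enough for a streaming detector; a batch analysis over unordered data would need to sort by timestamp first.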

The San Francisco-based company, in a detailed FAQ posted on March 25, acknowledged that its failure to notify its users about the breach in January was a “mistake.”

“In light of the evidence we have gathered in the last week, it is clear that we would have made a different decision had we been in possession of all the facts that we have today,” Okta said.

diarioti.com
