Outsourcing part of your information system is not always a good idea, especially if the third party's security level is poor. From this point of view, the Okta hack will probably become a textbook case. We already knew that the Lapsus$ hackers had gained a foothold in the platform through Sitel, an Okta subcontractor. Security researcher Bill Demirkapi has now got his hands on a forensic report Sitel commissioned from Mandiant, as well as the breach notification the company sent to its customers and partners.
This notification was shared with Wired and TechCrunch. It indicates that the hackers' initial access was through a VPN gateway from Sykes, a subsidiary acquired in 2021. It is likely that the hackers managed to steal a user's access to this network service. The sequence of events can be read in the forensic report that Bill Demirkapi published on Twitter. It shows that the intrusion was a real walk in the park.
The first connection was made on January 16 and the last on January 21. In between, the hackers proceeded methodically, step by step, but without really bothering with operational security. They used the Internet connection of the compromised workstations to download the hacking tools they needed from GitHub as they went. They downloaded and ran the Process Explorer and Process Hacker tools to identify the local FireEye security software and disable it. They also downloaded and ran Mimikatz to collect locally stored authentication tokens and increase their access privileges. This allowed them to access other machines on the network.
On one of the machines – stroke of luck – they discovered an Excel sheet with administrator passwords! It was obviously an export of data from the LastPass password manager. Using this information, the hackers were apparently able to quietly create their own administrator account, which they could log into later. In other words, it was a backdoor. The operation ended without a hitch with the creation of a rule forwarding mail from certain email accounts to hacker-controlled accounts. It's always good to be informed.
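The steps described above leave traces a defender can correlate per host. The following sketch is an added example, not taken from the Mandiant report or from the article; the event record layout, hostnames, paths and URLs are constructed assumptions.

```python
import re
from collections import defaultdict

# Stages named in the article, matched against simplified event records.
# The record layout (time, host, source, text) is an assumption, not a real log schema.
STAGES = [
    ("tool_download", "proc", re.compile(r"github\.com", re.I)),
    ("process_inspection", "proc",
     re.compile(r"\b(procexp(64)?|processhacker)\.exe", re.I)),
    ("credential_dumping", "proc", re.compile(r"mimikatz", re.I)),
    ("admin_account_created", "account",
     re.compile(r"added to .*administrators", re.I)),
    ("mail_forwarding_rule", "mail", re.compile(r"forward", re.I)),
]

# Constructed sample events (deliberately out of order); all values are placeholders.
EVENTS = [
    {"time": "2000-01-01T10:20", "host": "WS-01", "source": "proc",
     "text": r"C:\Temp\mimikatz.exe"},
    {"time": "2000-01-01T09:00", "host": "WS-07", "source": "proc",
     "text": "git.exe clone https://github.com/example-org/docs"},
    {"time": "2000-01-01T10:00", "host": "WS-01", "source": "proc",
     "text": r"curl.exe -L -o C:\Temp\t.zip https://github.com/example-org/example-tool/archive/main.zip"},
    {"time": "2000-01-01T10:10", "host": "WS-01", "source": "proc",
     "text": r"C:\Temp\procexp64.exe"},
    {"time": "2000-01-01T11:00", "host": "SRV-02", "source": "account",
     "text": "user 'helpdesk-adm2' added to group Administrators"},
    {"time": "2000-01-01T11:30", "host": "MAIL-01", "source": "mail",
     "text": "inbox rule created: forward to external address"},
]

def stages_by_host(events):
    """Return {host: [stage, ...]} with stages in first-seen time order."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        for name, source, pattern in STAGES:
            if (ev["source"] == source and pattern.search(ev["text"])
                    and name not in seen[ev["host"]]):
                seen[ev["host"]].append(name)
    return dict(seen)

def hosts_to_escalate(events, min_stages=3):
    """Hosts with credential dumping plus at least min_stages distinct stages."""
    return sorted(h for h, s in stages_by_host(events).items()
                  if "credential_dumping" in s and len(s) >= min_stages)

if __name__ == "__main__":
    for host, stages in stages_by_host(EVENTS).items():
        print(host, "->", ", ".join(stages))
    print("escalate:", hosts_to_escalate(EVENTS))
```

A lone GitHub download, as on the constructed host WS-07, is not escalated; the account and mail events show up under their own hosts and still deserve review on their own.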
In light of these documents, Bill Demirkapi puts his finger where it hurts. Why didn't Okta immediately launch an investigation in January? Why didn't it act even after it got Sitel's forensic report in March? Why were Sitel customers not immediately informed? These embarrassing questions obviously did not please Zoom, his employer, which asked him to withdraw his tweets. As he did not want to comply with this demand, he was fired.
Sources: Wired, TechCrunch