Lapsus$: Okta expresses its regrets


Okta has admitted it ‘made a mistake’ by not notifying customers sooner of a January security breach in which hackers gained access to the laptop of a customer support engineer working for a third-party contractor.

On March 22, the Lapsus$ group posted screenshots of Okta’s systems, taken from the laptop of a Sitel customer support engineer to which the hackers had gained remote access on January 20.

“We recognize that we made a mistake. Sitel is our service provider for which we are ultimately responsible. As of January, we did not know the extent of Sitel’s problem – only that we had detected and prevented an account takeover attempt and that Sitel had retained the services of a third-party forensic firm to investigate. At that time, we did not recognize that there was a risk to Okta and our customers. We should have more actively and forcefully demanded information from Sitel,” Okta admits in an FAQ published last Friday under the title “Why didn’t Okta inform its customers in January?”

366 customers affected

On January 20, Okta noticed an attempt to access its network directly using the account of a Sitel employee. The attempt was detected and blocked by Okta, which then notified Sitel. Other than this access attempt, there is no other evidence of suspicious activity on Okta’s systems, the company said.

Okta is a leading provider of enterprise identity and access management software. According to the company, only 366 customers, or about 2.5% of its customer base, were affected. However, questions have been raised about why customers were not made aware of the incident sooner.

In its FAQ, Okta explains: “In light of the evidence we have gathered over the past week, it is clear that we would have made a different decision had we been in possession of all the facts we have today.”

The company provided a detailed timeline of events from January 20 – when it received an alert that a new factor had been added to a Sitel employee’s Okta account – until March 22, when Lapsus$ posted the screenshots.

A different account of events

Sitel hired a forensic firm to investigate the intrusion on January 21, and the investigation concluded on February 28. According to articles published by TechCrunch and Wired, this firm is Mandiant, the threat intelligence company that Google recently announced it is acquiring. Portions of the report were also shared with journalists from both publications.

According to Wired, the intrusion into Sitel’s internal network actually dates back to January 16: on that date the company detected a security incident on a network belonging to one of its subsidiaries, Sykes. The attackers reportedly then used this initial access to move laterally within the compromised network and up into the Sitel network.

Among other findings, the report indicates that on January 21 the attackers accessed an Excel spreadsheet named “DomAdmins-LastPass.xlsx”. According to TechCrunch, this appears to be an export of domain administrator passwords from the LastPass password manager.

Five hours after accessing this file, the attackers created a new administrator account on the network, allowing them to retain access even if the account they had initially used was reset.
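Two of the signals in this timeline are routinely visible in identity-provider audit logs: the new MFA factor added to the Sitel employee’s Okta account on January 20 (the alert Okta says it received) and a privilege grant or new admin account appearing hours after the first anomaly. The following added example (written for this article, not Okta’s, Sitel’s or Mandiant’s code) shows one way to flag both from a stream of audit events. The event type names follow Okta System Log naming; the flattened record layout and all sample records are this example’s own constructed assumptions.

```python
"""Flag MFA-factor enrollment from an unfamiliar IP, then privilege grants that follow it.

Constructed sample data only: nothing here is a real Okta, Sitel or Lapsus$ record.
"""
from datetime import datetime, timedelta, timezone

# Event type names follow Okta System Log naming; the flattened record shape
# (actor / ip / target as plain strings) is an assumption made for this example.
FACTOR_ENROLL = "user.mfa.factor.activate"
PRIV_GRANT = "user.account.privilege.grant"

# Constructed events: a support engineer's account logs in from a never-seen IP,
# enrolls a new MFA factor two minutes later, and grants admin rights to a new
# account about five hours on. A second user enrolls a factor from an IP she has
# used for days (benign, should not be flagged).
SAMPLE_EVENTS = [
    {"published": "2022-01-15T08:30:00Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "ip": "203.0.113.10", "target": ""},
    {"published": "2022-01-18T09:02:11Z", "eventType": "user.session.start",
     "actor": "support-eng@example.com", "ip": "203.0.113.25", "target": ""},
    {"published": "2022-01-20T10:00:00Z", "eventType": FACTOR_ENROLL,
     "actor": "alice@example.com", "ip": "203.0.113.10", "target": "alice@example.com"},
    {"published": "2022-01-20T14:21:03Z", "eventType": "user.session.start",
     "actor": "support-eng@example.com", "ip": "198.51.100.77", "target": ""},
    {"published": "2022-01-20T14:23:30Z", "eventType": FACTOR_ENROLL,
     "actor": "support-eng@example.com", "ip": "198.51.100.77",
     "target": "support-eng@example.com"},
    {"published": "2022-01-20T19:10:12Z", "eventType": PRIV_GRANT,
     "actor": "support-eng@example.com", "ip": "198.51.100.77",
     "target": "svc-backup@example.com"},
]


def _ts(event):
    """Parse the ISO-8601 'published' timestamp into an aware UTC datetime."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def new_factor_from_unfamiliar_ip(events, familiarity=timedelta(days=1)):
    """Return factor-enrollment events whose source IP the actor first used
    less than `familiarity` before the enrollment (including never before).

    Tracking first-seen time per (actor, ip) rather than a plain 'seen' set
    matters: an attacker who logs in and enrolls a factor minutes later has
    already made the IP 'seen' by the time the enrollment event arrives.
    """
    first_seen = {}  # (actor, ip) -> first timestamp observed for that pair
    flagged = []
    for ev in sorted(events, key=_ts):
        key = (ev["actor"], ev["ip"])
        t = _ts(ev)
        first_seen.setdefault(key, t)
        if ev["eventType"] == FACTOR_ENROLL and t - first_seen[key] < familiarity:
            flagged.append(ev)
    return flagged


def privilege_grant_after_alert(events, alerts, window=timedelta(hours=24)):
    """Return privilege-grant events performed by an already-alerted actor
    within `window` after that actor's alert (the persistence step)."""
    alert_times = {}
    for a in alerts:
        alert_times.setdefault(a["actor"], []).append(_ts(a))
    hits = []
    for ev in sorted(events, key=_ts):
        if ev["eventType"] != PRIV_GRANT:
            continue
        for alert_t in alert_times.get(ev["actor"], []):
            if timedelta(0) <= _ts(ev) - alert_t <= window:
                hits.append(ev)
                break
    return hits


def triage(events):
    """Run both detections and return the findings keyed by rule name."""
    alerts = new_factor_from_unfamiliar_ip(events)
    return {
        "new_factor_unfamiliar_ip": alerts,
        "privilege_grant_after_alert": privilege_grant_after_alert(events, alerts),
    }


if __name__ == "__main__":
    for rule, findings in triage(SAMPLE_EVENTS).items():
        for ev in findings:
            print(f"{rule}: {ev['published']} {ev['actor']} -> {ev['target']} from {ev['ip']}")
```

Alerting on every factor enrollment is noisy; the first-seen-IP baseline is what turns the raw event into an actionable alert, and chaining the privilege grant to an already-alerted actor is what would have surfaced the persistence step described above within hours rather than weeks.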

A minimized security incident

The report also indicates that Sitel notified its customers on January 25 of a possible security incident. Wired notes that Sitel appears to have downplayed the impact of the intrusion, stating in particular that it had detected no indicators of compromise or malware on its network.

The forensic report delivered to Sitel is dated March 10. Okta received a summary of it on March 17, according to the timeline it shared.

After the screenshots were released, Okta Chief Security Officer David Bradbury said he was “disappointed with the delay between our notification to Sitel and the publication of the full investigation report.”

Source: ZDNet.com
