Okta hack: Sitel subcontractor singled out


Sitel is said to be the third party responsible for the recent security incident suffered by Okta.

This Wednesday, David Bradbury, head of security at Okta, said on this subject that the incident was “a source of embarrassment for myself and the entire Okta team”.

Screenshots of the intrusion

As a reminder, the cybercriminal group Lapsus$ published screenshots earlier this week that seem to indicate that it has gained access to “Okta.com Superuser/Admin and various other systems”. Following this incident, the authentication services company announced that an internal investigation was underway.

According to Okta, the intrusion could have taken place within a window of five days. “The forensic firm’s report highlighted that there was a window of five days, between January 16 and January 21, 2022, during which cyberattackers had access to the Sitel environment, which we validated with our own analysis,” says David Bradbury.

According to him, a customer service engineer’s laptop was the source of the intrusion, and the device was “owned and managed by Sitel”. Sitel is an Okta contractor.

Remote access

David Bradbury said the attackers used remote desktop protocol (RDP) to access the laptop.

To explain what happened, Okta’s security chief used the analogy of a user “walking away from his computer in a coffee shop”, and a “stranger who sits (virtually in this case) in front of his machine, using the mouse and the keyboard”.

“So while the attacker never gained access to the Okta service via account takeover, a machine that was connected to Okta was compromised and they were able to obtain screenshots and control the machine via the RDP session,” he adds.

Attempt to hijack multi-factor authentication

After analyzing 125,000 login entries, the company says up to 366 customers may have been impacted.

An alert was issued on January 20 after an attempt to enrol a new multi-factor authentication factor on the Sitel support engineer’s account. David Bradbury says that after “a few minutes” the Okta sessions were terminated, pending an investigation. He also clarifies that the “attempt” to register a new device for multi-factor authentication “failed”.

A day later, indicators of compromise (IoCs) were shared by Okta with Sitel, who also engaged investigative assistance. Okta later received a summary of the incident, but the full report wasn’t released until yesterday.

“Severely limited” access

David Bradbury wanted to reassure users: the “Superuser” mode displayed on the screenshots does not allow “divine” access. In other words, support engineers can only use their accounts for “basic tasks and handling incoming support requests”.

He therefore explains that, even though the cyberattackers had access to the Sitel environment, they were “heavily limited”, adding that “we believe that no corrective action should be taken by customers”.

However, for the sake of “transparency”, affected customers will receive an incident report, which, according to the security chief, “will only strengthen our commitment to security”.

“We will continue to work tirelessly to ensure that you have a reliable and secure Okta service,” he adds.

Sitel’s reaction

“Following a security breach that occurred in January 2022 affecting parts of Sykes’ network, we took prompt action to contain the incident and protect all potentially affected customers,” a spokesperson for Sykes, part of the Sitel group, told ZDNet.

The spokesperson adds that action has been taken by the group’s security and technology teams around the world, and that a “global cybersecurity leader has been engaged to carry out an immediate and full investigation into the matter”.

“Following this investigation, as well as our continuous assessment of external threats, we are convinced that there is no longer a security risk,” he reassures.

Source: ZDNet.com