Access management company Okta reports the results of its investigation into the damage caused by the international hacker group 'LAPSUS$'



The international hacker group 'LAPSUS$' is known for breaching companies such as NVIDIA, Samsung, and Microsoft, and in January 2022 it also compromised Okta, which provides access management services to businesses. Okta's response was criticized as downplaying the damage, but Okta has now published the final findings of its investigation into the incident.

Okta Concludes its Investigation Into the January 2022 Compromise | Okta
https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/

Okta says Lapsus $ breach lasted 25 minutes, impacted two customers | VentureBeat
https://venturebeat.com/2022/04/19/okta-says-lapsus-breach-lasted-25-minutes-impacted-two-customers/

Okta Inc. Concludes Investigation of January Data Breach --MarketWatch
https://www.marketwatch.com/story/okta-inc-concludes-investigation-of-january-data-breach-271650406299

On March 22, 2022, a screenshot posted to a Telegram channel by a LAPSUS$ member, purporting to show access to Okta's internal administrative panel, began circulating on social media. In response to the tweet, Okta CEO Todd McKinnon confirmed the incident, saying, 'In late January 2022, we detected an attempt to compromise the account of a third-party customer support engineer who was a contractor.' Okta's Chief Security Officer, David Bradbury, meanwhile stated that the Okta service itself had not been breached and remained fully operational, and that there had been no serious damage. These responses drew criticism along the lines of 'Okta is trying to downplay the attack as much as possible' and 'customers should be more vigilant.'

Hacker group 'LAPSUS$', which has attacked many large companies and attracted attention, found to have breached access management company Okta - GIGAZINE



In a blog post on April 19, about a month after the breach came to light, Bradbury reported the final findings, stating, 'We have completed our investigation into the January 2022 third-party vendor compromise.' The investigation was carried out by 'in-house security experts and a globally recognized cybersecurity firm.'

According to Bradbury, the intrusion came through a customer support engineer employed by a third-party vendor called Sitel. At the start of the investigation, the attacker was assessed to have potentially accessed up to 366 customer tenants over a five-day window from January 16 to 21 via the support engineer's account.

Subsequent investigation, however, showed that the actual impact was far smaller than the worst case initially assumed. Specifically, the attacker controlled the support engineer's account for only about 25 minutes on January 21, and only two customer tenants were accessed. Bradbury says Okta has contacted both affected customers individually.

Regarding the actions taken by the attacker, Bradbury stated that 'the threat actor viewed limited additional information in applications such as Slack and Jira that cannot be used to perform actions in Okta customer tenants,' that 'the threat actor was unable to perform any configuration changes, MFA or password resets,' and that 'the threat actor was unable to authenticate directly to any Okta account,' concluding that the overall impact of the breach was smaller than originally expected.
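As a customer-side check for the kind of access described above, the following is an added example written for this page; it is not Okta's code and does not come from the article or from Okta's report. It triages Okta System Log records for support-impersonation sessions and for password or MFA reset attempts inside the January 16 to 21 window the article gives. The event type names (`user.session.impersonation.*`, `user.account.reset_password`, `user.mfa.factor.reset_all`) follow Okta's System Log schema as the author of this example understands it; the log entries themselves are constructed for illustration and are not real data.

```python
"""Triage Okta System Log entries for support-side access in a given window.

Added example, not Okta's code. Event type names follow Okta's System Log
schema as understood by the author of this example; the records in
SAMPLE_LOG are constructed, not real data.
"""
import json
from datetime import datetime, timezone

# Okta support staff opening/closing a session in a customer tenant.
IMPERSONATION_PREFIX = "user.session.impersonation."
# The actions Okta says the actor attempted but could not complete.
SENSITIVE_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}

# Window from the article: January 16 to 21, 2022 (end bound exclusive).
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)

# Constructed records shaped like Okta System Log entries (illustration only).
SAMPLE_LOG = [
    {"published": "2022-01-12T08:00:00.000Z", "eventType": "user.session.impersonation.initiate",
     "actor": {"alternateId": "support.engineer@vendor.example"}, "outcome": {"result": "SUCCESS"},
     "target": []},  # outside the window: must be ignored
    {"published": "2022-01-19T13:00:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@customer.example"}, "outcome": {"result": "SUCCESS"},
     "target": []},  # ordinary user login, benign noise
    {"published": "2022-01-21T10:02:11.000Z", "eventType": "user.session.impersonation.initiate",
     "actor": {"alternateId": "support.engineer@vendor.example"}, "outcome": {"result": "SUCCESS"},
     "target": []},
    {"published": "2022-01-21T10:09:40.000Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "support.engineer@vendor.example"}, "outcome": {"result": "FAILURE"},
     "target": [{"type": "User", "alternateId": "alice@customer.example"}]},
    {"published": "2022-01-21T10:15:03.000Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "support.engineer@vendor.example"}, "outcome": {"result": "FAILURE"},
     "target": [{"type": "User", "alternateId": "alice@customer.example"}]},
    {"published": "2022-01-21T10:27:55.000Z", "eventType": "user.session.impersonation.end",
     "actor": {"alternateId": "support.engineer@vendor.example"}, "outcome": {"result": "SUCCESS"},
     "target": []},
]


def parse_published(ts):
    """Okta timestamps are RFC 3339 with a trailing Z; give fromisoformat an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def impersonation_sessions(events):
    """Pair each impersonation 'initiate' with the next 'end' by the same actor.

    Returns (actor, duration_seconds) tuples; duration is None for a session
    with no matching end (still open, or the log export is truncated).
    """
    open_sessions, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["published"]):
        actor = ev["actor"]["alternateId"]
        kind = ev["eventType"][len(IMPERSONATION_PREFIX):]
        when = parse_published(ev["published"])
        if kind == "initiate":
            open_sessions[actor] = when
        elif kind == "end" and actor in open_sessions:
            sessions.append((actor, int((when - open_sessions.pop(actor)).total_seconds())))
    sessions.extend((actor, None) for actor in open_sessions)
    return sessions


def triage(events, start, end):
    """Summarise support-impersonation sessions and sensitive actions within [start, end)."""
    impersonation, sensitive = [], []
    for ev in events:
        when = parse_published(ev["published"])
        if not (start <= when < end):
            continue
        if ev["eventType"].startswith(IMPERSONATION_PREFIX):
            impersonation.append(ev)
        elif ev["eventType"] in SENSITIVE_EVENTS:
            sensitive.append(ev)
    return {
        "sessions": impersonation_sessions(impersonation),
        "sensitive_attempted": len(sensitive),
        "sensitive_succeeded": sum(1 for ev in sensitive if ev["outcome"]["result"] == "SUCCESS"),
        # Users whose credentials/factors were targeted, successful or not.
        "sensitive_targets": sorted({t["alternateId"] for ev in sensitive
                                     for t in ev["target"] if t.get("type") == "User"}),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, WINDOW_START, WINDOW_END), indent=2))
```

On the constructed sample this reports one impersonation session of 1544 seconds (about 25 minutes) and two failed reset attempts against one user, with nothing succeeding, which is the shape of outcome the article describes. In practice the records would come from the System Log API or an export, and a failed reset attempt against a real tenant still warrants contacting the affected user even when nothing succeeded.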



Although the actual damage was limited, Bradbury said, 'We understand that a breach of this kind can seriously damage the trust of our customers and of Okta,' and acknowledged that there were problems in how the incident was handled. As a result, Okta says it has provided all potentially affected customers with 'the final forensic report produced by a global cybersecurity forensics firm' and 'Okta's security action plan to strengthen third-party security.'

In response to the incident, Okta says it will revise its security requirements for third-party contractors, adopt a zero-trust security architecture, and terminate its contract with Sitel, the compromised contractor.

in Security, Posted by log1h_ik