Okta compromised by vendor vulnerabilities – Security

A leaked post-mortem report has revealed that the high-profile breach of security and authentication provider Okta happened due to serious vulnerabilities at one of the company’s third-party providers.

Chief among these flaws appears to be a Microsoft Excel spreadsheet named “DomAdmins-LastPass.xlsx”, which the Lapsus$ attacker found on a computer system at Sykes Enterprises, a company owned by Sitel that provides outsourced customer support for Okta.

LastPass is a popular password manager, and the filename suggests that credentials stored in it may have been exported to an Excel spreadsheet.

The spreadsheet’s filename appears in documents prepared by Mandiant and posted on social media by security researcher Bill Demirkapi.

The documents also appear to show that the Lapsus$ hacker used the credentials to create backdoor users in Sitel’s IT environment.

Demirkapi notes that the Mandiant documents show that Lapsus$ began investigating the computer it compromised on January 19 of this year “with little regard for OPSEC.”

For most of their attacks, the Lapsus$ hacker used off-the-shelf tools from the GitHub open-source code repository, such as Process Hacker and Process Explorer, which were used to bypass the FireEye endpoint security agent by terminating it.

After the FireEye agent was terminated, the hacker used the Mimikatz tool to extract system credentials and reach additional systems.

Lapsus$ also set up email forwarding for all messages within Sitel to accounts controlled by the attacker.

Sitel discovered the hack on January 21 and reset passwords for the entire company to secure their systems.

However, it appears that Lapsus$ had access to Sitel systems for five days starting January 21.

Okta has confirmed the breach, admitting that up to 366 enterprise customers were affected, but it did not notify them until March 22 (U.S. time), after receiving Sitel’s Mandiant report.

The authentication company has admitted it made a mistake by not notifying customers in January, saying it did not know the extent of Sitel’s problem at the time.

“In January, we didn’t know the extent of the Sitel problem – only that we had detected and prevented an account takeover attempt and that Sitel had hired a third-party forensic firm to investigate,” Okta said in an FAQ.

“At the time, we didn’t realize there was a risk to Okta and our customers. We should have been more active and vigorous in enforcing information from Sitel.

“Given the evidence we have gathered over the past week, it is clear that we would have made a different decision if we had had all the facts we have today.”

City of London Police have arrested seven people, aged between 16 and 21, suspected of being members of the hacking group Lapsus$.

Source: https://www.itnews.com.au/news/okta-compromised-by-suppliers-security-lapses-578005?utm_source=feed&utm_medium=rss&utm_campaign=iTnews+

Jessica MacLeish
