Identity provider Okta, which thousands of companies worldwide use to give employees access to systems, ignored signals that their environment had been compromised, security researcher says Bill Demirkapic based on research documents from security company Mandiant. Demirkapi shared the documents via Twitter.
Recently, attackers from the Lapsus$ group posted screenshots to the Internet showing that they had access to an Okta support representative’s account, including resetting passwords. On March 22, Okta issued a four-line statement that a support engineer’s account had been compromised and the screenshots shown were related. Furthermore, Okta appeared to be a minor incident that was under control.
No further details were given. Later that day, Okta issued an additional statement that 366 customers may have been affected by the attack. Despite the potential impact, Okta argued that customers were not required to take corrective action. Internet company Cloudflare, which was one of the affected customers, did take action and reset the passwords of employees.
On March 25, Okta published a timeline showing that the company discovered the compromised account on January 20. However, customers were not warned for two months. On March 17, Okta received the report from the third party for whom the support engineer works. This company, Sitel, provides customer support for Okta. Still, customers were still not warned. Only after the attackers published the screenshots did the identity provider come out with a statement to customers.
The attackers said in a response to the statement that the impact is much greater than Okta suggests. For example, they say they could have reset the passwords and multi-factor authentication of 95 percent of the customers. In addition, the compromised support engineer would have access to 8600 Slack channels. Okta’s statements were also strongly criticized from other quarters.
The documents Demirkapi shared via Twitter shows how the attackers went about their business, using out-of-the-box tools from GitHub for the majority of their attacks. In addition, the attackers found an Excel document called “DomAdmins-LastPass.xls” that allowed them to add backdoor users to Sitel’s environment. Furthermore, the attackers added forwarding rules so that email to certain accounts was forwarded to them.
“You knew that a machine from one of your customer support providers was compromised in January. Why didn’t you investigate this?” Demirkapi asks Okta. The researcher adds that the ability to detect an attack is meaningless if left unresponsive. “Even when Okta received the Madiant report in March detailing the attack, they ignored signs that their environment had been compromised until Lapsus$ put their inactivity in the spotlight.” In an FAQ about the incident, Okta said it made a mistake by failing to warn customers in January.