Lapsus$ hackers exploited Okta supplier's security lapses


Allegedly found spreadsheet with login credentials.

A leaked post mortem report has revealed that the high-profile compromise of security and authentication provider Okta took place because of serious security lapses at one of the company's third-party service providers.


Chief among these lapses appears to be a Microsoft Excel spreadsheet named "DomAdmins-LastPass.xlsx" which the Lapsus$ attacker found on a computer system at Sitel-owned Sykes Enterprises, which provides outsourced customer support for Okta.

LastPass is a popular password manager, and the file name indicates that credentials stored in the authentication software may have been exported to an Excel spreadsheet.

The file name of the spreadsheet is contained in documents prepared by Mandiant that were posted by offensive security researcher Bill Demirkapi on social media.

The documents also purport to show that the Lapsus$ hacker used the credentials to create backdoor users in Sitel's IT environment.

Demirkapi notes that the Mandiant documents show that Lapsus$ started reconnaissance on the computer it had compromised on January 19 this year, "with little regard for OPSEC".

The Lapsus$ hacker used off-the-shelf tools from the open source code repository GitHub for most of their attacks, such as Process Hacker and Process Explorer, which were used to bypass the FireEye endpoint security agent by terminating it.

After the FireEye agent was terminated, the hacker used the Mimikatz tool to dump system credentials for use against further systems.

Lapsus$ also set up email forwarding for all messages within Sitel, to accounts controlled by the attacker.

Sitel discovered the hack on January 21, and reset passwords for the entire company in an effort to secure their systems.

It appears, however, that Lapsus$ had access to Sitel systems for five days starting January 21.

Okta has confirmed the breach and admitted that up to 366 corporate customers were affected by it, but it did not alert them until March 22 United States time, after receiving the Mandiant report from Sitel.

The authentication company has acknowledged it made a mistake by not notifying customers in January, saying it didn't know the extent of the Sitel issue.

"In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate," Okta said in an FAQ.

"At that time, we didn’t recognise that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel.

"In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today."

City of London Police have arrested seven people aged between 16 and 21, suspected of being members of the Lapsus$ hacking group.

Copyright © iTnews.com.au . All rights reserved.