Okta says Lapsus$ incident was actually a brilliant zero trust demonstration

Once former supplier Sitel coughed up its logs, it became apparent the attacker was hemmed in


Okta has completed its analysis of the March 2022 incident in which the Lapsus$ extortion crew got a glimpse at some customer information, and concluded that its implementation of zero trust techniques foiled the attack.

So said Brett Winterford, Asia-Pacific and Japan chief security officer of the identity-management-as-a-service vendor, at the Gartner Risk and Security Summit in Sydney today.

Winterford explained that the incident started in January when an Okta analyst observed a support engineer at Sitel – Okta's (former) outsourced customer service provider – attempting to reset a password to Okta's systems from outside the expected network range, without attempting to fulfil a multifactor authentication challenge. The request sent the reset email to a Sitel email address managed under Microsoft 365, and was made from the attacker's own kit. That last item was highly unusual: Okta can see authentication requests made using the VMs Sitel used to provide support services, but it cannot see inside Sitel's Microsoft 365.
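The two signals the Okta analyst acted on in that paragraph, a password reset request from outside the expected network range and no fulfilled MFA challenge, are the kind of thing a detection rule can score automatically. The following is an added example, not Okta's or Sitel's code: the JSON-lines audit schema, field names, account names and the network ranges are all constructed for illustration.

```python
"""Flag password reset requests that fail zero-trust checks.

Added example, not Okta's or Sitel's code. The log format, field names
and expected network ranges below are constructed for illustration.
"""
import ipaddress
import json

# Assumption: the support provider's VDI egress ranges are known to the
# identity platform (constructed documentation ranges, not real ones).
EXPECTED_RANGES = [ipaddress.ip_network(r) for r in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed JSON-lines audit events; the schema is hypothetical.
SAMPLE_LOG = """\
{"ts":"2022-01-20T09:12:01Z","event":"user.password.reset_request","actor":"support01","src_ip":"203.0.113.45","mfa_satisfied":true}
{"ts":"2022-01-20T09:30:44Z","event":"user.session.start","actor":"support02","src_ip":"203.0.113.77","mfa_satisfied":true}
{"ts":"2022-01-20T22:03:19Z","event":"user.password.reset_request","actor":"support01","src_ip":"192.0.2.10","mfa_satisfied":false}
{"ts":"2022-01-20T22:05:02Z","event":"user.password.reset_request","actor":"support03","src_ip":"198.51.100.9","mfa_satisfied":false}
"""


def in_expected_range(ip: str) -> bool:
    """True when the source address falls inside one of the known ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_RANGES)


def reasons(event: dict) -> list:
    """Return the checks a reset request fails; empty for other events or clean requests."""
    if event["event"] != "user.password.reset_request":
        return []
    out = []
    if not in_expected_range(event["src_ip"]):
        out.append("source outside expected network range")
    if not event["mfa_satisfied"]:
        out.append("MFA challenge not fulfilled")
    return out


def suspicious_resets(log_text: str, min_signals: int = 1) -> list:
    """Return reset requests failing at least min_signals checks, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        failed = reasons(event)
        if len(failed) >= min_signals:
            hits.append({"ts": event["ts"], "actor": event["actor"],
                         "src_ip": event["src_ip"], "reasons": failed})
    return hits


def suspend_candidates(log_text: str) -> set:
    """Actors whose reset request fails both checks at once, as in the article."""
    return {h["actor"] for h in suspicious_resets(log_text, min_signals=2)}


if __name__ == "__main__":
    for hit in suspicious_resets(SAMPLE_LOG):
        print(hit)
    print("suspend:", sorted(suspend_candidates(SAMPLE_LOG)))
```

Run against the constructed log, the rule reports two requests: the one from 192.0.2.10 fails both checks and is the only suspension candidate, while the request from inside the range that merely skipped MFA is surfaced for review rather than auto-suspended. Treating the combination as the high-confidence signal is what keeps a single false positive from locking out a legitimate engineer.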

Okta therefore suspended the user and inquired about any issues at Sitel, which admitted to compromise of an Active Directory account.

"We initially took their word that this compromised account had been contained very quickly, and that there was zero impact to Okta or its customers," Winterford recalled.

Once Lapsus$ published its screenshots, Okta came to feel that there was more to the incident than had first been apparent.

In Winterford's telling, further analysis revealed that after the password reset attempt against a Sitel worker failed, the attacker kept trying and found a thin client solution on Sitel's network.

"This thin client solution had been configured to allow remote sessions to be monitored by administrators on that network, to the degree that they could also interact with the mouse and keyboard of that remote session if they chose," Winterford explained, adding that the screenshots Lapsus$ published showed the thin client environment. "We now assess that the threat actor must have compromised this thin client environment in some way and was able to covertly monitor the remote sessions of Sitel staff and potentially use the remote control capability of that tool."

The actor was able to view and interact with apps that the legitimate support engineer had already authenticated to – but couldn't just take over, as that would be an obvious red flag.


Okta's assessment is that when a support engineer stepped away from their desk, leaving the session connected to Okta's support environment accessible, the threat actor took the screenshots Lapsus$ published.

"They were able to view and interact with that [thin client] session for about 25 minutes," Winterford explained. "During those 25 minutes, they ran searches in our customer support tool that returned results to your customers. And we can see from our logs that the threat actor clicked on a few features in the customer support tool, none of which really furthered their position."

"They tried to access the admin console of one customer, but that would have required the consent in the admin console of that customer from their administrator, so that was unsuccessful," he added.

"They could potentially have done password and MFA resets, but they would have had to have access to the target inbox of the user that they were resetting."

"They also tried to open other applications from the Okta dashboard, but that didn't work for them either."

"So basically, you've got a threat on the Sitel network for five or six days undetected until they tried to leverage that position to compromise Okta. And then in a bit of a last ditch scramble they've found a workaround and they've tried for 25 minutes to abuse that position and not been particularly successful."


Winterford asserted that the event shows that zero trust security – and Okta's implementation of it – worked.

Multifactor authentication repelled the attack and prevented takeover of the Sitel engineer's Okta account, then the customer support tool required extra authentication to access tools that would have allowed the attacker to work with more privileges than those afforded to an outsourced support engineer.

"The threat actor couldn't really successfully perform any configuration changes or MFA or password resets and finally, when the threat actor opened the Okta dashboard to try and access more applications, they were presented with a step up authentication they were unable to bypass."
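The control Winterford describes is per-request authorization: a session that has already authenticated gets no standing privilege, and sensitive actions demand a fresh MFA challenge that someone merely watching or driving the session cannot satisfy. Below is an added illustration of that pattern; it is not Okta's policy engine or API, and the resource names, freshness windows, tenant-consent rule and session fields are assumptions chosen to mirror the article's scenario.

```python
"""Per-request step-up authentication, as an added illustration of the
control described above. This is not Okta's policy engine; resource names,
freshness windows and session fields are assumptions made for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_REQUIRED = "step_up_required"            # fresh MFA needed first
    DENY_CONSENT_REQUIRED = "deny_consent_required"  # customer admin has not granted access


@dataclass
class Session:
    user: str
    authenticated_at: datetime          # when the primary login completed
    last_mfa_at: Optional[datetime]     # most recent fulfilled MFA challenge
    customer_consents: set = field(default_factory=set)  # tenants whose admins granted access


# Hypothetical policy table: resource -> (max age of last MFA, tenant consent required)
POLICY = {
    "support_tool_search":    (timedelta(hours=8), False),
    "okta_dashboard_app":     (timedelta(minutes=5), False),
    "password_or_mfa_reset":  (timedelta(minutes=5), False),
    "customer_admin_console": (timedelta(minutes=5), True),
}


def evaluate(session: Session, resource: str, now: datetime,
             tenant: Optional[str] = None) -> Decision:
    """Decide each request on its own; an existing session carries no standing privilege."""
    max_mfa_age, consent_required = POLICY[resource]
    if consent_required and tenant not in session.customer_consents:
        return Decision.DENY_CONSENT_REQUIRED
    mfa_fresh = session.last_mfa_at is not None and now - session.last_mfa_at <= max_mfa_age
    if not mfa_fresh:
        return Decision.STEP_UP_REQUIRED
    return Decision.ALLOW


def fulfil_step_up(session: Session, now: datetime) -> None:
    """Record a freshly satisfied MFA challenge. Only the holder of the enrolled
    authenticator can complete this; an observer of the session cannot."""
    session.last_mfa_at = now


def scenario(minutes_elapsed: int, stepped_up: bool = False,
             consents: frozenset = frozenset()) -> dict:
    """Replay the article's situation with constructed timestamps: a session
    authenticated with MFA at t0, then used minutes_elapsed later."""
    t0 = datetime(2022, 1, 21, 10, 0, tzinfo=timezone.utc)
    session = Session("support-engineer", authenticated_at=t0, last_mfa_at=t0,
                      customer_consents=set(consents))
    now = t0 + timedelta(minutes=minutes_elapsed)
    if stepped_up:
        fulfil_step_up(session, now)
    return {r: evaluate(session, r, now, tenant="customer-a").value for r in POLICY}


if __name__ == "__main__":
    for resource, decision in scenario(25).items():
        print(f"{resource:24s} {decision}")
```

With the session 25 minutes old and nobody able to answer a new challenge, searches in the support tool still succeed, which matches what the attacker managed, while opening dashboard apps, performing resets and reaching a customer's admin console are all refused. The consent check sits outside the MFA freshness check on purpose: even a legitimately stepped-up engineer cannot enter a tenant's admin console unless that tenant's administrator has granted access.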

"Within a few hours of those screenshots, we double- and triple-checked our authentication logs," Winterford said. "There'd been no password or MFA recent events" or other activity Okta felt indicated the attack had gone any further than shoulder surfing the thin client session.

Okta shared its own logs with those customers whose data the support engineer could conceivably have viewed. Winterford said customers were satisfied they had been safe.

Sitel took "about two weeks" to produce its logs of the thin client environment.

"With those logs in hand, we could very quickly wrap up the investigation," Winterford said.

Okta was not satisfied with Sitel's actions and has parted ways with the company over the incident, but does not blame Sitel for the incident.

The identity management vendor has made other changes, too. Its new support crew uses Okta-managed devices – an arrangement Winterford said is expensive but necessary. It's intended to give the company confidence that it has the observability needed to detect and prevent future incidents – and to do so inside eight hours, rather than the two to three weeks it took to unpick the Lapsus$ incident.

Changes to incident response are also in the works. Winterford said Okta acknowledges its initial response to Lapsus$'s allegations made it possible to conclude Okta was not taking responsibility for the situation.

On the contrary, Winterford said, Okta's position is "we 100 percent own this, irrespective of any commercial relationships with our suppliers." ®
