Shares in identity and access management company Okta Inc. dropped today as it provided more details about the company’s data breach, as the mastermind behind the Lapsus$ ransomware gang that had taken credit for the data breach was reported to be a 16-year-old boy from the U.K.
As reported yesterday, both Okta and Microsoft Corp. were targeted by Lapsus$. In Okta’s case, screenshots of internal Okta information were shared on Telegram late Monday.
Okta has confirmed that there was a breach and Chief Security Officer David Bradbury has shared a full rundown of what occurred, including a complete timeline of what happened and when.
Bradbury went through when Okta first became aware of a compromise, and the story starts on Jan. 20 at 11:18 p.m. The company received an alert that a new factor was added to a Sitel Group employee’s Okta account from a new location. Sitel is one of several companies that Okta employs as a “sub-processor” to provide customer support.
Within 28 minutes of the initial alert, the change of details was escalated to a security incident. By 12:28 a.m. Jan. 21, the Okta service desk terminated the user’s Okta sessions and suspended the account. Later the same day, Okta shared the details with Sitel, which then said it had retained outside support from a leading forensics firm.
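The detection that started this timeline, a new MFA factor enrolled from a location never seen in that user’s earlier sign-ins, can be expressed as a rule over sign-in and factor-enrollment events. The example below is added here and is not Okta’s or the article’s code; the sample events are constructed, and the field names and event type strings are assumptions about a System-Log-style layout rather than a documented schema.

```python
from collections import defaultdict

# Constructed sample events in a System-Log-style layout (assumed field names).
# The engineer signs in from one location, then a factor is enrolled elsewhere.
EVENTS = [
    {"published": "2022-01-19T09:02:00Z", "eventType": "user.session.start",
     "actor": "engineer@example.test", "country": "AA", "city": "Home City"},
    {"published": "2022-01-20T10:15:00Z", "eventType": "user.session.start",
     "actor": "engineer@example.test", "country": "AA", "city": "Home City"},
    {"published": "2022-01-20T23:18:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "engineer@example.test", "country": "XX", "city": "Unseen City"},
    {"published": "2022-01-20T23:20:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "colleague@example.test", "country": "AA", "city": "Home City"},
    {"published": "2022-01-18T08:00:00Z", "eventType": "user.session.start",
     "actor": "colleague@example.test", "country": "AA", "city": "Home City"},
]

SIGN_IN = "user.session.start"          # assumed event type for a successful sign-in
FACTOR_ENROLL = "user.mfa.factor.activate"  # assumed event type for a new MFA factor


def detect_new_factor_from_new_location(events):
    """Walk events chronologically; alert on factor enrollments whose location
    is absent from the actor's sign-in history up to that moment.

    A user with no prior sign-ins at all also triggers an alert, since an
    enrollment with no baseline is exactly the case a reviewer should see."""
    seen = defaultdict(set)  # actor -> set of (country, city) seen in sign-ins
    alerts = []
    for e in sorted(events, key=lambda ev: ev["published"]):
        loc = (e["country"], e["city"])
        if e["eventType"] == SIGN_IN:
            seen[e["actor"]].add(loc)
        elif e["eventType"] == FACTOR_ENROLL and loc not in seen[e["actor"]]:
            alerts.append({
                "actor": e["actor"],
                "when": e["published"],
                "location": loc,
                "known_locations": sorted(seen[e["actor"]]),
                # Response mirrors the article's timeline: sessions ended, account held.
                "recommended_action": "terminate sessions; suspend account pending review",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_factor_from_new_location(EVENTS):
        print(alert)
```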
The forensics firm delivered a report to Sitel on March 10, with a summary report sent to Okta on March 17. Then, things took a turn, as Lapsus$ shared screenshots on March 22. Sitel then delivered the full report to Okta later the same day.
Following the back and forth, Okta ascertained that the screenshots had been taken from a Sitel support engineer’s computer. The engineer’s computer had been remotely accessed by an attacker using remote desktop protocol. Okta noted that though the attacker never gained access to Okta itself via account takeover, the compromised computer was logged into Okta, so the attacker could take screenshots and control the machine through the RDP session.
“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report,” Bradbury wrote. “Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.”
Though unconfirmed, Bloomberg reported that cybersecurity researchers investigating a string of hacks linked to Lapsus$ believe that the mastermind of the operation is a 16-year-old living at his mother’s house near Oxford, England.
The teen, who goes by the name of both “White” and “breachbase” online, was not named in the Bloomberg report, but his name is widely available online. Arion Kurtaj was linked to the sale of public text dumping site Doxbin in November, a deal that subsequently fell through. The owners and administrators of Doxbin later claimed that Kurtaj stole control of the Doxbin Discord and then leaked the user database in an act of retribution, according to Bank Info Security.
Though Bloomberg said the fact that researchers have “traced” Lapsus$ to Kurtaj was breaking news, the allegation that Kurtaj is the mastermind of Lapsus$ was posted to Doxbin on Jan. 8.
Discussing the broader hack, Ido Safruti, co-founder and chief technology officer at application protection firm PerimeterX Inc., told SiliconANGLE that the incident is another reminder of software supply chain risks, in particular that a compromise or vulnerability in a third-party piece of code could potentially lead to severe consequences.
“We strongly advise organizations to ask themselves whether they have the tools and capabilities to notice and take action on changes, potential risks and anomalies in their supply chain, and analyze the behavior of users on their website,” Safruti said. “Using a multitiered approach that looks at the entire attack lifecycle from data theft and harvesting, through validation and then account fraud, can provide indications of account takeover activity, and prevent it regardless of the method the attacker used to get in.”
Keith Neilson, technical evangelist at cyber asset management company CloudSphere, noted that malicious actors such as Lapsus$ are finding unique ways to avoid deploying true ransomware by instead infiltrating systems, stealing data and, in turn, leveraging that data to blackmail their victims.
“Given this attack tactic, businesses across all industries should prioritize managing access control through cyber asset management,” Neilson said. “When companies leverage a cyber asset management strategy, they not only gain comprehensive visibility of all cyber assets in the attack surface, but also have the ability to establish and enforce security guardrails to detect potential risks in real time.”
Okta shares fell almost 11% in regular trading.