September 28, 2022
An independent security researcher has shared what's an in-depth timeline of events that transpired as the notorious LAPSUS$ extortion gang got into a third-party service provider linked to the cyber incident at Okta in late January 2022. In a set of screenshots published on Twitter, Costs Demirkapi released a two-page "intrusion timeline" apparently prepared by…

An independent security researcher has shared what’s an in-depth timeline of events that transpired as the notorious LAPSUS$ extortion gang got into a third-party service provider linked to the cyber incident at Okta in late January 2022.

In a set of screenshots published on Twitter, Costs Demirkapi released a two-page “intrusion timeline” apparently prepared by Mandiant, the cybersecurity company hired by Sitel to examine the security breach. Sitel, through its acquisition of Sykes Enterprises in September 2021, is the third-party company that offers client support on behalf of Okta.

The authentication providers exposed last week that on January 20, it looked out to a brand-new element that was contributed to a Sitel customer assistance engineer’s Okta account, an effort that it said was successful and blocked.

The occurrence just came to light 2 months later on after LAPSUS$ posted screenshots on their Telegram channel as evidence of the breach on March 22. The malicious activities, which offered the risk star access to nearly 366 Okta clients, took place over a five-day window in between January 16 and 21, during which the hackers carried out various phases of the attack, including privilege escalation after acquiring an initial foothold, preserving perseverance, lateral motion, and internal reconnaissance of the network.

Okta claimed that it had actually shared signs of compromise with Sitel on January 21 and that it received a summary report about the event from Sitel only on March 17. Subsequently, on March 22, the exact same day the criminal group shared the screenshots, it said it got a copy of the total examination report. Consequently, on March 22, the very same day the criminal group shared the screenshots, it got a copy of the complete examination report.”Even when Okta received the Mandiant report in March explicitly detailing the attack, they continued to ignore the apparent signs that their environment was breached till LAPSUS$ shined a spotlight on their inaction,”Demirkapi wrote in a tweet thread. The San Francisco-based company, in a detailed frequently asked question published on March 25, acknowledged that its failure to inform its users about the breach in January was a”mistake.””Due to the evidence that we have actually gathered in the last week, it is clear that we would have made a various choice if we had been in belongings of all of the facts that we have today,”Okta stated, adding it”should have more actively and powerfully forced info from Sitel. “The advancement comes as the City of London Authorities informed The Hacker News last week that seven individuals linked to the LAPSUS$ gang were apprehended and subsequently released under examination.”Our enquiries stay ongoing,”the firm included. Source