March 29, 2022

Okta Data Breach Update

Industry: Technology | Level: Tactical | Source: Okta

Okta has posted an update on its company blog regarding the security breach by Lapsus$. Okta's forensic investigation confirms the activity originated from Sitel, a business solutions company, and Sykes, a company Sitel acquired. The screenshots shared by Lapsus$ were determined to have been obtained through remote desktop (RDP) access to a Sitel support engineer's workstation. Although the support engineer's privileges were identified as "SuperUser," Okta emphasizes the role "is limited to basic duties in handling inbound support queries." The forensic investigation conducted by Sitel and a third-party security firm extensively reviewed activity from "January 16-21, 2022 when the threat actor had access to the Sitel environment." Okta's own investigation was triggered by an event on January 20, 2022, at 23:18 UTC, when an alert fired because "a new factor was added to a Sitel employee's Okta account from a new location." Okta contained the associated Okta account on January 21, 2022, at 00:18 UTC. An incident timeline provided by Okta dates the notable events from January 20, 2022 to March 22, 2022, when Lapsus$ claimed the breach via screenshot.

  • Anvilogic Scenarios:
    • Okta Suspicious Login then Priv Esc and AOO
    • Okta Suspicious Login then Account Manipulation
  • Anvilogic Use Cases:
    • Okta: Security Threat Detected
    • Okta: API Token Created
    • Okta: User/Group Privilege Grant
    • Okta: Application Modified or Deleted
    • Okta: Update or Delete sign on policy
    • Okta: MFA Reset or Deactivated
    • Okta: Policy Modified or Deleted
    • Okta: Policy Rule Modified or Deleted
    • Okta Multiple signins from Same IP address
    • Okta Impossible Travel Sign-In
    • Okta: Auth from Suspicious Country
    • Okta: Profile Updated
    • Okta: User Created
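As an added example (not code from Okta's report or from Anvilogic), the detection that triggered Okta's investigation, a new MFA factor added to an account from a location not seen in that user's sign-in history, can be expressed directly over Okta System Log events, and chained with a follow-on privilege grant or API token creation in the spirit of the "Okta Suspicious Login then Priv Esc" scenario and the "MFA Reset or Deactivated" / "User/Group Privilege Grant" use cases above. The sample events, user, IP addresses and countries are constructed. The eventType names and field paths used (`user.session.start`, `user.mfa.factor.activate`, `user.account.privilege.grant`, `system.api_token.create`, `client.ipAddress`, `client.geographicalContext.country`, `outcome.result`) follow Okta's System Log schema; the 30-day baseline, the 1-hour minimum age for a sign-in to count as "known", and the 24-hour chain window are assumed tuning values, not figures from the report.

```python
"""Detect an MFA factor activation from a location absent from the user's
sign-in baseline, then chain it with a privilege event by the same account.
Sample records are constructed and only carry the System Log fields used."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values (not from the Okta report).
BASELINE_WINDOW = timedelta(days=30)   # how far back sign-ins count as baseline
MIN_AGE = timedelta(hours=1)           # a sign-in seconds before the enrollment is
                                       # the attacker's own session, not a baseline
CHAIN_WINDOW = timedelta(hours=24)     # follow-on privilege event must land within this
PRIV_EVENTS = {"user.account.privilege.grant", "system.api_token.create"}


def _ev(published, event_type, user, ip, country, result="SUCCESS"):
    """Build a constructed Okta System Log record with the real schema's field paths."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "outcome": {"result": result},
    }


# Constructed sample log: two weeks of normal use, then a sign-in and factor
# enrollment from a never-seen country, followed 22 minutes later by a privilege grant.
SAMPLE_LOG = [
    _ev("2022-01-05T09:00:00.000Z", "user.session.start", "support.eng@example.com", "203.0.113.10", "Germany"),
    _ev("2022-01-12T10:15:00.000Z", "user.mfa.factor.activate", "support.eng@example.com", "203.0.113.10", "Germany"),
    _ev("2022-01-20T23:18:00.000Z", "user.session.start", "support.eng@example.com", "198.51.100.7", "Brazil"),
    _ev("2022-01-20T23:18:30.000Z", "user.mfa.factor.activate", "support.eng@example.com", "198.51.100.7", "Brazil"),
    _ev("2022-01-20T23:40:00.000Z", "user.account.privilege.grant", "support.eng@example.com", "198.51.100.7", "Brazil"),
]


def parse_ts(published):
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ")


def known_locations(history, now):
    """IPs and countries from sign-ins old enough to trust and recent enough to matter."""
    ips, countries = set(), set()
    for ts, ip, country in history:
        if MIN_AGE <= now - ts <= BASELINE_WINDOW:
            ips.add(ip)
            countries.add(country)
    return ips, countries


def detect(events):
    """Return alerts for new-location factor activations and chained privilege events."""
    alerts = []
    baseline = defaultdict(list)  # user -> [(ts, ip, country)] from successful sign-ins
    pending = {}                  # user -> ts of an unresolved new-location factor alert
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        ts = parse_ts(ev["published"])
        user = ev["actor"]["alternateId"]
        client = ev.get("client", {})
        ip = client.get("ipAddress")
        country = client.get("geographicalContext", {}).get("country")
        et = ev["eventType"]

        if et == "user.mfa.factor.activate":
            known_ips, known_countries = known_locations(baseline[user], ts)
            new_ip = ip not in known_ips
            new_country = country not in known_countries
            if new_ip or new_country:
                # A user with no history at all also fires here; gate on a minimum
                # history length if that is too noisy for new hires.
                alerts.append({"rule": "mfa_factor_from_new_location", "user": user,
                               "ts": ev["published"], "ip": ip, "country": country,
                               "severity": "high" if new_country else "medium"})
                pending[user] = ts
        elif et in PRIV_EVENTS and user in pending and ts - pending[user] <= CHAIN_WINDOW:
            alerts.append({"rule": "new_location_factor_then_privilege", "user": user,
                           "ts": ev["published"], "event": et, "severity": "critical"})

        if et == "user.session.start":
            baseline[user].append((ts, ip, country))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The January 12 activation from the long-known IP produces no alert, which is the false-positive check a rule like this needs before it goes to production; the January 20 sign-in from the new IP does not whitewash the enrollment thirty seconds later because of MIN_AGE. In a real pipeline the baseline would come from a lookup table fed by `user.session.start` over the last month rather than from the same batch of events.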