March 24, 2022

Okta Shares Investigation Update – 2022-03-24

Industry: Technology / Level: Tactical / Source: Okta Blog

Okta posted an update on the company blog regarding its security breach by Lapsus$. Okta’s forensic investigation affirms that the activity originated from a business solutions company named Sitel and its acquired company, Sykes. The screenshots shared by Lapsus$ were determined to have been obtained through remote desktop (RDP) access to a Sitel support engineer’s workstation. Although the support engineer’s privileges were identified as “SuperUser,” Okta emphasizes that the role “has limited to basic duties in handling inbound support queries.” The forensic investigation conducted by Sitel and a third-party security firm extensively reviewed activity from “January 16-21, 2022 when the threat actor had access to the Sitel environment.” Okta’s own investigation was triggered by an event on January 20, 2022, at 23:18 UTC, with an alert that “a new factor was added to a Sitel employee’s Okta account from a new location.” The associated Okta account was contained by Okta on January 21, 2022, at 00:18 UTC. Okta has provided an incident timeline (below) dating the notable events from January 20, 2022, to March 22, 2022, when Lapsus$ claimed a breach via screenshot.

Timeline (times in UTC and shared from Okta)

  • January 20, 2022, 23:18 – Okta Security received an alert that a new factor was added to a Sitel employee’s Okta account from a new location. The target did not accept an MFA challenge, preventing access to the Okta account.
  • January 20, 2022, at 23:46 – Okta Security investigated the alert and escalated it to a security incident.
  • January 21, 2022, at 00:18 – The Okta Service Desk was added to the incident to assist with containing the user’s account.
  • January 21, 2022, at 00:28 – The Okta Service Desk terminated the user’s Okta sessions and suspended the account until the root cause of suspicious activity could be identified and remediated.
  • January 21, 2022, at 18:00 – Okta Security shared indicators of compromise with Sitel. Sitel informed us that they retained outside support from a leading forensic firm.
  • January 21, 2022, to March 10, 2022 – The forensic firm’s investigation and analysis of the incident was conducted until February 28, 2022, with its report to Sitel dated March 10, 2022.
  • March 17, 2022 – Okta received a summary report about the incident from Sitel.
  • March 22, 2022, at 03:30 – Screenshots shared online by LAPSUS$.
  • March 22, 2022, at 05:00 – Okta Security determined that the screenshots were related to the January incident at Sitel.
  • March 22, 2022, at 12:27 – Okta received the complete investigation report from Sitel.

Detection Use Cases:

  • Okta: Security Threat Detected
  • Okta: API Token Created
  • Okta: User/Group Privilege Grant
  • Okta: Application Modified or Deleted
  • Okta: Update or Delete sign on policy
  • Okta: MFA Reset or Deactivated
  • Okta: Policy Modified or Deleted
  • Okta: Policy Rule Modified or Deleted
  • Okta: Multiple sign-ins from Same IP address
  • Okta: Impossible Travel Sign-In
  • Okta: Auth from Suspicious Country
  • Okta: Profile Updated
  • Okta: User Created
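The alert that started Okta’s investigation was an MFA factor added to an account from a location the user had not signed in from before. The following Python detection, added here as an illustration and not code from Okta or from this brief, runs that logic over Okta System Log records: it learns each user’s sign-in countries from successful `user.session.start` events and flags any MFA factor activation, deactivation or reset that comes from a country outside that set. Field names follow the Okta System Log schema; the log records, users, IPs and countries are constructed samples.

```python
import json
from collections import defaultdict

# Event types in the Okta System Log that change a user's MFA factors.
FACTOR_CHANGE_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.deactivate",
                        "user.mfa.factor.reset_all"}

# Constructed sample records (JSON lines as exported from the System Log API).
# Values are invented; only the field names follow Okta's schema.
SAMPLE_LOG = "\n".join([
    '{"published":"2022-01-18T09:02:11Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},'
    '"actor":{"alternateId":"engineer@example.com"},'
    '"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"Country-A"}}}',
    '{"published":"2022-01-19T10:15:40Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},'
    '"actor":{"alternateId":"engineer@example.com"},'
    '"client":{"ipAddress":"198.51.100.9","geographicalContext":{"country":"Country-A"}}}',
    '{"published":"2022-01-20T23:18:02Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},'
    '"actor":{"alternateId":"engineer@example.com"},'
    '"client":{"ipAddress":"203.0.113.45","geographicalContext":{"country":"Country-B"}}}',
    '{"published":"2022-01-20T23:19:30Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"FAILURE"},'
    '"actor":{"alternateId":"engineer@example.com"},'
    '"client":{"ipAddress":"203.0.113.45","geographicalContext":{"country":"Country-B"}}}',
])


def load_events(text):
    """Parse JSON-lines System Log output into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_factor_change_from_new_location(events):
    """Return one alert per MFA factor change made from a country the user
    has no prior successful sign-in from within the supplied window."""
    known_countries = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):  # process in time order
        user = ev["actor"]["alternateId"]
        country = ev["client"]["geographicalContext"]["country"]
        etype = ev["eventType"]
        if etype == "user.session.start" and ev["outcome"]["result"] == "SUCCESS":
            known_countries[user].add(country)  # baseline of where this user signs in from
        elif etype in FACTOR_CHANGE_EVENTS and country not in known_countries[user]:
            alerts.append({"user": user, "event": etype, "time": ev["published"],
                           "ip": ev["client"]["ipAddress"], "country": country})
    return alerts


if __name__ == "__main__":
    for alert in detect_factor_change_from_new_location(load_events(SAMPLE_LOG)):
        print(alert)
```

A user with no successful sign-in in the window has an empty baseline, so every factor change is flagged; widen the lookback (or seed the baseline from the user profile) to cut that noise in production.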