This is Mandiant’s timeline for the Okta Lapsus$ breach, according to a researcher

An independent security researcher has posted a purported detailed timeline for the Lapsus$ breach of a third-party Okta provider in January, produced by the forensic firm that investigated the incident, identified as Mandiant.

The researcher, Bill Demirkapi, said he had obtained copies of the Mandiant report on the breach, and posted the timeline from the report today on Twitter.

VentureBeat has reached out to Okta, Mandiant and the third-party support provider, Sitel. Okta acknowledged receiving the request from VentureBeat and did not immediately dispute the documents. Mandiant declined to comment, and did not dispute the documents or its involvement in the investigation of the Lapsus$ breach.

Last Tuesday, Okta disclosed that the hacker group Lapsus$ had accessed the laptop of a Sitel customer support engineer from January 16-21, giving the threat actor access to up to 366 Okta customers. The incident was only disclosed by Okta after Lapsus$ posted screenshots on Telegram as evidence of the breach.

Okta said it had received a summary report about the incident from Sitel on March 17.

In a tweet, Demirkapi said that “even when Okta received the Mandiant report in March explicitly detailing the attack, they continued to ignore the obvious signs that their environment was breached until LAPSUS$ shined a spotlight on their inaction.”

New details

The purported Mandiant timeline starts on January 16, with the initial compromise of Sitel. That’s in contrast the the timeline provided by Okta, which starts on January 20 and does not include any details about what happened prior to that point.

Lapsus$ did not begin investigating the compromised system until January 19, according to the timeline posted by Demirkapi.

On that day, the threat actor did a Bing search for privilege escalation tools on GitHub, the purported Mandiant timeline says. “With little regard for OPSEC, LAPSUS$ searched for a CVE-2021-34484 bypass on their compromised host and downloaded the pre-built version from GitHub,” Demirkapi said in a tweet.

The threat actor “bypassed the FireEye endpoint agent by simply terminating it,” then “simply downloaded the official version of Mimikatz (a popular credential dumping utility) directly from its repository,” Demirkapi said.

The attacker created backdoor users within Sitel’s environment and “finished off their attack by creating a malicious ’email transport rule’ to forward all mail within Sitel’s environment to their own accounts,” Demirkapi wrote in a tweet.

A top question for Okta is, “You knew that the machine of one of your customer support members was compromised back in January. Why didn’t you investigate it? Having the capability to detect an attack is useless if you aren’t willing to respond,” Demirkapi said on Twitter.

‘Made a mistake’

On Friday, Okta released an apology for its handling of the January breach. The identity security vendor “made a mistake” in its response to the incident, and “should have more actively and forcefully compelled information” about what occurred in the breach, the company said.

The apology followed a debate in the cybersecurity community over Okta’s lack of disclosure for the two-month-old incident. The Okta statement on Friday stopped short of saying that the company believes it should have disclosed what it knew sooner.

However, Okta has said that the support engineers at Sitel have “limited” access, and that third-party support engineers cannot create users, delete users or download databases belonging to customers.

“We are confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers,” Okta said on Friday. “We are confident in this conclusion because Sitel (and therefore the threat actor who only had the access that Sitel had) was unable to create or delete users, or download customer databases.”

Earlier this month, Google announced a $5.4 billion deal to acquire Mandiant, a prominent cyber incident response firm.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn More

Source

Follow me on Twitter:

Leave a Comment