Okta has released additional details about the security incident caused by the Lapsus$ gang, and has named the contractor involved: Sitel.
“Like many SaaS providers, Okta uses several companies (‘sub-processors’) to expand our workforce. These entities help us to deliver for our customers and make them successful with our products. Sitel, through its acquisition of Sykes, is an Okta sub-processor that provides Okta with contract workers for our Customer Support organization,” explained David Bradbury, Okta’s chief security officer.
He also provided a timeline of the incident, and said that it started on January 20 with an unsuccessful attempt to access a Sitel customer support engineer’s Okta account.
On January 21, “The Okta Service Desk terminated the user’s Okta sessions and suspended the account until the root cause of suspicious activity could be identified and remediated,” and on March 22, the company received a report of the investigation conducted by a forensic firm employed by Sitel.
The investigation revealed that the screenshots Lapsus$ made public were taken from a Sitel support engineer’s computer that attackers managed to remotely access using RDP.
“The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session,” Bradbury said, but added that the access that support engineers have is limited to basic duties in handling inbound support queries, and that they can’t create or delete users, download customer databases, or access Okta’s source code repositories.
What should affected customers do?
“In trying to scope the blast radius for this incident, our team assumed the worst-case scenario and examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period in question. Over the past 24 hours we have analyzed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period. We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel,” he added.
Affected customers will receive a report that shows the actions performed on their Okta tenant by Sitel during the five-day period in which attackers had access to the machine, so they can check for themselves whether they were affected in any way.