Lapsus$ has exaggerated the scale of the access to Okta

Authentication firm Okta has reached out to all 366 customers potentially affected by the recent breach. The Lapsus$ extortion group had access to a support engineer’s computer for five days in January.

On March 22, Lapsus$ shared a number of screenshots that appeared to be of Okta’s internal systems. According to Okta, the screenshots were taken from a computer used by support engineers at Sitel, a third-party sub-processor that provides Okta with contract workers for its Customer Support organization.

“The sharing of these screenshots is embarrassing for myself and the whole Okta team,” Okta Chief Security Officer David Bradbury said.

Lapsus$ had access to the engineer’s computer for a period of five days, between 16 and 21 January 2022.

“The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised,” Bradbury said.

Lapsus$ was able to take screenshots and control the machine through a Remote Desktop Protocol (RDP) session.

“We’ve spoken long and hard about the risks of RDP, with the exploitation of susceptible remote services representing one of the most common initial access used by both cybercriminals and nation-state-associated threat groups,” said Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows.

The “superuser” application seen in the screenshots is used by support staff to handle most customer queries. It does not grant administrator or superuser-level access to Okta’s organization.

Okta said there was a five-day window during which the threat actor had access to the Sitel environment. It has determined that the maximum potential impact is 366 customers (approximately 2.5% of its customer base) whose Okta tenant was accessed by Sitel during that window.

Lapsus$, meanwhile, has claimed that it maintained access for two months after 21 January 2022.

“Cybercriminal actors often conduct PR exercises in order to bolster their claims. For Lapsus$, this was highlighted by several of the group’s initial posts stating, ‘you have suffered from a ransomware attack’,” Morgan said.

Digital Shadows emphasized that many researchers have included Lapsus$ in the spectrum of ransomware activity. However, Digital Shadows has not observed any ransomware used in Lapsus$ incidents.

“The initial suggestions of this malware type were likely made in order to increase the fear and pressure on targeted organizations. With Okta, it is realistically possible that Lapsus$ have exaggerated the scale of the access in order to bolster their claims or otherwise enhance their reputation,” Morgan said.

According to a recent Bloomberg report, four researchers investigating Lapsus$ have traced the attacks to a 16-year-old living at his mother’s house near Oxford, England. Another member of Lapsus$ is suspected to be a teenager residing in Brazil.