ITP Techblog

Security vendors have for years now been telling us that a key aspect of keeping your network and data safe is having watertight digital identity controls.

But what if your digital identity provider gets hacked? That's the scenario thousands of companies are faced with as Okta, a San Francisco-based identity authentication software provider that has more than 15,000 clients around the world.

Okta claims that the "worst case" scenario is that 366 of them had their data accessed in cyber-attacks by the Lapsus$ ransomware group, alleged a South American based cyber gang known for aggressive extortion tactics.

The group recently claimed to have broken into the systems of Microsoft, displaying genuine-looking screenshots of source code for Microsoft's Bing search engine. Okta, in a series of blog posts, explained how the cyberattack happened.

Okta also received the screenshot treatment.

"On March 22, 2022, nearly 24 hours ago, a number of screenshots were published online that were taken from a computer used by one of Okta's third-party customer support engineers," Okta's chief security officer explained. 

"The sharing of these screenshots is embarrassing for myself and the whole Okta team." 

Screengrabs showed a SuperUser console used by Sitel engineers to access customer accounts

He goes on to explain that like many software as a service (SaaS) providers, Okta uses "sub-processors", third-parties companies, to "expand our workforce".

"Sitel, through its acquisition of Sykes, is an Okta sub-processor that provides Okta with contract workers for our customer support organization," writes Bradbury.

On January 20th, Okta's security team was alerted to the fact that a new password was added to a Sitel customer support engineer's Okta account. But the target did not accept a multifactor authentication challenge.

"Out of an abundance of caution, we reset the account and notified Sitel who engaged a leading forensic firm to perform an investigation," writes Bradbury.

But that investigation wasn't reported back to Sitel until March 10 and Okta itself didn't receive it until March 17.

"I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report," writes Bradbury. 

"Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications."

It turns out that malicious actors had access to a Sitel engineer's computer from January 16 - 21.

"The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard," Bradbury explains.  

"So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the remote desktop protocol (RDP) session."

Gauging the blast radius

While the access to Sitel's systems was fairly low level - the hackers did not have the ability to download customer databases or access source code repositories, an analysis of 125,000 log entries showed that information relating to 366 Okta customers could have been accessed during the breach.

Bradbury expected Okta customers, including FedEx and Cloudflare, who use Okta digital identity accounts to control access to their systems, would want to do their own analysis of the potential threats posed by the breach.

So far, no sensitive customer data appears to have been published on the web, but the true extent of the security incident could become more apparent in the coming days.

Okta's security woes once again highlight the complexities of the software supply chain and the numerous potential points of failure that end users are likely oblivious to.