An independent security researcher has posted a purported detailed timeline of the January Lapsus$ breach at a third-party Okta provider, reportedly produced by Mandiant, the forensic firm investigating the incident.
Researcher Bill Demirkapi said he had obtained copies of the Mandiant report on the breach, and posted a timeline from the report on Twitter today.
VentureBeat has reached out to Okta, Mandiant and the third-party support provider, Sitel. Okta acknowledged receiving VentureBeat's request and did not immediately dispute the documents. Mandiant declined to comment, and did not dispute the documents or its involvement in the Lapsus$ breach investigation.
Last Tuesday, Okta revealed that the hacker group Lapsus$ had access to a Sitel customer support engineer's laptop during January 16-21, giving the threat actor access to up to 366 Okta customers. The incident was disclosed by Okta only after Lapsus$ posted screenshots on Telegram as evidence of the breach.
Okta said it received a summary report on the incident from Sitel on March 17.
"Even when Okta received the Mandiant report in March showing clear details of the attack, they continued to ignore clear indications that their environment had been breached until LAPSUS$ drew attention to their inaction," Demirkapi said in a tweet.
The purported Mandiant timeline begins Jan. 16, with the initial compromise of Sitel. This contrasts with the timeline provided by Okta, which starts on January 20 and does not include any details about what happened before that point.
According to the timeline posted by Demirkapi, Lapsus$ did not begin investigating the compromised system until January 19.
That day, the threat actor searched Bing for privilege escalation tools on GitHub, the purported Mandiant timeline says. "With little regard for OPSEC, LAPSUS$ searched for a CVE-2021-34484 bypass on their compromised host and downloaded a pre-built version from GitHub," Demirkapi said in a tweet.
Demirkapi said the threat actor "simply bypassed the FireEye endpoint agent," then "just downloaded the official version of Mimikatz (a popular credential dumping utility) directly from its GitHub."
"The attackers created backdoor users in Sitel's environment and ended their attack by creating a malicious 'email transport rule' to forward all mail in Sitel's environment to their own account," Demirkapi wrote in a tweet.
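A mail-forwarding transport rule of the kind described above is a persistence and exfiltration mechanism that survives password resets, so it is worth auditing for directly. The script below is an added example written for this article, not code from the Mandiant report, from Demirkapi, or from any of the companies involved. It assumes the rules have been exported to JSON with the property names Exchange uses for the recipient-adding actions (RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients); the sample export embedded in the block is constructed, and the organisation domain and rule names in it are placeholders.

```python
"""Flag Exchange transport rules that redirect, copy or BCC mail to recipients
outside the organisation's own domains.

Added example, not part of the original article. Input is assumed to be a JSON
export of transport rules (e.g. from `Get-TransportRule | ConvertTo-Json`) using
Exchange's property names for the recipient-adding actions.
"""
import json

# Rule actions that deliver a copy of (or divert) a message to extra recipients.
FORWARDING_ACTIONS = ("RedirectMessageTo", "BlindCopyTo", "CopyTo", "AddToRecipients")


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address.

    An address with no '@' yields the whole string, which will never match an
    internal domain and is therefore reported as external (fail-closed).
    """
    return address.rsplit("@", 1)[-1].lower()


def find_external_forwarding_rules(rules, internal_domains):
    """Return one finding per (rule, action) that targets an external recipient.

    rules: list of dicts as produced by a JSON export of transport rules.
    internal_domains: iterable of domains considered inside the organisation.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        for action in FORWARDING_ACTIONS:
            recipients = rule.get(action) or []
            # Exports sometimes collapse a single recipient to a plain string.
            if isinstance(recipients, str):
                recipients = [recipients]
            external = [r for r in recipients if _domain(r) not in internal]
            if external:
                findings.append({
                    "name": rule.get("Name"),
                    "state": rule.get("State"),
                    "action": action,
                    "external_recipients": external,
                })
    return findings


# Constructed sample export (placeholder names and domains, not real data).
SAMPLE_EXPORT = json.dumps([
    {   # Benign: copies mail to an internal compliance mailbox.
        "Name": "Compliance archive",
        "State": "Enabled",
        "CopyTo": ["compliance-archive@example.com"],
    },
    {   # Suspicious: innocuous name, but BCCs every message to an outside domain.
        "Name": "Mail flow hygiene",
        "State": "Enabled",
        "BlindCopyTo": ["ops-archive@mail-relay.example"],
    },
    {   # No recipient-adding action at all; should not be reported.
        "Name": "Prepend external disclaimer",
        "State": "Enabled",
        "PrependSubject": "[EXTERNAL] ",
    },
])

INTERNAL_DOMAINS = ["example.com"]


def audit_sample():
    """Run the check over the constructed sample export and return the findings."""
    return find_external_forwarding_rules(json.loads(SAMPLE_EXPORT), INTERNAL_DOMAINS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['name']} ({finding['state']}): {finding['action']} -> "
              f"{', '.join(finding['external_recipients'])}")
```

Running it over the sample reports only the "Mail flow hygiene" rule. In practice the interesting signal is a newly created or recently modified rule rather than its name, so pairing this check with the rule's modification timestamp and the account that created it turns an inventory into a detection.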
"One of the top questions for Okta is, 'Did you know that one of your customer support members' machines was compromised in January? Why didn't you investigate?' The ability to detect an attack is useless if you are not prepared to respond," Demirkapi said on Twitter.
‘Made a mistake’
On Friday, Okta apologized for its handling of the January breach. The identity security vendor "made a mistake" in its response to the incident and should have "more actively and forcefully compelled information" about what happened in the breach, the company said.
The apology follows a discussion in the cybersecurity community about the lack of an Okta disclosure for the two-month-old incident. An Okta statement on Friday stopped short of saying that the company believes it should have disclosed what it had learned.
However, Okta said that Sitel's support engineers have "limited" access, and that third-party support engineers cannot create users, delete users, or download customer databases.
"We are confident in our conclusion that the Okta service has not been breached and no corrective action needs to be taken by our customers," Okta said on Friday. "We are confident in this conclusion because Sitel (and therefore the threat actor who only had access to Sitel) was unable to create or delete users or download the customer database."
Earlier this month, Google announced a $5.4 billion deal to acquire the leading cyber incident response firm, Mandiant.