Okta says security protocols limited hacking, but response was too slow

After the disclosure of a hack affecting its authentication platform, Okta argued that the effects of the breach were largely contained by its security protocols and reiterated that users of the service do not need to take any action.

The statements were made by David Bradbury, chief security officer at Okta, during a video call with customers and the press on Wednesday morning.

On Monday, hacking group Lapsus$ released footage showing the group had compromised Okta’s internal systems, putting thousands of businesses that rely on the authentication tool on high alert.

“Sharing these screenshots is an embarrassment to me and the entire Okta team,” Bradbury said at the start of the call. “Today I want to give my perspective on what happened and where we are with this investigation.”

During a ten-minute briefing, Bradbury said hackers compromised Okta’s systems by remotely accessing a machine belonging to an employee of Sitel, a company contracted to provide customer service functions to Okta. Using a remote desktop protocol, hackers were able to enter commands into the compromised machine and view monitor output, allowing them to take screenshots, Bradbury said.

None of Okta’s systems were directly hacked, the CSO said, but the Sitel support engineer’s machine was connected to Okta when it was compromised and remained so from the date of compromise on January 16 until Okta’s security team became aware of it and suspended the account on January 21.

However, because Okta applies least-privilege access controls – in which a network user is allowed to perform only the minimum set of actions necessary for their job – the hackers were limited in what they could reach through a support engineer’s account, which led Okta to state that no corrective action was required from users of the service.
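The least-privilege point above is easier to reason about in code. The following is an added illustration, not code from the article and not Okta's or Sitel's actual permission model: a deny-by-default role check in which every authorization decision is logged, plus a helper that answers the question an incident responder asks first, namely which high-impact actions a compromised account of a given role could have performed. The role names, actions and resource types are constructed for the example.

```python
"""Deny-by-default role authorization with an audit trail.

Added illustration only. Roles, actions and resource types below are
constructed and do not describe any real vendor's permission model.
"""
from dataclasses import dataclass, field

# Constructed role -> allowed (action, resource_type) pairs.
# Anything not listed here is denied: that is the least-privilege default.
ROLE_PERMISSIONS = {
    "support_engineer": {
        ("view", "user_profile"),
        ("reset_mfa", "user"),
        ("view", "support_ticket"),
    },
    "org_admin": {
        ("view", "user_profile"),
        ("reset_mfa", "user"),
        ("reset_password", "user"),
        ("create", "user"),
        ("delete", "user"),
        ("export", "user_directory"),
        ("view", "support_ticket"),
    },
}

# Actions a defender would treat as high impact if carried out from a
# compromised account (constructed list for the example).
HIGH_IMPACT = {
    ("create", "user"),
    ("delete", "user"),
    ("reset_password", "user"),
    ("export", "user_directory"),
}


@dataclass
class AuditEvent:
    actor: str
    role: str
    action: str
    resource_type: str
    allowed: bool


@dataclass
class Authorizer:
    role_permissions: dict
    audit_log: list = field(default_factory=list)

    def is_allowed(self, actor: str, role: str, action: str, resource_type: str) -> bool:
        """Return True only if the role explicitly grants (action, resource_type).

        Unknown roles get an empty permission set, so they are denied everything.
        Every decision, allowed or not, is appended to the audit log so that
        denied attempts from one actor remain visible to detection later.
        """
        allowed = (action, resource_type) in self.role_permissions.get(role, set())
        self.audit_log.append(AuditEvent(actor, role, action, resource_type, allowed))
        return allowed

    def blast_radius(self, role: str) -> list:
        """High-impact actions this role could perform if its account were taken over."""
        return sorted(self.role_permissions.get(role, set()) & HIGH_IMPACT)

    def denied_events(self, actor: str = None) -> list:
        """Denied decisions, optionally filtered to one actor.

        A burst of denials from a single account is a cheap signal that
        someone is probing beyond the role's intended scope.
        """
        return [
            e for e in self.audit_log
            if not e.allowed and (actor is None or e.actor == actor)
        ]


if __name__ == "__main__":
    auth = Authorizer(ROLE_PERMISSIONS)
    # Constructed actor name; a support-role account tries a routine action,
    # then an action outside its role.
    print(auth.is_allowed("support-acct-01", "support_engineer", "view", "user_profile"))
    print(auth.is_allowed("support-acct-01", "support_engineer", "export", "user_directory"))
    print("support_engineer blast radius:", auth.blast_radius("support_engineer"))
    print("org_admin blast radius:", auth.blast_radius("org_admin"))
    print("denials for support-acct-01:", len(auth.denied_events("support-acct-01")))
```

The design choice worth noting is that `blast_radius` is computed from the same permission table the runtime check uses, so the answer given to responders cannot drift from what the system would actually have allowed; the empty list for the support role is exactly the property the article credits with limiting the incident.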

Details of the breach were compiled by a forensic investigation firm that was hired shortly after the unauthorized access was discovered, but the full report was only recently provided to Okta, according to Bradbury.

“I am very disappointed with the lengthy period between our initial notification to Sitel in January and the release of the full investigation report just hours ago,” Bradbury said.

While the impact of the breach appears to be less severe than initially feared, the Lapsus$ hacker group has emerged as a prolific and persistent threat, having mounted confirmed hacks against a number of major tech companies and claimed responsibility for other incidents that have not yet been attributed to the group.

On Tuesday — the same day the Okta hack was confirmed — Lapsus$ also released stolen source code for Microsoft’s Bing and Cortana products, obtained through the compromise of an employee’s account.

Graphics card maker Nvidia was also hacked by the group in late February and the credentials of its employees were leaked online. In a similar time frame, Lapsus$ claimed responsibility for a breach by South Korean tech giant Samsung in which the source code for Galaxy devices was obtained, and also implied that the group was responsible for a “cybersecurity incident” affecting game developer Ubisoft.

Security professionals view the group as a sophisticated and versatile threat actor and advise potential targets to proactively guard against methods of compromise.

“This group’s ‘all-inclusive’ approach to targeting its victims with ransomware, SIM swapping, exploits, dark web reconnaissance and reliable phishing tactics shows the focus and open toolkit used to achieve its goals,” said Mark Ostrowski, engineering manager at Check Point Software. “Companies and organizations around the world should focus on educating their users about these tactics, deploying prevention strategies in all aspects of their cybersecurity programs, and inventorying all access points looking for potential weaknesses.”
