
Process of an embarrassing hack: How Lapsus$ paraded an IT security company

2022-03-29T15:54:20.628Z


Okta secures access to thousands of company networks, but was hacked itself. The perpetrators hijacked an Okta service provider and did not act very subtly. Not only the IT industry should learn from this.



Okta: "Heavily disappointed"

Photo: DADO RUVIC / REUTERS

What is the plural form of lapsus – lapsus$?

The hacker group of the same name, which is said to be led by a 17-year-old from near Oxford, has recently made a name for itself with spectacular break-ins into the systems of large IT companies: Microsoft, Vodafone, Ubisoft, Samsung, Nvidia, LG - and Okta.

Of the above, Okta is probably the least known to the general public, but the company has a special role: Okta provides a so-called single sign-on solution for thousands of other companies and government agencies.

That means employees can log into their company services through Okta.

And it means every lapse by Okta is a potential security risk for all these companies and government agencies.

In fact, Sitel, one of Okta's service providers, allowed itself several lapsuses - that's the correct plural - and thus made it easy for Lapsus$ to find their way into Sitel's own systems and subsequently into Okta's.

This is documented by documents published by the independent security researcher Bill Demirkapi and reported on by Wired and TechCrunch, among others.

They don't explain all the details of the hack, but they do illustrate the consequences of a software supply chain attack - and how crude an attack can be and still have serious consequences.

Hackers use standard tools

At the center is an »intrusion timeline«, a timeline of the hack that was created by the security company Mandiant or is based on their data.

According to this timeline, the break-in began on January 16 at 00:33 UTC (01:33 German time), with the perpetrator or perpetrators only becoming really active several days later.

On March 19, they logged on to a Sitel employee's laptop using RDP (Remote Desktop Protocol).

RDP is a remote access protocol that shows users the graphical interface of a remote PC on their own device as if they were sitting directly in front of it.

Sitel is a data processor for Okta, and its employees have access to multiple applications on Okta's systems for their support work.

It has not yet been clarified where the perpetrator or perpetrators got the access data for RDP access to the laptop.

But as soon as they were logged in, they used the Sitel employee's computer, without any attempt at disguise, to search Microsoft's Bing search engine for sample code exploiting a security hole that had been known since August.

This vulnerability makes it possible to obtain further access rights, i.e. to escalate privileges on the machine.

The perpetrator or perpetrators found the necessary code on GitHub, the code-sharing platform that Microsoft has owned since 2018, and executed it on the compromised laptop.

In the next step, they used Bing to look for the open source programs Process Explorer and Process Hacker, which act as a kind of extended task manager.

They used these programs to disable FireEye's endpoint security software on the Sitel laptop, the very software that is supposed to stop such threats.

They were then able to download and install Mimikatz, a well-known and also open-source tool for extracting credentials.

Mimikatz is used by administrators who want to check their own systems for vulnerabilities, by security experts for penetration tests - and by criminals.

A few hours later, they found the DomAdmins-LastPass.xlsx file on the laptop.

Apparently, the Sitel employee had exported a list of administrator passwords from his password manager and saved it unprotected.

Anyone who handles passwords this way might as well not bother with a password manager or password safe at all.

With the new access data, the perpetrator or perpetrators created their own admin account and set up a new e-mail rule that forwarded all mail from Sitel employees to themselves.
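As an added defender-side illustration that is not part of the original article: a small correlation rule over constructed event records that flags, on a single host, the chain the timeline describes (an RDP logon, the endpoint security service being stopped, a credential-dumping tool running, a new domain admin, and a mail forwarding rule). Hostnames, user names, paths and timestamps are invented; the normalized event fields are an assumption about how a log pipeline would present them.

```python
from datetime import datetime, timedelta

# Detection stages in the order the Sitel timeline reports them. Each
# predicate runs on a normalized event record (dict) from any log source.
STAGES = [
    ("rdp_logon", lambda e: e["type"] == "logon" and e.get("logon_type") == 10),
    ("edr_stopped", lambda e: e["type"] == "service" and e.get("action") == "stop"
     and "fireeye" in e.get("name", "").lower()),
    ("cred_dump", lambda e: e["type"] == "process"
     and "mimikatz" in e.get("image", "").lower()),
    ("admin_added", lambda e: e["type"] == "group_change"
     and e.get("group") == "Domain Admins"),
    ("mail_forward", lambda e: e["type"] == "mailbox_rule"
     and e.get("forward_to") is not None),
]

def correlate(events, window=timedelta(hours=48)):
    """Per host, list the distinct stages seen within `window` of the first
    matching event. Order is not enforced: intruders rarely follow a script,
    and several of these stages together are suspicious in any order."""
    by_host = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for stage, match in STAGES:
            if match(e):
                seen = by_host.setdefault(e["host"], {"first": e["ts"], "stages": []})
                if e["ts"] - seen["first"] <= window and stage not in seen["stages"]:
                    seen["stages"].append(stage)
    return {host: v["stages"] for host, v in by_host.items()}

def severity(stages):
    # One stage alone (an RDP logon, a pentester's Mimikatz run) is routine;
    # three or more on one host inside the window warrants escalation.
    return "high" if len(stages) >= 3 else "medium" if len(stages) == 2 else "low"

T = lambda s: datetime.fromisoformat(s)
# Constructed sample events (hostnames, users, paths and times are invented).
SAMPLE_EVENTS = [
    {"ts": T("2022-06-01 09:02"), "host": "SITEL-LAPTOP-01", "type": "logon", "logon_type": 10, "user": "jdoe"},
    {"ts": T("2022-06-01 09:40"), "host": "SITEL-LAPTOP-01", "type": "process", "image": "C:\\Tools\\ProcessHacker.exe"},
    {"ts": T("2022-06-01 09:41"), "host": "SITEL-LAPTOP-01", "type": "service", "action": "stop", "name": "FireEye Endpoint Agent"},
    {"ts": T("2022-06-01 10:05"), "host": "SITEL-LAPTOP-01", "type": "process", "image": "C:\\Users\\jdoe\\mimikatz.exe"},
    {"ts": T("2022-06-01 14:30"), "host": "SITEL-LAPTOP-01", "type": "group_change", "group": "Domain Admins", "member": "svc-backup2"},
    {"ts": T("2022-06-01 14:45"), "host": "SITEL-LAPTOP-01", "type": "mailbox_rule", "forward_to": "external@example.net"},
    {"ts": T("2022-06-01 08:00"), "host": "ADMIN-PC-07", "type": "logon", "logon_type": 10, "user": "helpdesk"},
    {"ts": T("2022-06-04 11:00"), "host": "ADMIN-PC-07", "type": "process", "image": "C:\\pentest\\mimikatz.exe"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, severity(stages), stages)
```

The second host shows the window at work: a Mimikatz run three days after an RDP logon is not correlated with it, so a scheduled penetration test does not inherit the earlier logon's context.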

Potential access to hundreds of Okta customers

Access to the Sitel laptop ended on January 21st.

Two months later, Lapsus$ released several screenshots from Okta's internal systems.

By then, Okta had known the details of the Sitel incident for four days but had not informed its customers.

Okta had known that something had happened at Sitel since January 20, i.e. while the attack was still ongoing.

However, neither company seemed to want to fully inform their respective customers about their findings.

Neither Okta nor Sitel responded to recent inquiries from "TechCrunch".

Okta's chief of security last released a statement on March 23.

In it he said he was "very disappointed" about the slow flow of information from Sitel to his company and admitted that they should have reacted more quickly.

In the worst case, Lapsus$ was able to use its access to reach 366 Okta customers.

So it wouldn't be a surprise if it turns out that some of the recent Lapsus$ hacks were made possible by the Okta hack.

It is currently uncertain whether there will be further Lapsus$ attacks.

Last Friday, British police temporarily arrested several people between the ages of 16 and 21 as part of "an investigation into a hacking group".

However, the problem of supply chain attacks will not disappear as a result.

Source: spiegel
