I admit that I didn’t pay a lot of attention when the Okta hack was first announced. On March 23, the Washington Post said:
In a detailed blog post (in
January, when the attack was discovered), (David) Bradbury (Okta
CSO) said Okta identified a potential security compromise in January. After
an investigation, it found that a hacker had obtained remote access to a
contractor’s computer. The hacker appears to have had access for five days.
“So while the attacker never gained
access to the Okta service via account takeover, a machine that was logged into
Okta was compromised and they were able to obtain screenshots and control the
machine through the (remote desktop protocol) session,” Bradbury wrote.
Customer service contractors cannot
download customer databases or access source code, he wrote.
Not too bad, right? A help desk
contractor’s machine was compromised while it was remotely logged into Okta’s network.
But a help desk contractor would presumably just have access to a trouble ticketing
system and maybe some support documentation – and the CSO himself says that
customer service contractors can’t access customer databases. No harm, no foul?
That would be a reasonable
conclusion to draw, even though Okta isn’t your run-of-the-mill say chicken
processor. They provide third party identity and access management services to thousands
of companies. Obviously, a company like that holds “keys to the kingdom” to their
customers’ networks, just like SolarWinds did (and still does). A real breach
might allow the attackers to penetrate lots of other customers. The SolarWinds
attackers (aka the Russian government, who showed great competence in that cyberattack.
However, it turns out those are the only types of attacks they’re good at,
which is good news for the rest of the world, but not such good news for my
Uncle Vlad)
But in January, Okta said there
hadn’t been any adverse consequences other than somebody being able to see screens
that a run-of-the-mill help desk contractor would see. The world moved on (if
it had even paused in the first place).
That is, until March 21, when,
according to a great
article in Wired,
ON MONDAY EVENING, the Lapsus$
digital extortion gang published a series of increasingly shocking posts in its
Telegram channel. First, the group dumped what it claims is extensive source
code from Microsoft's Bing search engine, Bing Maps, and Cortana virtual
assistant software. A potential breach of an organization as big and
security-conscious as Microsoft would be significant in itself, but the group
followed the post with something even more alarming: screenshots apparently
taken on January 21 that seem to show Lapsus$ in control of an Okta
administrative or “super user” account.
So now it seems this was a little
more than a compromise of some single-shingle help desk contractor somewhere,
where the prize was just some screenshots. This was a compromise of Okta itself,
which included access to a super user account; and the compromise started with
Sitel, a large company that provides customer support services to other
organizations. Since a super user can pretty much do what they want on the network,
including presumably getting into all customer accounts, perhaps this explains
how Lapsus$ was able to pull off some fantastic heists since December, as the Wired
article goes on to say:
Lapsus$ has been on a tear since it
emerged in December, stealing source code and other valuable data from
increasingly prominent companies, including Nvidia, Samsung, and Ubisoft, and
leaking it in apparent extortion attempts. But researchers had only found
broadly that the attackers seemed to be using phishing to
compromise their victims. It wasn't clear how a previously unknown and
seemingly amateur group had pulled off such monumental data heists. Now it
seems possible that some of those high-profile breaches stemmed from the
group's Okta compromise.
However, even last week, Okta was
trying to downplay what happened. The same Wired article says:
“In late January 2022, Okta
detected an attempt to compromise the account of a third-party customer support
engineer working for one of our subprocessors. The matter was investigated and
contained by the subprocessor,” Okta CEO Todd McKinnon said in a statement (presumably made on March 21).
“We believe the screenshots shared online are connected to this January event.
Based on our investigation to date, there is no evidence of ongoing malicious
activity beyond the activity detected in January.”
But Mr. McKinnon probably already regrets
that statement. Another great article appeared
in Wired yesterday. It shows that on March 17, Okta received a Mandiant
report on the Sitel breach, which made it clear the attackers had super user
access. Yet Okta sat on the report for four days, and only mentioned it when
Lapsus$ put up the screen shots showing the super user access the following
Monday.
Of course, this is a wonderful way
to treat your customers – don’t even let them know there’s a strong possibility
that some bad guys were able to access lots of accounts on their networks,
since they had access to every one of the usernames/passwords those customers had
entrusted to them. Of course, maybe they just forgot...
The bottom line of this story – at
the moment – is that:
·
Okta’s “subprocessor”,
Sitel, had terrible security, as revealed by the Mandiant report. Did Okta even
bother to verify their security? One guesses not.
·
Perhaps Okta didn’t
verify Sitel’s security because theirs wasn’t a lot better. After all, if a
help desk contractor somehow can obtain access to a super user account (which
obviously wasn’t protected by multifactor authentication. Was that too much to
ask, Okta?), that doesn’t indicate stellar security practices.
·
By Okta’s own
admission, up to 366 of their customers’ credentials might have been compromised.
In way of comparison, even though 18,000 SolarWinds customers downloaded the compromised
Orion updates, only 1-200 of them were actually attacked by the Russians.
·
This is a true
multi-level supply chain attack. Lapsus$ compromised Sitel, and from there compromised
Okta. Even with Okta’s poor security practices, it would probably have been
hard to compromise them with a direct frontal assault. Once in Sitel, Lapsus$
was then able to obtain the credentials it needed to compromise their customers.
So this is worse than SolarWinds, which was a single-level supply chain attack;
it’s more like Kaseya,
which was also a multilevel attack.
·
Okta should have paid
attention to SolarWinds’ response to their breach, which was to come out right
away with full information, broadcast for everyone to see (and a the time, they
got a lot of pushback from the FBI for doing that). Given the extent of damage
that the SolarWinds attack may have caused, it’s quite possible they would have
gone under, had they not taken that approach. Okta seems to have chosen a different
path regarding disclosure; it remains to be seen whether that will ultimately
be seen as a smart move or a disaster.
Once again, in hindsight it’s
clear that Okta really is a critical infrastructure provider, just like
SolarWinds is. They both need to be regulated
as such.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would
like to comment on what you have read here, I would love to hear from you.
Please email me at tom@tomalrich.com.