Wednesday, March 30, 2022

Is the Okta supply chain attack worse than SolarWinds? The response sure was…

I admit that I didn’t pay a lot of attention when the Okta hack was first announced. On March 23, the Washington Post said:

In a detailed blog post (in January, when the attack was discovered), (David) Bradbury (Okta CSO) said Okta identified a potential security compromise in January. After an investigation, it found that a hacker had obtained remote access to a contractor’s computer. The hacker appears to have had access for five days.

“So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the (remote desktop protocol) session,” Bradbury wrote.

Customer service contractors cannot download customer databases or access source code, he wrote.

Not too bad, right? A help desk contractor’s machine was compromised while it was remotely logged into Okta’s network. But a help desk contractor would presumably just have access to a trouble ticketing system and maybe some support documentation – and the CSO himself says that customer service contractors can’t access customer databases. No harm, no foul?

That would be a reasonable conclusion to draw, even though Okta isn’t your run-of-the-mill, say, chicken processor. They provide third-party identity and access management services to thousands of companies. Obviously, a company like that holds the “keys to the kingdom” to their customers’ networks, just like SolarWinds did (and still does). A real breach might allow the attackers to penetrate lots of other customers. The SolarWinds attackers (aka the Russian government, who showed great competence in that cyberattack. However, it turns out those are the only types of attacks they’re good at, which is good news for the rest of the world, but not such good news for my Uncle Vlad)

But in January, Okta said there hadn’t been any adverse consequences other than somebody being able to see screens that a run-of-the-mill help desk contractor would see. The world moved on (if it had even paused in the first place).

That is, until March 21, when, according to a great article in Wired,

ON MONDAY EVENING, the Lapsus$ digital extortion gang published a series of increasingly shocking posts in its Telegram channel. First, the group dumped what it claims is extensive source code from Microsoft's Bing search engine, Bing Maps, and Cortana virtual assistant software. A potential breach of an organization as big and security-conscious as Microsoft would be significant in itself, but the group followed the post with something even more alarming: screenshots apparently taken on January 21 that seem to show Lapsus$ in control of an Okta administrative or “super user” account.

So now it seems this was a little more than a compromise of some single-shingle help desk contractor somewhere, where the prize was just some screenshots. This was a compromise of Okta itself, which included access to a super user account; and the compromise started with Sitel, a large company that provides customer support services to other organizations. Since a super user can pretty much do what they want on the network, including presumably getting into all customer accounts, perhaps this explains how Lapsus$ was able to pull off some fantastic heists since December, as the Wired article goes on to say:

Lapsus$ has been on a tear since it emerged in December, stealing source code and other valuable data from increasingly prominent companies, including Nvidia, Samsung, and Ubisoft, and leaking it in apparent extortion attempts. But researchers had only found broadly that the attackers seemed to be using phishing to compromise their victims. It wasn't clear how a previously unknown and seemingly amateur group had pulled off such monumental data heists. Now it seems possible that some of those high-profile breaches stemmed from the group's Okta compromise.

However, even last week, Okta was trying to downplay what happened. The same Wired article says:

“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” Okta CEO Todd McKinnon said in a statement (presumably made on March 21). “We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

But Mr. McKinnon probably already regrets that statement. Another great article appeared in Wired yesterday. It shows that on March 17, Okta received a Mandiant report on the Sitel breach, which made it clear the attackers had super user access. Yet Okta sat on the report for four days, and only mentioned it when Lapsus$ put up the screenshots showing the super user access the following Monday.

Of course, this is a wonderful way to treat your customers – don’t even let them know there’s a strong possibility that some bad guys were able to access lots of accounts on their networks, since they had access to every one of the usernames/passwords those customers had entrusted to them. Of course, maybe they just forgot...

The bottom line of this story – at the moment – is that:

· Okta’s “subprocessor”, Sitel, had terrible security, as revealed by the Mandiant report. Did Okta even bother to verify their security? One guesses not.

· Perhaps Okta didn’t verify Sitel’s security because theirs wasn’t a lot better. After all, if a help desk contractor somehow can obtain access to a super user account (which obviously wasn’t protected by multifactor authentication. Was that too much to ask, Okta?), that doesn’t indicate stellar security practices.

· By Okta’s own admission, up to 366 of their customers’ credentials might have been compromised. By way of comparison, even though 18,000 SolarWinds customers downloaded the compromised Orion updates, only 1-200 of them were actually attacked by the Russians.

· This is a true multi-level supply chain attack. Lapsus$ compromised Sitel, and from there compromised Okta. Even with Okta’s poor security practices, it would probably have been hard to compromise them with a direct frontal assault. Once in Sitel, Lapsus$ was then able to obtain the credentials it needed to compromise Okta’s customers. So this is worse than SolarWinds, which was a single-level supply chain attack; it’s more like Kaseya, which was also a multi-level attack.

· Okta should have paid attention to SolarWinds’ response to their breach, which was to come out right away with full information, broadcast for everyone to see (and at the time, they got a lot of pushback from the FBI for doing that). Given the extent of damage that the SolarWinds attack may have caused, it’s quite possible they would have gone under, had they not taken that approach. Okta seems to have chosen a different path regarding disclosure; it remains to be seen whether that will ultimately be seen as a smart move or a disaster.

Once again, in hindsight it’s clear that Okta really is a critical infrastructure provider, just like SolarWinds is. They both need to be regulated as such.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
