
Okta says security protocols limited hack, but response came too slow

Chief security officer David Bradbury said that ‘least privilege access’ protocols had contained the worst effects, but criticized a slow forensic report

Photo by Amelia Holowaty Krales / The Verge

After the disclosure of a hack affecting its authentication platform, Okta has maintained that the effects of the breach were mostly contained by security protocols and reiterated that users of the service do not need to take corrective action as a result.

The statements were made by David Bradbury, chief security officer at Okta, in a video call with customers and press Wednesday morning.

On Monday, hacking group Lapsus$ released images demonstrating that the group had compromised Okta’s internal systems, putting thousands of businesses that rely on the authentication tool on high alert.

“The sharing of these screenshots is an embarrassment for myself and the entire Okta team,” Bradbury said at the start of the call. “Today I want to provide my perspective on what has transpired, and where we are with this investigation.”

In the course of a ten-minute briefing, Bradbury said that the hackers had compromised Okta’s systems by gaining remote access to a machine belonging to an employee of Sitel — a company subcontracted to provide customer service functions for Okta. Using a remote desktop protocol, the hackers were able to input commands into the compromised machine and view the monitor output, enabling them to take screenshots, Bradbury said.

None of Okta’s systems were directly breached, the CSO said, but the Sitel support engineer’s machine was logged into Okta when it was compromised and remained so from the date of compromise on January 16th until the Okta security team became aware and suspended the account on January 21st.

However, because Okta applies least privilege access controls — under which a user is granted only the minimum set of permissions needed for their job — the hackers were limited to what a support engineer's account could do, leading Okta to state that no corrective action was needed from users of the service.
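To make the least privilege point concrete, here is an added illustration (not Okta's code, and not a description of Okta's actual permission model) of a deny-by-default authorization check. The role names, the permission strings, the 12-hour session lifetime and the sample actions are assumptions for the example; the five-day stale-session case mirrors the January 16th to 21st window described above, where a hijacked but still-valid session is the thing an attacker relies on.

```python
"""Deny-by-default, role-scoped authorization with a bounded session lifetime.

Added example; not Okta's code. Every role, permission, limit and subject
name below is a hypothetical value chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical role -> permission map. A support engineer receives only the
# actions the job needs; any action not listed for a role is denied.
ROLE_PERMISSIONS = {
    "support_engineer": frozenset({
        "user:read_profile",
        "user:reset_mfa",
        "user:reset_password",
    }),
    "org_admin": frozenset({
        "user:read_profile",
        "user:reset_mfa",
        "user:reset_password",
        "user:create",
        "user:delete",
        "policy:write",
        "app:assign",
    }),
}

MAX_SESSION_AGE = timedelta(hours=12)  # assumed maximum session lifetime


@dataclass
class Session:
    subject: str
    role: str
    issued_at: datetime


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, session, action, target, allowed, reason):
        self.entries.append({
            "subject": session.subject, "role": session.role,
            "action": action, "target": target,
            "allowed": allowed, "reason": reason,
        })


def authorize(session, action, target, now, audit):
    """Grant an action only if the session is still within its lifetime AND
    the action is explicitly listed for the session's role. Unknown roles and
    unlisted actions fall through to a denial (deny by default)."""
    if now - session.issued_at > MAX_SESSION_AGE:
        audit.record(session, action, target, False, "session expired")
        return False
    allowed = action in ROLE_PERMISSIONS.get(session.role, frozenset())
    audit.record(session, action, target, allowed,
                 "granted by role" if allowed else "not in role permissions")
    return allowed


def simulate_compromised_support_session():
    """Replay actions an attacker might try through a hijacked support
    session, first within the session lifetime and then five days later.
    Returns (same_day_results, stale_results, audit_log)."""
    audit = AuditLog()
    issued = datetime(2022, 1, 16, tzinfo=timezone.utc)  # constructed date
    session = Session("support-eng-01", "support_engineer", issued)
    target = "alice@example.com"  # constructed sample target
    attempted = ["user:read_profile", "user:reset_mfa",
                 "user:delete", "policy:write"]

    same_day = issued + timedelta(hours=2)
    fresh = {a: authorize(session, a, target, same_day, audit) for a in attempted}

    five_days_later = issued + timedelta(days=5)
    stale = {a: authorize(session, a, target, five_days_later, audit) for a in attempted}
    return fresh, stale, audit


if __name__ == "__main__":
    fresh, stale, audit = simulate_compromised_support_session()
    for entry in audit.entries:
        print(entry)
```

Two things to notice when running it: within the session lifetime the hijacked account can reset a user's MFA (a real risk worth monitoring), but cannot delete users or change policy, because those actions were never listed for the role; and once the session outlives the assumed limit, every action is refused regardless of role, which is the control that would have shortened the window described above.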

Details of the breach were compiled by a forensic investigation firm engaged shortly after the unauthorized access was discovered, but according to Bradbury the full report was not provided to Okta until hours before the call.

“I am greatly disappointed by the long period of time that transpired between our initial notification to Sitel in January, and the issuance of the complete investigation report just hours ago,” Bradbury said.

While impacts of the breach appear to be less severe than first feared, the Lapsus$ hacker group is emerging as a prolific and persistent threat, having mounted confirmed hacks against a number of large tech companies, and claimed responsibility for other incidents that have not yet been concretely attributed to the group.

On Tuesday – the same day that the Okta hack was confirmed – Lapsus$ also posted source code stolen from Microsoft’s Bing and Cortana products, obtained through compromise of an employee account.

Graphics card manufacturer Nvidia was also hacked by the group in late February, and had employee credentials leaked online. In a similar time frame, Lapsus$ claimed responsibility for a breach of South Korean tech giant Samsung in which source code for Galaxy devices was obtained, and also implied that the group was responsible for a “cyber security incident” affecting games developer Ubisoft.

Security professionals see the group as a sophisticated and versatile threat actor and are advising potential targets to proactively guard against methods of compromise.

“This group’s ‘all in’ approach to target its victims with ransom, SIM swapping, exploits, dark web reconnaissance, and reliable phishing tactics shows the focus and open toolbox used to accomplish its goals,” said Mark Ostrowski, head of engineering at Check Point Software. “Companies and organizations across the globe should focus on education of these tactics to their users, deploy prevention strategies in all aspects of their cyber security programs, and inventory all points of access looking for potential weaknesses.”