The chief security officer (CSO) of authentication vendor Okta has revealed more details of an incident that may have allowed hackers to steal sensitive data from customers.
In a blog post yesterday, David Bradbury said that the support engineer whose laptop was hijacked for five days by the Lapsus group was working for contractor Sitel.
Although the device was owned and managed by the firm, the threat actors managed to obtain remote access to it via RDP, he explained.
“The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard,” he added.
“So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session.”
Lapsus shared screenshots of the machine’s desktop last weekend, apparently revealing wide-ranging access to Okta’s internal systems. Bradbury admitted that this was “embarrassing for myself and the whole Okta team” and said the firm should have acted quicker once it received a report on the incident from Sitel last week.
However, he played down the significance of the “superuser” access the hackers were able to gain.
“The majority of support engineering tasks are performed using an internally-built application called SuperUser or SU for short, which is used to perform basic management functions of Okta customer tenants,” Bradbury explained.
“This does not provide ‘god-like access’ to all its users. This is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles. They are unable to create or delete users. They cannot download customer databases. They cannot access our source code repositories.”
That makes less likely a theory that Lapsus had been able to use the Okta access to exfiltrate and leak data on victims, including Microsoft, Nvidia, Vodafone and Samsung recently.
A Microsoft blog published this week suggested that insider access at these organizations may have been the initial threat vector.
Bradbury repeated that 2.5% of Okta customers were impacted by the incident, amounting to 366 businesses.