Okta says the LAPSUS$ gang hack may have affected 2.5% of its corporate customers, or 366 customers.
In a more detailed report released on Tuesday, Okta said the hack involved LAPSUS$ remotely compromising a computer belonging to a customer support engineer contracted out from a third-party outsourcing firm called Sitel.
Access was achieved through Microsoft’s Remote Desktop Protocol; the computer itself was owned by Sitel. “The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard,” said Okta Chief Security Officer David Bradbury.
It’s not clear how the LAPSUS$ group gained remote access. But despite the hack, Okta said the customer support engineer’s computer had only limited access to customer accounts.
“The majority of support engineering tasks are performed using an internally built application called SuperUser or SU for short, which is used to perform basic management functions of Okta customer tenants. This does not provide ‘god-like access’ to all its users,” Bradbury said.
“This is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles,” he added. “They are unable to create or delete users. They cannot download customer databases. They cannot access our source code repositories.”
That least-privilege design is also why Okta believes the hack failed to breach the company itself or customer accounts. Nevertheless, the LAPSUS$ gang did have a five-day window, between Jan. 16-21, to access the compromised computer. During this time, the hackers also had access to systems at Sitel, which offers services to over
Read more on pcmag.com