Lapsus$ hacker England
Authentication services provider Okta on Wednesday named Sitel as the third-party linked to a security incident experienced by the company in late January that allowed the LAPSUS$ extortion gang to remotely take over an internal account belonging to a customer support engineer.
The company added that 366 corporate customers, or about 2.5% of its customer base, may have been impacted by the “highly constrained” compromise.
The disclosure comes after LAPSUS$ posted screenshots of Okta’s apps and systems earlier this week, about two months after the hackers gained access to the company’s internal network over a five-day period between January 16 and 21, 2022 using the remote desktop protocol (RDP), until the MFA activity was detected and the account was suspended pending further investigation.
Although the company initially attempted to downplay the incident, the LAPSUS$ group called out the San Francisco-based company for what it alleged were lies, stating “I’m STILL unsure how it’s an [sic] unsuccessful attempt? Logged in to [sic] the SuperUser portal with the ability to reset the Password and MFA of ~95% of clients isn’t successful?”
Contrary to its name, SuperUser, Okta said, is used to perform basic management functions associated with its customer tenants and operates with the principle of least privilege (PoLP) in mind, granting support personnel access to only those resources that are pertinent to their roles.
Okta, which has faced criticism for its delay in notifying customers about the incident, noted that it shared indicators of compromise with Sitel on January 21; Sitel then engaged an unnamed forensic firm, which carried out the investigation and shared its findings on March 10, 2022.
According to a timeline of events shared by the company, “Okta received a summary report about the incident from Sitel” last week on March 17, 2022.
A 16-year-old behind LAPSUS$?
The security breaches of Okta and Microsoft are the latest in a rampage of infiltrations staged by the LAPSUS$ group, which has also hit high-profile victims like Impresa, NVIDIA, Samsung, Vodafone, and Ubisoft. It’s also known for publicizing its conquests on an active Telegram channel that has over 46,200 members.
Cybersecurity firm Check Point described LAPSUS$ as a “Portuguese hacking group from Brazil,” with Microsoft calling out its “unique blend of tradecraft” that involves targeting its victims with SIM swapping, unpatched server flaws, dark web reconnaissance, and phone-based phishing tactics.
But in an interesting twist, Bloomberg reported that “a 16-year-old living at his mother’s house near Oxford, England” might be the brains behind the operation, citing four researchers investigating the group. Another member of LAPSUS$ is suspected to be a teenager living in Brazil.