Oh man, if this is what it looks like (Okta got popped)… Blue Teams everywhere are gonna be crazy busy.

LAPSUS looks to be in everything of Okta’s. JIRA, Slack, etc. But some of the screenshots seem to show Super User access capable of modifying/accessing customer accounts. 😬😬 This is gonna be a ride. 🔥

I was wondering why LAPSUS would burn such awesome access before getting themselves into all the customer networks. And then @Laughing_Mantis noticed the date in one of the screen shots… 🌚🔥

Yep. LAPSUS is claiming to have been in Okta for 2 months. How many customer networks do you suppose they have been in as a result? What percent haven’t detected anything so far?

If you are still waiting and hoping this ends up being fake, I have some bad news for you... it's not. If you were wondering how LAPSUS was getting access to so much stuff recently, this is probably how. I am betting they just lost access, so they posted their historical access.

Based on screenshots, this was an outsourced contractor (working at SYKES) who was working for Okta. Probably a call center employee. Contractors are a common "soft" pathway for most companies.

Account Management Tools are notoriously over provisioned basically everywhere. And that seems to be the case here. It’s disappointing that Okta wasn’t one of the few companies above the curve… but the next 24hrs are what matters. Okta will either be transparent, or they won’t.

If they aren’t transparent first thing tomorrow morning, this will hurt their customers. Let’s hope @okta doesn’t have a garbage legal team who forces them to deny as much as possible and drag things out.

Wondering what to do while you wait? Check Okta logs for elevated privilege account activity. Think about how you could use this situation to spotlight similar risk in your own org’s security design. This looks to match an ongoing pattern with account management tooling.

Ex: How many employees can access customer data? Modify it? Can they do it even when there is no active customer ticket? Do customers get notified for EVERY account interaction by an employee? Etc.. AMTs will continue to create news stories because of the prolific bad design.

Got a few reqs to ELI5 the Okta situation: Okta is a SSO (single sign on). As an attacker, I want to get into an employee’s SSO account because it gives me their email, chat, prod systems, etc. LOTS But Okta Employee access? I can get into all SSO accounts for all companies!
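A concrete version of the "check Okta logs for elevated privilege account activity" and "can they do it even when there is no active customer ticket?" points above, as an added example that is not part of the original thread. It parses records in the shape of Okta System Log API events, flags privileged event types, and marks those whose target user has no open support ticket. The event types listed are real Okta System Log names, but which ones count as privileged is an assumption for this example; the log lines, user names and the `OPEN_TICKETS` set are constructed sample data.

```python
import json
from collections import Counter

# Okta System Log eventType values treated as privileged / high-risk here.
# These are real Okta event names, but which ones you care about is an
# assumption for this example; tune the set for your own tenant.
PRIVILEGED_EVENTS = {
    "user.session.impersonation.initiate",  # admin acting as another user
    "user.account.privilege.grant",         # admin role handed out
    "user.account.reset_password",          # password reset on a user
    "user.mfa.factor.reset_all",            # all MFA factors wiped
    "user.mfa.factor.deactivate",           # one MFA factor removed
}

# Constructed sample events (one JSON object per line) in the shape of
# records returned by the Okta System Log API. Not real data.
SAMPLE_LOG = """\
{"published": "2022-01-16T09:12:01.000Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": []}
{"published": "2022-01-16T09:40:22.000Z", "eventType": "user.session.impersonation.initiate", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "support1@example.com"}, "target": [{"type": "User", "alternateId": "bob@customer.example"}]}
{"published": "2022-01-16T23:05:10.000Z", "eventType": "user.mfa.factor.reset_all", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "support1@example.com"}, "target": [{"type": "User", "alternateId": "carol@customer.example"}]}
{"published": "2022-01-17T02:17:45.000Z", "eventType": "user.account.reset_password", "outcome": {"result": "FAILURE"}, "actor": {"type": "User", "alternateId": "support2@example.com"}, "target": [{"type": "User", "alternateId": "dave@customer.example"}]}
{"published": "2022-01-17T03:00:00.000Z", "eventType": "user.account.privilege.grant", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "admin@example.com"}, "target": [{"type": "User", "alternateId": "support2@example.com"}]}
"""

# Constructed: users who currently have an open support ticket. In practice
# this would be pulled from your ticketing system.
OPEN_TICKETS = {"bob@customer.example"}


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_privileged_events(events, open_tickets):
    """Return one finding per privileged event: who did what to whom, and
    whether the target user had an open ticket that could justify it."""
    findings = []
    for ev in events:
        if ev.get("eventType") not in PRIVILEGED_EVENTS:
            continue
        targets = [t.get("alternateId") for t in ev.get("target", [])
                   if t.get("type") == "User"]
        for target in targets or [None]:
            findings.append({
                "when": ev["published"],
                "actor": ev["actor"]["alternateId"],
                "event": ev["eventType"],
                "target": target,
                "outcome": ev.get("outcome", {}).get("result"),
                "has_ticket": target in open_tickets,
            })
    return findings


def count_by_actor(findings):
    """Count privileged actions per actor. An over-provisioned account
    management tool shows up here as many distinct actors doing these."""
    return dict(Counter(f["actor"] for f in findings))


def without_ticket(findings):
    """Privileged actions against users who have no open ticket."""
    return [f for f in findings if not f["has_ticket"]]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    findings = find_privileged_events(events, OPEN_TICKETS)
    for f in findings:
        flag = "" if f["has_ticket"] else "  <-- no open ticket"
        print(f"{f['when']} {f['actor']} {f['event']} -> {f['target']} [{f['outcome']}]{flag}")
    print("per actor:", count_by_actor(findings))
```

Failed attempts are kept in the findings on purpose: a failed password reset by a support account at 02:17 is still something a reviewer wants to see. The per-actor count answers the "how many employees can modify customer data?" question empirically, from what actually happened rather than from what the role matrix says.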
