May 26, 2022

Lapsus$ hackers used compromised credentials to infiltrate the network of customer service giant Sitel in January, days before the group gained access to Okta's internal systems, according to documents seen by gaming-updates that provide new details about the intrusion.

Customers were unaware of Okta's January security breach until March 22, when the Lapsus$ hacking group released screenshots showing it had gained access to Okta's internal applications and systems approximately two months earlier. Okta acknowledged the compromise in a blog post and later confirmed that 366 of its corporate customers, or about 2.5% of its customer base, were affected by the hack.

The documents contain the most detailed account yet of the Sitel compromise, which later allowed the hackers to gain access to Okta's network.

Okta is used by thousands of organizations and governments around the world as a single sign-on provider, giving employees access to internal company systems such as email accounts, applications and databases.

The documents, obtained by independent security researcher Bill Demirkapi and shared with gaming-updates, include a Sitel customer communication sent on January 25, more than a week after the hackers first breached its network, and a detailed timeline of the Sitel intrusion dated March 17, compiled and provided by incident response company Mandiant.

According to the documents, Sitel traced the security incident to its VPN gateway on the legacy network of Sykes, an Okta-powered customer service company that Sitel acquired in 2021. VPNs, or virtual private networks, are frequent targets for attackers because they provide remote access into a company's network.

The timeline describes how the attackers used remote access services and publicly available hacking tools to compromise and move through Sitel's network, learning more about it over the five days Lapsus$ had access. Sitel said its Azure cloud infrastructure was also compromised.

According to the timeline, on January 21 the hackers accessed a spreadsheet called "DomAdmins-LastPass.xlsx" on Sitel's internal network. As the file name suggests, the spreadsheet contained passwords for domain administrator accounts that had been exported from a Sitel employee's LastPass password manager.

About five hours later, the hackers created a new Sykes user account and added it to a user group called "Tenant Administrators," which has broad access across the organization, likely creating a backdoor account on Sykes' network for the hackers to fall back on if their original access was later discovered and disabled. According to the Okta timeline, Lapsus$ hackers broke into Okta's network around the same time.

The timeline shows that the Sitel network was last accessed by the intruders on January 21 at 14:00 (UTC), approximately 14 hours after the hackers accessed the password spreadsheet. Sitel then initiated a company-wide password reset to flush out the intruders.
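The pattern in the timeline above, a freshly created account that is added to a highly privileged group within hours, is one that defenders can watch for in identity audit logs. The following is an added example and is not code from the article, from Sitel, Okta or Mandiant. The log line format, the event names, the privileged group list and the alerting window are all assumptions, and the sample audit lines are constructed for illustration.

```python
"""Added example: flag newly created accounts that gain privileged group
membership within a short window (a possible backdoor admin account).
Log format, event names, group names and the window are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample audit lines (not real Sitel or Okta logs). Assumed format:
# "<ISO-8601 UTC timestamp> <EVENT> actor=<user> target=<user> [group=<group name>]"
SAMPLE_LOG = """\
2022-01-21T02:05:00Z USER_CREATED actor=svc-helpdesk target=ops-tmp
2022-01-21T02:09:30Z GROUP_MEMBER_ADDED actor=svc-helpdesk target=ops-tmp group=Tenant Administrators
2022-01-21T03:00:00Z USER_CREATED actor=hr-onboard target=jdoe
2022-01-21T03:10:00Z GROUP_MEMBER_ADDED actor=hr-onboard target=jdoe group=Staff
2022-01-22T09:00:00Z GROUP_MEMBER_ADDED actor=it-admin target=jdoe group=Tenant Administrators
"""

# Assumed privileged groups; "Tenant Administrators" comes from the article.
PRIVILEGED_GROUPS = {"Tenant Administrators", "Domain Admins"}
# Assumed window: promotion to a privileged group this soon after creation is suspicious.
WINDOW = timedelta(hours=6)

# The group name may contain spaces, so it is matched greedily at the end of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) actor=(?P<actor>\S+) target=(?P<target>\S+)"
    r"(?: group=(?P<group>.+))?$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_backdoor_admins(log_text, privileged=PRIVILEGED_GROUPS, window=WINDOW):
    """Return alerts for accounts added to a privileged group within `window`
    of their creation. Lines are processed in order, as a SIEM rule would."""
    created = {}  # account -> (creation timestamp, creating actor)
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["event"] == "USER_CREATED":
            created[ev["target"]] = (ev["ts"], ev["actor"])
        elif ev["event"] == "GROUP_MEMBER_ADDED" and ev["group"] in privileged:
            if ev["target"] not in created:
                continue  # pre-existing account; a different rule would cover it
            created_ts, created_by = created[ev["target"]]
            age = ev["ts"] - created_ts
            if age <= window:
                alerts.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": created_by,
                    "added_by": ev["actor"],
                    "minutes_after_creation": age.total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_backdoor_admins(SAMPLE_LOG):
        print(alert)
```

In the constructed sample, only `ops-tmp` is flagged: it was created and promoted to "Tenant Administrators" within five minutes by the same actor, whereas `jdoe` reached the same group about 30 hours after creation through a normal-looking onboarding path. In practice the window, the group list and the list of actors allowed to perform both steps would be tuned to the environment's provisioning process.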

Okta has come under fire for failing to warn customers of the Sitel breach after receiving Mandiant's March 17 report. Okta security chief David Bradbury said the company "should have acted faster to understand the implications."

Okta did not respond to a request for comment before publication. Sitel and Mandiant did not dispute the contents of the report but declined to comment.

Okta is one of several major companies targeted by the Lapsus$ hacking and extortion group in recent months. Lapsus$ first appeared on the hacking scene in December, after a cyberattack on Brazil's health ministry in which 50 terabytes of citizens' data, including vaccination information, were stolen. Since then, the group has targeted several Portuguese-speaking companies as well as major tech companies including Samsung, Nvidia, Microsoft and Okta, boasting of its access and the data stolen from its victims in its Telegram channel, often making bizarre demands in exchange for not publishing the stolen files.

British police said last week they had arrested seven people aged 16 to 21 in connection with the incidents.


If you have more information about the hack, or you work at Okta or Sitel, you can contact us securely on Signal at +1 646-755-8849 or by email.
