An independent security researcher has shared a detailed timeline of the events that transpired as the notorious LAPSUS$ extortion gang broke into a third-party provider linked to the cyber incident at Okta in late January 2022.
In a set of screenshots posted on Twitter, Bill Demirkapi published a two-page “intrusion timeline” allegedly prepared by Mandiant, the cybersecurity firm hired by Sitel to investigate the security breach. Sitel, through its acquisition of Sykes Enterprises in September 2021, is the third-party service provider that provides customer support on behalf of Okta.
The authentication services provider revealed last week that on January 20, it was alerted to a new factor being added to a Sitel customer support engineer's Okta account, an attempt that it said was unsuccessful and blocked.
The incident only came to light two months later after LAPSUS$ posted screenshots on their Telegram channel as evidence of the breach on March 22.
The incident, which gave the threat actor access to nearly 366 Okta customers, occurred over a five-day window between January 16 and 21, during which the hackers carried out different phases of the attack, including privilege escalation after gaining an initial foothold, maintaining persistence, lateral movement, and internal reconnaissance of the network.

Read more: https://bit.ly/3x1Fkiv