
Okta's outsourced provider of support services, Sitel (Sykes), has shared more information this week in response to leaked documents that detailed the incident response tasks Sitel carried out after the Lapsus$ hack.

The documents, leaked online by a researcher, fuelled the claim that Sitel kept its domain admin passwords, exported from LastPass, in an Excel spreadsheet. Sitel now disputes that claim.

Sitel: Excel spreadsheet had no passwords

On Monday, March 28th, infosec researcher Bill Demirkapi shared documents that he called the "Mandiant report," showing a detailed timeline of the Okta breach and the incident response activities conducted by Sitel (Sykes), Okta's third-party support provider.

"I have obtained copies of the Mandiant report detailing the embarrassing Sitel/SYKES breach timeline and the methodology of the LAPSUS$ group," tweeted the researcher.

Tweet contained documents showing timeline of Okta breach (Twitter) 

The documents suggested that the threat actors viewed an Excel spreadsheet, DomAdmins-LastPass.xlsx, which, as the name suggests, might have contained Sitel's domain admin credentials exported from LastPass.

When questioned about the authenticity of these documents at the time, neither Sitel nor Mandiant disputed the claim, according to infosec journalist Zack Whittaker.

Referring to the data breach timeline, Demirkapi commented that the hackers exploited a Windows privilege escalation zero-day, CVE-2021-34484, to elevate their access once inside.

In a statement released this week, however, Sitel addressed the "reported inaccuracies," namely the allegations that the spreadsheet contained passwords or that it was responsible for the security incident.

"This 'spreadsheet' identified in recent news articles simply listed account names from legacy Sykes but did not contain any passwords," explains Sitel, which had acquired business process outsourcing provider Sykes in August 2021.

"The only reference to passwords in the spreadsheet was the date in which passwords were changed per listed account; no passwords were included in this spreadsheet. Such information is inaccurate and misleading and [the spreadsheet] did not contribute to the incident."

Further, Sitel attributed the January breach to "legacy" infrastructure at Sykes, which it had only recently acquired.

On January 21st, Sitel "enlisted a highly experienced, cybersecurity leader to conduct an immediate and comprehensive forensic investigation of the matter," which also hints at Sitel's engagement with Mandiant.

Documents broke no NDA, says researcher

Shortly after sharing the "Mandiant report," Demirkapi briefly noted on Twitter that Zoom had terminated his employment.

According to the researcher, the documents were obtained independently and broke no NDAs (with Zoom).

Researcher had earlier tweeted about his termination from Zoom (BleepingComputer)

In a subsequent tweet, Demirkapi clarified that the documents were not "attorney-client privileged" either and that he broke no contracts in the process of sharing them.

But that still does not explain where the documents came from, who the source was, or whether they were obtained entirely legally.

BleepingComputer noted that, like many enterprises, both Sitel and Sykes are Zoom customers, and that Okta and Zoom also maintain a business relationship. It would therefore have been in Zoom's interest to avoid any appearance of a conflict of interest had one of those customers made an 'ask'.

Neither Zoom nor Demirkapi responded to BleepingComputer's multiple requests for comment sent out well in advance.

Recap: Okta-Lapsus$ breach

It all began around March 22nd when the Lapsus$ data extortion group posted several screenshots on Telegram, alleging it had breached Okta's customer networks.

Following the Telegram message, Okta began investigating these data breach claims.

Initially, Okta had dismissed the incident as a January "attempt" by hackers to compromise a third-party support engineer's account. However, it later became clear that 2.5% of Okta's customers, 366 to be exact, were indeed impacted by the incident.

Okta's two-month delay in publicly disclosing the data breach, along with inconsistencies in the wording of its disclosures, drew considerable backlash from the community. The company's stock price also lost a fifth of its value in less than a week.

Days after the development, the City of London Police arrested seven people linked to the Lapsus$ gang, which had leaked proprietary data from companies including Nvidia, Samsung, Microsoft, and most recently Okta.

While issuing an apology last week for its late disclosure of the breach, Okta partially blamed the delay on Sitel, but still admitted that it bore responsibility for its contracted third-party providers.

h/t Dodge This Security for the tip-off.
