Post Credit: Austin Miller
How LAPSUS$ Breached Okta (and Why You Should Test Your Own Capabilities)
If you have been following the Okta and LAPSUS$ cases, you will have noticed that every day seems to bring a new development. That is certainly true for Bill Demirkapi, who analysed the leaked Mandiant report on the Sitel breach. The young cybersecurity researcher has come under fire in the past few days for exposing those secrets to the public, which led to him losing his job at Zoom. Here is how LAPSUS$ breached Okta.
In the interest of continued accuracy, and to provide a cautionary tale about script kiddies and the damage they can cause, the SecPro has chosen to analyse the tactics, techniques, and procedures (TTPs) used by the hacking group. Because the attack needed so few resources, penetration testing your own systems with the same tools could unearth some interesting (or terrifying!) results.
Understanding the attack – who was on the supply chain?
Despite Okta taking the brunt of the media criticism this week, it is actually a third-party company that deserves inspection: Sitel/Sykes, which provides customer support engineers to Okta.
Okta’s reputation may take some rebuilding, but it is a popular identity management company and I believe its technical response was good. What we should all take from this is to ask how well we know our supply chains, and whether a third party should be subject to greater control or vetting before onboarding.
The tools you need
If you plan to use this article as a “how to” for running a penetration test on your own systems, here are the tools that the now-infamous LAPSUS$ used:
- Bing search (yes, really)
- Process Explorer
- Process Hacker
- Mimikatz
That’s it. As you’ll notice, the tools are all out-of-the-box programs that are publicly available, largely on GitHub. Here is where the real concern appears for cybersecurity professionals: if highly paid, certificate-laden blue teams can’t defend an organisation against what are essentially script kiddies, what does that say about their capabilities?
Rather than turning this into a lecture for the Sitel/SYKES team, we should treat it as an opportunity to run penetration tests on our own systems. Many professionals will assume that their defences would stand up to these cookie-cutter attacks, but do you know for certain?
Exploring the attack
Using Mandiant’s leaked report (which you can access via Bill Demirkapi’s Twitter), we can explore exactly what the teenagers behind the Okta breach were up to before being exposed. All images are taken from Bill Demirkapi’s Twitter.
1. Gain access to the system
Generally considered the hard part of any attack, the LAPSUS$ team gained access to a Sitel system via leaked logon credentials captured in a screenshot. The first malicious logon was noted at 00:33:23 on 16 January 2022. From that point, the threat actors did nothing for three days.
2. Download your tools
Here is where it gets really surprising: at this point the adversary accessed the internet from the compromised system (!), using Bing to search for “Privilege escalation tools on GitHub”. Let’s be clear: these hackers didn’t use a novel tool or sneak it onto the system. They literally downloaded the tools from GitHub to the local computer.
Using UserProfileSvcEop[.]exe, LAPSUS$ escalated privileges and created a new account to establish a foothold.
3. Use known exploits to escalate privileges, move laterally, and establish a foothold
Having used the Remote Desktop Protocol (RDP) to log on to another system, LAPSUS$ achieved lateral movement across the network. They then used Bing again to search for Process Explorer and Process Hacker, both of which were later executed.
At this point, the FireEye Endpoint Agent was terminated.
LAPSUS$ switched back to Bing and searched for Mimikatz, the popular credential-capture tool. After moving laterally through the network and reinstalling Process Hacker and Mimikatz, a Sitel/Sykes account was compromised and its first malicious logon occurred at 23:02:41 on 20 January 2022.
4. Bingo – find how LAPSUS$ breached Okta
An hour later, the compromised account accessed sensitive internal files, including DomAdmins-LastPass.xlsx, through SecureLink. The first compromised account was added to the TenantAdmins group, and a malicious email rule was set up to BCC-forward all mail to the compromised accounts.
At this point, LAPSUS$ had gained everything it could using off-the-shelf tools. The last known malicious logon was at 14:11:38 on 21 January 2022.
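The four steps above map onto a handful of detections a blue team can test against. The following is an added example (not from the article or from Mandiant’s report): a small Python pass over constructed sample telemetry that flags execution of the named tools, a new account created right after the privilege escalation exploit ran, the endpoint agent being stopped, a privileged-group addition, and a mail forwarding rule. The event shape, the `xagt` service name for the FireEye agent, and the ten-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not Sitel/Okta logs): simplified Windows Security,
# Sysmon and mailbox-audit style records, in time order, mirroring the steps above.
EVENTS = [
    {"ts": "2022-01-16T00:33:23", "host": "WS1", "type": "logon", "user": "jdoe"},
    {"ts": "2022-01-19T10:02:11", "host": "WS1", "type": "process",
     "image": r"C:\Users\jdoe\Downloads\UserProfileSvcEop.exe"},
    {"ts": "2022-01-19T10:02:40", "host": "WS1", "type": "user_created", "target": "svc_tmp"},
    {"ts": "2022-01-19T11:15:02", "host": "WS2", "type": "process",
     "image": r"C:\Tools\ProcessHacker.exe"},
    {"ts": "2022-01-19T11:16:30", "host": "WS2", "type": "service_stopped", "service": "xagt"},
    {"ts": "2022-01-19T11:20:00", "host": "WS2", "type": "process",
     "image": r"C:\Tools\mimikatz.exe"},
    {"ts": "2022-01-21T00:05:19", "host": "M365", "type": "group_add",
     "group": "TenantAdmins", "target": "jdoe"},
    {"ts": "2022-01-21T00:07:44", "host": "M365", "type": "inbox_rule",
     "action": "BlindCopyTo", "to": "svc_tmp@example.test"},
]

# Lower-cased image basenames of the off-the-shelf tools named in the report.
TOOL_IMAGES = {"userprofilesvceop.exe": "UserProfileSvcEop (local privilege escalation)",
               "processhacker.exe": "Process Hacker", "procexp.exe": "Process Explorer",
               "procexp64.exe": "Process Explorer", "mimikatz.exe": "Mimikatz"}
LPE_TOOLS = {"userprofilesvceop.exe"}
EDR_SERVICES = {"xagt"}                  # assumed service name of the FireEye Endpoint Agent
PRIVILEGED_GROUPS = {"tenantadmins", "domain admins"}
FORWARDING_ACTIONS = {"BlindCopyTo", "ForwardTo", "RedirectTo"}
FOOTHOLD_WINDOW = timedelta(minutes=10)  # a new account this soon after an LPE run is suspect

def detect(events):
    """Return (ts, host, rule, detail) alerts for the TTPs seen in the Sitel intrusion."""
    alerts, last_lpe = [], {}   # last_lpe: host -> when an LPE exploit last ran there
    for e in events:
        ts, host, kind = datetime.fromisoformat(e["ts"]), e["host"], e["type"]
        image = e.get("image", "").rsplit("\\", 1)[-1].lower()   # basename of the process
        if kind == "process" and image in TOOL_IMAGES:
            alerts.append((e["ts"], host, "tool_execution", TOOL_IMAGES[image]))
            if image in LPE_TOOLS:
                last_lpe[host] = ts
        elif kind == "user_created" and host in last_lpe and ts - last_lpe[host] <= FOOTHOLD_WINDOW:
            alerts.append((e["ts"], host, "account_after_lpe", e["target"]))
        elif kind == "service_stopped" and e["service"].lower() in EDR_SERVICES:
            alerts.append((e["ts"], host, "edr_stopped", e["service"]))
        elif kind == "group_add" and e["group"].lower() in PRIVILEGED_GROUPS:
            alerts.append((e["ts"], host, "privileged_group_add", f'{e["target"]} -> {e["group"]}'))
        elif kind == "inbox_rule" and e["action"] in FORWARDING_ACTIONS:
            alerts.append((e["ts"], host, "mail_forwarding_rule", f'{e["action"]} {e["to"]}'))
    return alerts
```

Running `detect(EVENTS)` yields seven alerts, one per step the report describes; the initial logon itself produces none, which is exactly why the three-day dwell time went unnoticed.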
Pentesting your own network
For professional pentesters, this is likely a walk in the park. But if you run this test on your own systems, you may get some shocking results. Learning which off-the-shelf tools can circumvent your security measures may come as an unpleasant surprise, but it would be far less pleasant if an adversary discovered that first!