New documents for the Okta breach: I have obtained copies of the Mandiant report detailing the embarrassing Sitel/SYKES breach timeline and the methodology of the LAPSUS$ group. 1/N
We can see how LAPSUS$ originally began investigating their compromised host on January 19th, 2022. With little regard for OPSEC, LAPSUS$ searched for a CVE-2021-34484 bypass on their compromised host and downloaded the pre-built version from GitHub. 2/N
LAPSUS$ used off-the-shelf tooling from GitHub for the majority of their attacks. After downloading Process Explorer and Process Hacker, LAPSUS$ bypassed the FireEye endpoint agent by simply terminating it! 3/N
With the endpoint agent disabled, LAPSUS$ simply downloaded the official version of Mimikatz (a popular credential dumping utility) directly from its repository. 4/N
LAPSUS$ was able to create backdoor users in Sitel's environment after retrieving an Excel document conspicuously titled "DomAdmins-LastPass.xlsx" 🤦‍♂️. 5/N
LAPSUS$ finished off their attack by creating a malicious "email transport rule" to forward all mail within Sitel's environment to their own accounts. 6/N docs.microsoft.com/en-us/exchange…
My questions for Okta: You knew that the machine of one of your customer support members was compromised back in January. Why didn't you investigate it? Having the capability to detect an attack is useless if you aren't willing to respond. 7/N
Even when Okta received the Mandiant report in March explicitly detailing the attack, they continued to ignore the obvious signs that their environment was breached until LAPSUS$ shined a spotlight on their inaction. 8/N
For the Sitel Group: Why weren't your customers immediately informed upon the first sign of compromise? Why did your customers have to wait two months to even hear that you were breached? 9/N
Sitel Group serves many more customers than Okta. Oftentimes, for support staff to perform their jobs, they need Administrative privileges into their customer's environment. The attack highlights the increased risk of outsourcing access to your org's internal environment. 10/N
Good questions to ask include: Who knows how your sub-processors handle their own security? As we saw in this case, Sitel didn't take the security of their environment very seriously. What can an attacker do if one of your sub-processors becomes compromised? 11/N
Would like to clarify some misconceptions I've seen. No, this data is not attorney-client privileged. None of what I shared is from my organization and it was obtained entirely independently. I did not break any NDA/contract. 13/N
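The transport-rule forwarding in tweet 6 is the kind of mailbox persistence that a check over the Exchange admin audit log can surface. The block below is an added example written for this page, not code from the thread, from Mandiant, or from any of the organizations named. It assumes audit records exported as JSON in roughly the shape of Exchange Online admin-audit entries (an Operation field, a UserId field, and Parameters as a list of Name/Value pairs with semicolon-separated multi-value strings); the records, the domain names and the INTERNAL_DOMAINS set are all constructed for the example.

```python
import json
from typing import Iterable

# Constructed list of domains that count as "inside" the organization.
INTERNAL_DOMAINS = {"corp.example"}

# New-/Set-TransportRule parameters that deliver a copy of, or redirect, the
# message to another mailbox. An external address in any of these is a
# forwarding path out of the tenant.
FORWARDING_PARAMS = {"BlindCopyTo", "CopyTo", "RedirectMessageTo", "AddToRecipients"}

# Deliberately partial set of predicate parameters. A New-TransportRule call
# that carries none of these creates a rule that applies to every message.
PREDICATE_PARAMS = {
    "From", "SentTo", "FromScope", "SentToScope", "FromMemberOf", "SentToMemberOf",
    "SubjectContainsWords", "SubjectOrBodyContainsWords", "AttachmentContainsWords",
}

# Constructed audit records (assumed format, not real log data).
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"Operation": "New-TransportRule", "UserId": "admin@corp.example",
                "Parameters": [{"Name": "Name", "Value": "Legal disclaimer"},
                               {"Name": "ApplyHtmlDisclaimerText", "Value": "Confidential"}]}),
    json.dumps({"Operation": "New-TransportRule", "UserId": "compliance@corp.example",
                "Parameters": [{"Name": "Name", "Value": "Journal HR"},
                               {"Name": "SentToMemberOf", "Value": "hr@corp.example"},
                               {"Name": "BlindCopyTo", "Value": "archive@corp.example"}]}),
    json.dumps({"Operation": "New-TransportRule", "UserId": "support-admin@corp.example",
                "Parameters": [{"Name": "Name", "Value": "Mail backup"},
                               {"Name": "BlindCopyTo",
                                "Value": "backup@corp.example;collector@attacker.example"}]}),
    json.dumps({"Operation": "Set-TransportRule", "UserId": "support-admin@corp.example",
                "Parameters": [{"Name": "Identity", "Value": "Journal HR"},
                               {"Name": "RedirectMessageTo", "Value": "drop@attacker.example"}]}),
    json.dumps({"Operation": "Remove-TransportRule", "UserId": "admin@corp.example",
                "Parameters": [{"Name": "Identity", "Value": "Legal disclaimer"}]}),
]


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def find_exfil_rules(records: Iterable[str], internal_domains: Iterable[str]) -> list:
    """Flag transport-rule changes that copy or redirect mail to external addresses.

    Returns one finding per suspicious record with the rule name, the actor,
    the external recipients, and whether the rule matches all mail. That last
    flag is only knowable for New-TransportRule: a Set-TransportRule record does
    not carry the predicates the existing rule already has, so it is left None.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for raw in records:
        rec = json.loads(raw)
        op = rec.get("Operation")
        if op not in ("New-TransportRule", "Set-TransportRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        external = sorted({
            addr.strip()
            for name in FORWARDING_PARAMS & params.keys()
            for addr in params[name].split(";")
            if addr.strip() and _domain(addr.strip()) not in internal
        })
        if not external:
            continue
        matches_all = None
        if op == "New-TransportRule":
            matches_all = not (PREDICATE_PARAMS & params.keys())
        findings.append({
            "rule": params.get("Name") or params.get("Identity") or "<unnamed>",
            "operation": op,
            "actor": rec.get("UserId", "<unknown>"),
            "external_recipients": external,
            "matches_all_mail": matches_all,
        })
    return findings


if __name__ == "__main__":
    for finding in find_exfil_rules(SAMPLE_AUDIT_RECORDS, INTERNAL_DOMAINS):
        print(finding)
```

The check keys on where mail is sent rather than on who made the change, so an external BCC added by a legitimately privileged support account, as in the Sitel case, is still flagged. A rule that forwards only to internal mailboxes is ignored; a rule with no predicates is reported as matching all mail, which is the "forward everything" pattern the thread describes.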