Credential theft
Okta / Critical Start / Hunters Security
Primary Source
Incident Details
Lapsus$ accessed Okta's network via a compromised Sitel/Sykes contractor support workstation, starting Jan 16 2022. The attacker moved laterally over RDP, accessed DomAdmins-LastPass.xlsx via Office 365, and used Mimikatz and Sysinternals tools. This gave potential access to 366 Okta customers. Okta's public disclosure was delayed ~2 months, until Lapsus$ posted screenshots on March 22 2022. Impacted customers included Cloudflare and Twilio.
Technical Details
- Initial Attack Vector
- CWE-1391: Use of Weak Credentials (third-party support contractor workstation compromise via RDP + credential harvesting)
- Vendor / Product
- Okta Identity Platform
- Malware Family
- Mimikatz
Timeline
- 2022-01-16 Breach occurred
- 2022-03-22 Publicly disclosed
- 2022-03-22 Customers notified