Okta hack exposes a huge hole in tech giant’s security

by Julian Walling
March 23, 2022
in Innovation
A hack at a call center provider breached data at security company Okta, taking the cybersecurity world by storm this week. (Photo via Getty Images by Jakob Porzicki/Nurphoto)

In a pastel-colored office space northwest of the capital, San Jose, under the sunny skies of Costa Rica, employees tucked away in their cubicles answer calls and provide technical support for customers. They work for a little-known outsourcing firm called Sykes. Most people have never heard of the company, even though it is now part of the Sitel Group, one of the largest call center providers in the world. According to a LinkedIn profile, its employees have done contract work for instantly recognizable companies such as Amazon and Cisco, to name two.

Acting as a Sykes customer-support employee requires access to the data of the contracting company’s big-name customers. This access, it turns out, is very attractive to hackers. So it was in January, when a mysterious hacker collective named LAPSUS$ managed to seize an account belonging to a Costa Rica-based Sykes employee providing customer service to users of Okta, one of the largest providers of “single sign-on” software, which lets customers use a single password across multiple apps, requiring only a one-time code to log into the account. It is meant to offer tighter security. But as the Sykes hack showed, there are ways for cybercriminals to obtain Okta customers’ data without directly targeting Okta. With a compromised Sykes account, hackers managed to spy on 2.5% of Okta’s customers, some 365 in all, including $30 billion web-security provider Cloudflare. The hackers had the ability to reset passwords and siphon customer information.

Sykes confirmed to Forbes that “parts” of its network were hacked in January, but said it did not believe a serious breach had occurred and that the incident no longer posed a risk to its corporate customers (or to its clients’ customers). Okta later said that the breach lasted five days and allowed hackers to reset passwords and those one-time codes.

When asked if any other customers were affected by the January breach at Sykes, a Sitel spokesperson said, “We are unable to comment on our relationship with any specific brand or the nature of the services we provide to our customers.”

Okta’s chief security officer, David Bradbury, said in a webinar on Wednesday that he only received a full forensic report on Monday from Sitel, which had been warned about a possible breach in January. However, he acknowledged that Okta received a summary report about the hack last week, and that the company should have moved faster to act on those initial findings. The report revealed that a hacker had gained access to a Sitel technician’s computer via Remote Desktop Protocol (RDP), which provides access to a system remotely.

The hack showed how outsourcing tech support presents a risk to any company and its customers’ data. While a company can outsource its employee functions, it cannot outsource the risk and reputational damage when things go awry at the contractor. And that is a factor the LAPSUS$ crew, who often demand payment from victims to prevent data leaks, is seriously exploiting.

Cybercriminals have long targeted low-wage tech-support workers who “have access to state keys,” said Allison Nixon, chief research officer at cyber-investigation firm Unit 221B.

Nixon said that by focusing on Okta, LAPSUS$ managed to misdirect everyone from the initial breach at Sykes. “It’s like a magic trick. All eyes are on Okta, but right in front of you, the magician is doing something that’s even more interesting… and that’s LAPSUS$ targeting Sitel and third-party call centers.” The hackers did this to avoid giving the game away, concealing that they were going after a call center, she said.

Yet it is by taking advantage of this vulnerability that LAPSUS$ is able to break into top-tier companies and gain levels of access that an advanced government hacking group “would dominate,” Nixon said.

Even the big tech companies know this. LAPSUS$ previously claimed to have stolen data from Microsoft, Samsung, Nvidia and other major tech companies. On Tuesday, Microsoft confirmed that it was the victim of a LAPSUS$ attack, in which one of its company accounts was hacked and used to steal the company’s source code. This came days after LAPSUS$ claimed to have leaked some Bing, Bing Maps and Cortana source code. Microsoft did not say whether the compromised account belonged to an internal employee or a contractor, but in a blog post analyzing the activities of the LAPSUS$ crew on Tuesday, Microsoft said, “Instances were found where the group recruited employees (or employees of their suppliers or business partners).” This pointed to an advertisement in which LAPSUS$ offered to purchase company passwords. Microsoft, which also pointed out other methods by which LAPSUS$ breached organizations, such as password-stealing malware and logins purchased from criminal forums, did not respond to requests for comment on how the initial breach occurred.

César Cerrudo, chief research officer at cybersecurity company Strike, said companies often don’t do enough due diligence to verify the security of third-party providers. “Sometimes you are just asked to sign a checkbox, that you [are legally] compliant and you do security and penetration testing or whatever,” Cerrudo said. “But it’s just a checkbox on a form on a contract.”

Raj Samani, chief scientist at security company Rapid7, said the Okta and Sykes breaches should serve as a clear call to businesses to ensure they are investigating who has access to their networks. “We have to start considering organizations, what are we doing to track our incident-response workflow, what are we doing to analyze our Slack channels,” he said. The same applies to checking the identity of everyone on a group call, where a fraudster may be present. He said that a “Zero Trust” model should be adopted.
