en.wikipedia.org/wiki/Lapsus$
2 corrections found
through the compromised account of a third-party customer support engineer.
Okta says the attempted compromise of the support engineer’s Okta account was unsuccessful. The attacker instead remotely controlled the engineer’s workstation via RDP.
Full reasoning
Okta’s official write-ups say the attacker did not get in by successfully compromising the support engineer’s Okta account.
According to Okta:
- the January 20 attempt to add a new factor to the Sitel engineer’s Okta account was unsuccessful because the target did not accept the MFA challenge;
- Okta later determined the attacker had remote desktop (RDP) access to the Sitel engineer’s computer;
- Okta’s final forensic summary says the threat actor controlled a single workstation and was unable to authenticate directly to any Okta accounts.
That means the article’s description of access occurring through the compromised account is inaccurate. Okta says the account takeover attempt failed, and the attacker instead operated from a compromised workstation that already had access to Okta resources.
2 sources
- Okta's Investigation of the January 2022 Compromise | Okta
Although that individual attempt was unsuccessful ... Our investigation determined that the screenshots ... were taken from a Sitel support engineer's computer upon which an attacker had obtained remote access using RDP.
- Okta Concludes its Investigation Into the January 2022 Compromise | Okta
The threat actor actively controlled a single workstation ... The threat actor was unable to authenticate directly to any Okta accounts.
On 15 September 2022, Uber announced that it had been breached by Lapsus$.
Uber announced a cybersecurity incident on September 15, 2022, but its attribution to Lapsus$ came later in a September 16 update. The article combines two separate updates into one claim.
Full reasoning
Uber’s own newsroom timeline separates the initial incident announcement from the later attribution to Lapsus$.
- At 6:25pm PT on September 15, 2022, Uber said only: “We are currently responding to a cybersecurity incident.”
- In a later update dated September 16, 2022, Uber said: “We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$.”
So the article’s wording is inaccurate because it says Uber announced on September 15 that the company had been breached by Lapsus$. Uber’s own record shows the incident announcement happened on September 15, while the Lapsus$ attribution appeared in a later update on September 16.
2 sources
- Security update | Uber Newsroom
September 15, 6:25pm PT: We are currently responding to a cybersecurity incident.
- Security update | Uber Newsroom
September 16, 2022 ... We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$.