Microsoft on Tuesday confirmed that the LAPSUS$ extortion-focused hacking crew had gained “limited access” to its systems, as authentication services provider Okta revealed that approximately 2.5% of its customers may have been impacted in the wake of the breach.
“No customer code nor data were involved in the observed activity,” the Microsoft Threat Intelligence Center said, adding that the access was obtained through a compromised account, which has since been remediated to prevent further malicious activity.
The Windows maker, which was already tracking the group under the moniker DEV-0537 prior to the public disclosure, said it “does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”
“This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” the company’s security teams noted.
Identity and access management company Okta, which acknowledged that the breach occurred through the account of a customer support engineer working for a third-party provider, said the attackers had access to the engineer’s laptop during a five-day window between January 16 and 21, but that the service itself was not compromised.
The San Francisco-based cloud software firm also said it has identified the affected customers and is contacting them directly, stressing that the Okta service is fully operational and that customers need not take any corrective action.
“In the case of the Okta compromise, it would not suffice to just change a user’s password,” web infrastructure company Cloudflare said in a post-mortem analysis of the incident. “The attacker would also need to change the hardware (FIDO) token configured for the same user. It would also make it easy to identify compromised accounts using the hardware keys.”
Concerningly, however, Okta did not publicly disclose the breach for at least two months, prompting the cybercriminal group to ask “Why have you waited this long?” in its counter-statement.
LAPSUS$ also claimed that Okta had Amazon Web Services keys stored within Slack, and that support personnel seem to have “excessive” access to the communication platform. “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients’ systems,” the gang elaborated.
Microsoft Exposes the Tactics of LAPSUS$
LAPSUS$, which first emerged in July 2021, has been on a hacking spree in recent months, targeting a wealth of companies over the intervening period, including Impresa, Brazil’s Ministry of Health, Claro, Embratel, NVIDIA, Samsung, Mercado Libre, Vodafone, and most recently Ubisoft.
The financially motivated group’s modus operandi is straightforward: break into the target company’s network, steal sensitive data, and then blackmail the victim by publishing snippets of it on Telegram.
Microsoft described LAPSUS$ as a group that follows a “pure extortion and destruction model without deploying ransomware payloads” and that “doesn’t seem to cover its tracks.”
The crew has also used other tactics, including phone-based social-engineering schemes such as SIM-swapping for account takeovers, accessing employees’ personal email accounts, and bribing staff, suppliers or business partners of target companies to obtain access.
LAPSUS$ has also been observed deploying the RedLine Stealer that’s available for sale on underground forums to obtain passwords and session tokens, in addition to buying credentials and access tokens from dark web marketplaces as well as searching public code repositories for exposed credentials, to gain an initial foothold.
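The “exposed credentials in public code repositories” foothold described above is cheap to hunt for on your own side. The following is an added example, not code from the article or from Microsoft or Okta: a minimal scanner that flags AWS access key IDs by their documented `AKIA`/`ASIA` prefix and flags assignments to secret-looking names whose value has high Shannon entropy, while skipping low-entropy placeholders. The sample configuration text, the 3.5-bit threshold and the name keywords are constructed assumptions for the demonstration.

```python
import math
import re

# AWS access key IDs are "AKIA" (long-term) or "ASIA" (temporary) followed by
# 16 upper-case alphanumerics. The wrapping \b keeps us from matching inside
# longer tokens.
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A value assigned to a secret-looking name: keyword list is an assumption,
# value must be at least 16 chars of base64/url-safe alphabet.
ASSIGNMENT_RE = re.compile(
    r"(?i)(secret|token|password|passwd|key)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Randomly generated secrets score well
    above English words or repeated placeholders."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.5) -> list:
    """Scan a blob of text line by line and return findings as dicts with the
    line number, the kind of secret and the matched value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(
                {"line": lineno, "kind": "aws_access_key_id", "value": m.group(1)}
            )
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            # Entropy gate: "changemechangeme" is a placeholder, not a secret.
            if shannon_entropy(value) >= min_entropy:
                findings.append(
                    {"line": lineno, "kind": "high_entropy_secret", "value": value}
                )
    return findings


# Constructed sample: a settings file committed by mistake. The key pair is
# the one AWS uses in its own documentation, so it is not a live credential.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "changemechangeme"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```

Run the same function over `git log -p` output or a Slack export to catch the “AWS keys stored within Slack” scenario LAPSUS$ claimed; the entropy gate is what keeps the noise down once you point it at real repositories.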
“The objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion,” the company said. “Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”
Following initial access, the group is known to exploit unpatched vulnerabilities in internally accessible Confluence, JIRA and GitLab servers for privilege escalation, before exfiltrating relevant information and deleting the target’s systems and resources.
To mitigate such incidents, Microsoft recommends that organizations mandate multi-factor authentication (but not SMS-based MFA, which is susceptible to the SIM-swapping the group relies on), leverage modern authentication options such as OAuth or SAML, review individual sign-ins for signs of anomalous activity, and monitor incident response communications for unauthorized attendees.
“Based on observed activity, this group understands the interconnected nature of identities and trust relationships in modern technology ecosystems. It targets companies that provide telecommunications and IT services and support, leveraging the access obtained at one company to reach its partner or supplier organizations.”
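Cloudflare’s observation above (the attacker needs both a new password and a new MFA factor on the victim, which makes compromised accounts easy to spot) and Microsoft’s advice to review individual sign-ins translate directly into a detection. The following is an added example, not code from the article, Cloudflare, Microsoft or Okta: it triages Okta System Log records and raises an alert for any user whose password and MFA factors were both reset by someone other than the user within a short window, which is the signature of a support-desk account takeover. The event records are constructed for the demonstration; the event type names and field layout follow the Okta System Log format as the author understands it, and the 24-hour window and example domains are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Okta System Log event types for the two changes an attacker with support
# access has to make: replace the password AND clear the MFA factors.
PASSWORD_EVENTS = {"user.account.reset_password", "user.account.update_password"}
MFA_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}


def parse_ts(s: str) -> datetime:
    """Okta publishes timestamps as ISO-8601 UTC with millisecond precision."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def triage(events, window=timedelta(hours=24)) -> list:
    """Return one alert per target user whose password and MFA factors were
    both reset by a different actor (admin/support) within `window`."""
    by_user = defaultdict(list)  # user -> [(time, eventType, actor, ip)]
    for ev in events:
        et = ev["eventType"]
        if et not in PASSWORD_EVENTS and et not in MFA_EVENTS:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts are worth logging, but not an ATO
        actor = ev["actor"]["alternateId"]
        for tgt in ev.get("target", []):
            if tgt.get("type") != "User":
                continue
            user = tgt["alternateId"]
            if user == actor:
                continue  # self-service change, not a support-desk action
            by_user[user].append(
                (parse_ts(ev["published"]), et, actor, ev["client"]["ipAddress"])
            )

    alerts = []
    for user, items in by_user.items():
        pw = [it for it in items if it[1] in PASSWORD_EVENTS]
        mfa = [it for it in items if it[1] in MFA_EVENTS]
        for p in pw:
            hits = [m for m in mfa if abs(m[0] - p[0]) <= window]
            if hits:
                alerts.append({
                    "user": user,
                    "actors": sorted({p[2]} | {h[2] for h in hits}),
                    "events": [p[1]] + [h[1] for h in hits],
                    "source_ips": sorted({p[3]} | {h[3] for h in hits}),
                    "first_seen": min([p[0]] + [h[0] for h in hits]).isoformat(),
                })
                break  # one alert per user is enough for the analyst
    return alerts


def _ev(published, event_type, actor, target, result="SUCCESS", ip="203.0.113.10"):
    """Helper to build a constructed Okta-style System Log record."""
    return {
        "published": published,
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"type": "User", "alternateId": actor},
        "target": [{"type": "User", "alternateId": target}],
        "client": {"ipAddress": ip},
    }


# Constructed sample log: a support engineer at a third-party provider resets
# alice's password and MFA two minutes apart (alert), touches only bob's
# password (no alert), carol changes her own password (ignored) and an MFA
# reset on dave fails (ignored).
SUPPORT = "support@partner.example"
SAMPLE_EVENTS = [
    _ev("2022-01-20T10:00:00.000Z", "user.account.reset_password", SUPPORT, "alice@corp.example"),
    _ev("2022-01-20T10:02:00.000Z", "user.mfa.factor.reset_all", SUPPORT, "alice@corp.example"),
    _ev("2022-01-20T11:00:00.000Z", "user.account.reset_password", SUPPORT, "bob@corp.example"),
    _ev("2022-01-20T11:30:00.000Z", "user.account.update_password", "carol@corp.example", "carol@corp.example"),
    _ev("2022-01-20T12:00:00.000Z", "user.mfa.factor.reset_all", SUPPORT, "dave@corp.example", result="FAILURE"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a)
```

In a real deployment the records come from the `/api/v1/logs` endpoint filtered to these event types; the two things worth tuning are the window (an attacker with an open support session works fast, so hours rather than days) and an allow-list of known helpdesk accounts, so that a legitimate reset still shows up but ranks lower.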
LAPSUS$ appears to have gone on vacation in the aftermath of the leaks. “A few of our members has [sic] a vacation until 30/3/2022. We may be silent [sic],” the group stated on Telegram.