On Tuesday, Microsoft confirmed that the extortion-focused LAPSUS$ hacking group had gained “limited access” to its systems. The authentication services provider Okta also confirmed that approximately 2.5 percent of its customers may have been affected by the incident.
According to Microsoft’s Threat Intelligence Center (MSTIC), the intrusion was carried out through a single compromised account, which was subsequently remediated to prevent further malicious activity. The Windows maker, which had been tracking the group under the codename DEV-0537 before the public disclosure, stated that it “does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”
Okta, which detected the breach through the account of a customer support engineer working for a third-party supplier, disclosed that the attackers had access to the engineer’s laptop over a five-day window between January 16 and 21, but said the Okta service itself was not compromised. The San Francisco-based cloud software company also stated that it has identified the impacted customers and is contacting them individually, emphasizing that the “Okta service is fully operational, and there are no corrective actions our customers need to take.”
“In the case of the Okta compromise, it would not suffice to just change a user’s password,” Cloudflare, a web infrastructure provider, said in a post-mortem of the event. “The attacker would also need to change the hardware (FIDO) token configured for the same user. As a result, it would be easy to spot compromised accounts based on the associated hardware keys.”
However, the concern is that Okta delayed officially disclosing the breach for two months, prompting the cybercriminal gang to ask in its rebuttal statement, “Why wait this long?” In its reply, LAPSUS$ claims that Okta was storing Amazon Web Services (AWS) keys within Slack and that support engineers appear to have “excessive access” to the communication portal. The gang further said that the impact on Okta customers is not limited, and that it is confident the ability to reset passwords and MFA would result in the complete compromise of many clients’ systems.
In recent months, LAPSUS$ has been on a hacking rampage, attacking a slew of organizations, including Impresa, Brazil’s Ministry of Health, Mercado Libre, Embratel, NVIDIA, Claro, Vodafone, Samsung, and Ubisoft. The financially motivated group’s strategy has been simple: break into a target’s network, take sensitive data, then blackmail the victim organization into paying up by posting portions of the stolen material on its Telegram channel.
According to Microsoft, LAPSUS$ is a group that uses a “pure extortion and destruction model without deploying ransomware payloads” and “doesn’t seem to cover its tracks.” To gain a foothold, LAPSUS$ has been seen using the RedLine Stealer, which is sold on underground forums, to collect passwords and session tokens, as well as buying credentials and access tokens from dark web marketplaces and scanning public code repositories for exposed credentials.
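Two of the claims above share a root cause: AWS keys pasted into Slack and credentials committed to public repositories are the same kind of exposure, and the same check finds both. The following scanner is an added example written for this article, not tooling from Okta, Microsoft, Cloudflare or LAPSUS$. The Slack export and the settings file it scans are constructed, and the key values are AWS’s own documented placeholder credentials (AKIAIOSFODNN7EXAMPLE and friends), so nothing in it is live.

```python
"""Scan chat exports and source files for exposed AWS long-term credentials.

Added illustration for this article; the inputs below are constructed and the
credential values are AWS's published example keys, not real ones.
"""
import re
from dataclasses import dataclass

# An AWS access key ID is 20 characters: a 4-letter prefix (AKIA for IAM user
# keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
# \b keeps the pattern from firing inside longer tokens such as "NAKIA...".
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 base64-alphabet characters. On its own that looks
# like any random token (a Git SHA is 40 chars too), so require a nearby label
# such as AWS_SECRET_ACCESS_KEY, aws_secret or secret_key before the value.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|aws_?secret|secret_?key)"
    r"\s*[:=]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    source: str   # file name or export name the hit came from
    line: int     # 1-based line number within that source
    kind: str     # "access_key_id" or "secret_access_key"
    value: str    # full value, kept so the key can be revoked and de-duplicated

    @property
    def masked(self) -> str:
        """Safe form for tickets and chat: first and last four characters only."""
        return self.value[:4] + "..." + self.value[-4:]


def scan_text(text: str, source: str) -> list[Finding]:
    """Return every access key ID and labelled secret found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(source, lineno, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(source, lineno, "secret_access_key", m.group(1)))
    return findings


def unique_key_ids(findings: list[Finding]) -> list[str]:
    """Distinct access key IDs across all sources: the list to revoke in IAM."""
    return sorted({f.value for f in findings if f.kind == "access_key_id"})


def complete_pairs(findings: list[Finding], window: int = 3) -> set[tuple[str, str]]:
    """(access key ID, secret) pairs found within `window` lines of each other in
    the same source. A complete pair is directly usable by whoever read the
    channel or cloned the repo, so it is the finding to act on first."""
    ids = [f for f in findings if f.kind == "access_key_id"]
    secrets = [f for f in findings if f.kind == "secret_access_key"]
    return {
        (a.value, s.value)
        for a in ids
        for s in secrets
        if a.source == s.source and abs(a.line - s.line) <= window
    }


# Constructed Slack export: a credential pair pasted into a channel, followed by
# an unrelated 40-character Git SHA that must not be reported.
SLACK_EXPORT = """\
[2022-01-16 09:14] alice: creds for the staging deploy, please don't share
[2022-01-16 09:14] alice: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[2022-01-16 09:15] alice: AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[2022-01-16 09:20] bob: merged as 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12, thanks
"""

# Constructed settings file of the kind that ends up in a public repository.
SETTINGS_PY = """\
# settings.py committed to a public repo
S3_BUCKET = "acme-staging-assets"
AWS_ACCESS_KEY_ID = "AKIAI44QH8DHBEXAMPLE"
AWS_SECRET_ACCESS_KEY = "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY"
"""


if __name__ == "__main__":
    found = scan_text(SLACK_EXPORT, "slack-export.txt") + scan_text(SETTINGS_PY, "settings.py")
    for f in found:
        print(f"{f.source}:{f.line} {f.kind} {f.masked}")
    print("key IDs to revoke:", unique_key_ids(found))
    print("directly usable pairs:", len(complete_pairs(found)))
```

Run against a full Slack export directory or a cloned repository by feeding each file to `scan_text`; the masked form is what goes into the incident ticket, while `unique_key_ids` is the list handed to whoever revokes keys in IAM.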
After initial access, the group exploits unpatched vulnerabilities in internally accessible Confluence, JIRA, and GitLab servers to escalate privileges before exfiltrating pertinent data and destroying the target’s systems and resources. To mitigate such intrusions, Microsoft advises organizations to mandate multi-factor authentication (but not SMS-based, since SMS codes are exposed to SIM swapping and phishing), use modern authentication options such as OAuth or SAML, review individual sign-ins for signs of unusual activity, and monitor incident response communications for unauthorized attendees.
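Cloudflare’s observation (a compromised account has to have its hardware key swapped out) and Microsoft’s advice to review individual sign-ins combine into one concrete detection: a sign-in that follows an MFA reset performed by someone other than the account owner, especially from an address the user has never used or with a weaker factor than before. The detector below is an added example for this article, not Okta’s or Cloudflare’s code. The events are constructed; their field names and event-type strings (`user.mfa.factor.reset_all`, `user.mfa.factor.activate`, `user.session.start`) follow Okta System Log naming but are assumed here rather than taken from a real export, and the factor names and strength ranking are simplifications.

```python
"""Flag sign-ins that follow an administrator- or support-initiated MFA reset.

Added example for this article. Events are constructed; event-type strings and
field names are assumed to resemble Okta's System Log, not copied from one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event types treated as a factor reset. Only resets where the actor is not the
# target user are interesting: a support engineer (or an attacker using a support
# engineer's access) resetting someone else's MFA is the pattern to watch.
RESET_TYPES = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}

# Rough strength ranking (assumed). A drop from webauthn to sms right after a reset
# is exactly the hardware-key swap Cloudflare's post-mortem describes.
FACTOR_STRENGTH = {"webauthn": 3, "totp": 2, "push": 2, "sms": 1, "none": 0}


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_post_reset_signins(events: list[dict], window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return one alert per admin-initiated reset that is followed by a sign-in
    within `window`. `reasons` adds the extra signals an analyst would want:
    an IP never seen on that user's earlier sign-ins, or a weaker factor."""
    known_ips = defaultdict(set)   # user -> IPs seen on earlier sign-ins
    last_factor = {}               # user -> factor used on the most recent sign-in
    pending_reset = {}             # user -> (time, actor) of an unresolved admin reset
    alerts = []

    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        t, user = parse_time(ev["time"]), ev["target"]

        if ev["type"] in RESET_TYPES and ev["actor"] != user:
            pending_reset[user] = (t, ev["actor"])
            continue
        if ev["type"] != "user.session.start":
            continue  # enrollment and other events only matter via the sign-in that follows

        reset = pending_reset.get(user)
        if reset and t - reset[0] <= window:
            reasons = []
            if ev["ip"] not in known_ips[user]:
                reasons.append("new_ip")
            previous = FACTOR_STRENGTH.get(last_factor.get(user, "none"), 0)
            if FACTOR_STRENGTH.get(ev["factor"], 0) < previous:
                reasons.append("factor_downgrade")
            alerts.append({
                "user": user,
                "reset_at": reset[0].isoformat(),
                "reset_by": reset[1],
                "signin_at": t.isoformat(),
                "ip": ev["ip"],
                "factor": ev["factor"],
                "reasons": reasons,
            })
            pending_reset.pop(user)  # one alert per reset; later sign-ins build the baseline

        # Every sign-in, flagged or not, extends what we know about the user.
        known_ips[user].add(ev["ip"])
        last_factor[user] = ev["factor"]

    return alerts


# Constructed events. alice: support engineer resets her factors, a weaker factor
# is enrolled and used from an unfamiliar IP. bob: re-enrolls his own key with no
# admin reset. carol: helpdesk reset, but she signs in from her usual IP with her
# usual factor, so the alert carries no extra reasons and needs a human look.
EVENTS = [
    {"time": "2022-01-16T08:02:00Z", "type": "user.session.start", "actor": "alice@example.com",
     "target": "alice@example.com", "ip": "203.0.113.10", "factor": "webauthn"},
    {"time": "2022-01-16T21:40:00Z", "type": "user.mfa.factor.reset_all", "actor": "support-eng@vendor.example",
     "target": "alice@example.com", "ip": "198.51.100.7"},
    {"time": "2022-01-16T21:44:00Z", "type": "user.mfa.factor.activate", "actor": "alice@example.com",
     "target": "alice@example.com", "ip": "198.51.100.7", "factor": "sms"},
    {"time": "2022-01-16T21:46:00Z", "type": "user.session.start", "actor": "alice@example.com",
     "target": "alice@example.com", "ip": "198.51.100.7", "factor": "sms"},
    {"time": "2022-01-17T09:00:00Z", "type": "user.mfa.factor.activate", "actor": "bob@example.com",
     "target": "bob@example.com", "ip": "203.0.113.22", "factor": "webauthn"},
    {"time": "2022-01-17T09:03:00Z", "type": "user.session.start", "actor": "bob@example.com",
     "target": "bob@example.com", "ip": "203.0.113.22", "factor": "webauthn"},
    {"time": "2022-01-15T10:00:00Z", "type": "user.session.start", "actor": "carol@example.com",
     "target": "carol@example.com", "ip": "203.0.113.30", "factor": "webauthn"},
    {"time": "2022-01-18T10:00:00Z", "type": "user.mfa.factor.reset_all", "actor": "helpdesk@example.com",
     "target": "carol@example.com", "ip": "203.0.113.2"},
    {"time": "2022-01-18T10:10:00Z", "type": "user.session.start", "actor": "carol@example.com",
     "target": "carol@example.com", "ip": "203.0.113.30", "factor": "webauthn"},
]


if __name__ == "__main__":
    for a in find_post_reset_signins(EVENTS):
        print(f"{a['user']}: reset by {a['reset_by']} at {a['reset_at']}, "
              f"sign-in {a['signin_at']} from {a['ip']} via {a['factor']} {a['reasons']}")
```

The baseline of known IPs is built only from sign-ins before the reset, so the check is order-sensitive by design: it will not learn the attacker’s address as “known” from the very sign-in it is meant to flag. In production the reset actor would additionally be compared against the list of support or vendor identities that are permitted to perform resets at all.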