Hacking of Microsoft and Okta


Microsoft has confirmed that the hacking group LAPSUS$ compromised an account with limited access, but has not said whether source code was exfiltrated.

“No customer codes or data were affected in the observed activities. Our investigation revealed that a single account that granted limited access was compromised. Our cybersecurity response teams acted quickly to clean up the compromised account and prevent further activity,” Microsoft said.

“Microsoft does not rely on code secrecy as a security measure, and source code visibility does not increase risk. Our team was already investigating the compromised account based on threat intelligence when the attacker publicly announced their intrusion. This public disclosure resulted in an escalation of our actions, allowing our team to intervene and disrupt the actor mid-operation to limit further impact.”

On Tuesday, LAPSUS$ released a torrent file claiming to contain the source code of Bing, Bing Maps and Cortana. “Bing Maps is 90% completely disposed. Bing and Cortana about 45%,” according to the group.

Microsoft confirmed the compromise in a blog post listing the group’s techniques. “Their tactics include phone-based social engineering: SIM swapping to facilitate account takeover, accessing personal email accounts of employees of the target companies, paying employees, suppliers, or business partners of the target companies for access to login credentials, and allowing multifactor authentication as well as penetrating their targets’ ongoing crisis communications conversations,” Microsoft said. “Tactics and targets suggest this is a cybercriminal actor intent on theft and destruction.”

The group, dubbed DEV-0537 by Microsoft, has been observed exploiting vulnerabilities in Confluence, JIRA and GitLab to escalate their privileges, calling help desks for password resets, stealing Active Directory databases and using NordVPN to make it appear that they are in a similar region to the targets.

“If successfully granted privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537 creates global admin accounts on the organization’s cloud instances, sets up an Office 365 tenant-level mail transport rule to send all mail in and out of the company to the newly created account, and then removes all other global admin accounts, leaving only the actor in sole control of the cloud resources, so that the company is effectively locked out of any access,” Microsoft said.
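A defender-side check for the takeover chain Microsoft describes above (a new global admin, a tenant-level mail rule sending all mail to an outside mailbox, then removal of every other global admin). This is an added example, not code from the article or from Microsoft; it runs over constructed, simplified audit records, and the field names are assumptions loosely modelled on Microsoft 365 unified audit log entries.

```python
ORG_DOMAIN = "corp.example"  # assumed tenant domain for the constructed sample

# Constructed, simplified audit records (assumption: field names loosely follow the
# Microsoft 365 unified audit log; they are not copied from any real tenant).
SAMPLE_LOG = [
    {"ts": "2022-03-20T01:02Z", "actor": "svc-helpdesk@corp.example", "op": "Add member to role.",
     "target": "intruder@corp.example", "role": "Global Administrator"},
    {"ts": "2022-03-20T01:05Z", "actor": "intruder@corp.example", "op": "New-TransportRule",
     "params": {"Name": "archive", "BlindCopyTo": ["drop@mail.external.example"]}},
    {"ts": "2022-03-20T01:07Z", "actor": "intruder@corp.example", "op": "Remove member from role.",
     "target": "cio@corp.example", "role": "Global Administrator"},
    {"ts": "2022-03-20T01:08Z", "actor": "intruder@corp.example", "op": "Remove member from role.",
     "target": "it-admin@corp.example", "role": "Global Administrator"},
]
INITIAL_GLOBAL_ADMINS = {"cio@corp.example", "it-admin@corp.example"}  # constructed baseline


def external_recipients(params, org_domain=ORG_DOMAIN):
    """Return mail-flow rule recipients that lie outside the tenant's own domain."""
    out = []
    for key in ("BlindCopyTo", "RedirectMessageTo", "CopyTo"):
        for addr in params.get(key, []):
            if not addr.lower().endswith("@" + org_domain):
                out.append(addr)
    return out


def detect_admin_takeover(records, admins=INITIAL_GLOBAL_ADMINS, org_domain=ORG_DOMAIN):
    """Walk the records in order and flag each step of the chain.

    Findings: new global admin, mail rule to an external recipient, global admin
    removal, and a final 'lockout' finding when only recently added admins remain.
    """
    admins = set(admins)
    added = set()
    findings = []
    for r in records:
        if r["op"] == "Add member to role." and r["role"] == "Global Administrator":
            admins.add(r["target"])
            added.add(r["target"])
            findings.append(("new_global_admin", r["target"]))
        elif r["op"] in ("New-TransportRule", "Set-TransportRule"):
            ext = external_recipients(r.get("params", {}), org_domain)
            if ext:
                findings.append(("external_mail_rule", r["params"].get("Name"), tuple(ext)))
        elif r["op"] == "Remove member from role." and r["role"] == "Global Administrator":
            admins.discard(r["target"])
            findings.append(("global_admin_removed", r["target"]))
    if admins and admins <= added:  # every surviving admin was created during this window
        findings.append(("lockout", tuple(sorted(admins))))
    return findings
```

Any single finding is worth a ticket; the full sequence ending in "lockout" is the pattern the quote describes and should page someone.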

“After exfiltration, DEV-0537 often wipes the target’s systems and resources. We have observed resources being wiped both on-premises (e.g. VMWare vSphere/ESX) and in the cloud to trigger the company’s incident and crisis response process.”

The group has also used internal intelligence services to understand how victims are reacting. “It is believed that this is how DEV-0537 gains insight into the victim’s state of mind and knowledge of the intrusion and finds a place to make extortion demands,” Microsoft said.

“In particular, DEV-0537 has been observed queuing in incident response at organizations responding to destructive actions. In some cases, DEV-0537 blackmailed the victims to prevent the stolen data from being released; in other cases no blackmail attempt was made and DEV-0537 made the stolen data public.”

The hacker group Lapsus$ does not hide; it even places “job advertisements” (Image: Microsoft)

Previously, LAPSUS$ also claimed to have carried out an attack on Okta. Okta then shared that the group had access to a support engineer’s laptop for a five-day period.

The group told Okta that the compromised device was a thin client and they had access to a superuser portal that allowed them to reset the password and multifactor authentication of 95% of the clients.

“For a company that supports zero trust, support engineers seem to have excessive access to Slack? 8.6k channels?” the group claimed. “The potential impact on Okta customers is NOT limited, I’m pretty sure password resets and MFA would result in a complete compromise of many customers’ systems.” The group called on Okta to hire a cybersecurity firm and to publish the report it has prepared. The group also claimed Okta stores AWS keys in Slack.

Okta says that a quick investigation of the shared screenshots, which appear to show a data breach, found them to relate to a “limited” security incident that occurred in January 2022. Okta, an identity and access management company, launched an investigation after the hacker group LAPSUS$ posted screenshots on Telegram, which the hackers say were taken after gaining access to “Okta.com superuser/admin and various other systems.” The images were shared this week via Telegram and various social networks.

“For a service that runs authentication systems for many of the largest companies (and is FEDRAMP certified), I find these security measures to be pretty flimsy […],” says LAPSUS$. “Before people start asking, we didn’t access or steal any databases from Okta – our focus was only on Okta customers.”

In an email Tuesday, Okta explained that the screenshots shared online “appear to be linked to a security event in late January. In late January 2022, Okta discovered an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter has been investigated and contained. We believe the screenshots shared online are related to this January incident.”

“Based on our investigation to date, there is no evidence of additional malicious activity beyond what was discovered in January,” Okta added.

The CEO of Cloudflare, Matthew Prince, joined the discussion in a tweet, commenting, “We are aware that Okta may have been compromised. There is no evidence that Cloudflare was compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta and would never consider it as a standalone option.”

Lapsus$ is a hacker group that has quickly made a name for itself, allegedly breaking into the systems of one high-profile company after another to steal information and threatening to release it online if extortion payments are not made. Recent breaches linked to the group include those at Samsung, Nvidia and Ubisoft.

A screenshot was shared on Sunday suggesting that an alleged Microsoft breach may have taken place, possibly via an Azure DevOps account, although the post has since been deleted. Microsoft is investigating the incident.

Based in San Francisco, Okta is a public company with thousands of customers, including numerous technology providers. The company counts FedEx, Moody’s, T-Mobile, JetBlue and ITV among its customers.

“Lapsus$ is known for extortion and threatens to release sensitive information if victims’ demands are not met,” commented Ekram Ahmed, spokesman for Check Point. “The group has boasted about breaking into Nvidia, Samsung, Ubisoft and other companies. How the group managed to penetrate these goals has never been entirely clear to the public. If true, Okta’s plunge could explain how Lapsus$ has been able to achieve its recent successes.”

Okta has provided more details on the cybersecurity incident. In an updated statement, the technology provider said, “The Okta service has not been breached and remains fully operational. There are no corrective actions to be taken by our customers.”

Okta also explained that during the January incident, the affected customer support engineer’s account was quickly suspended while an outside cyberforensics firm investigated the issue.

“We received a report from the forensics firm this week after the contractor’s investigation was complete,” Okta said. “The report showed that there was a five-day window between January 16 and January 21, 2022 in which an attacker had access to a support rep’s laptop.”

The company commented, “The potential impact on Okta customers is limited to support engineer access. These technicians cannot create or delete users, nor download customer databases. However, the reps have access to limited data – such as Jira tickets and user lists – shown in the screenshots. Support engineers can also facilitate password resets and multi-factor authentication for users, but are unable to obtain these passwords.”

Okta’s investigation is ongoing. The company added that there is no impact to Auth0, HIPAA, or FedRAMP customers.
