Cyber extortion group Lapsus$ is on a roll, this time claiming to have compromised global technology giant Microsoft. And if that wasn’t enough, the threat actors are also claiming the compromise of one of the biggest identity management companies, Okta.
The malicious group seems to have surprised the tech community by going after some of the biggest names in the industry in recent weeks, including NVIDIA, Samsung, Ubisoft, Vodafone, Mercado Libre and others.
Initially considered a ransomware group because it demands a ransom (financial or otherwise) for infiltrating systems and stealing data, Lapsus$ doesn’t, in fact, deploy ransomware. Instead, it reportedly relies on stolen credentials/cookies purchased from dark web portals frequented by cybercriminals.
These tactics, techniques, and procedures (TTPs) haven’t been confirmed, but Lapsus$ may well be the same group that used them to hack and leak the source code of EA’s FIFA 21 back in June 2021.
Infosec professionals are nonetheless bewildered by Lapsus$’s extortion operations, which do not follow the pattern of any conventional criminal group. For instance, Marcus Hutchins, aka MalwareTech, the security researcher known for discovering the kill switch that halted the widespread WannaCry ransomware attack in 2017, tweeted the following:
“There’s no group that confuses me as much as LAPSUS. They appear to be kids but are claiming responsibility for hacking top tier companies like Nvidia, Microsoft, and Okta. IDK how a group can be that competent and incompetent at the same time. I want it to be a PsyOp so bad.”
One of the reasons Hutchins and others are puzzled is because Lapsus$ was boasting of gaining access to Microsoft’s internal DevOps environment a couple of days ago, even as the source code was being exfiltrated, as noted by Bill Demirkapi, a security engineer at Zoom. Demirkapi was also the first to identify the Microsoft breach by Lapsus$.
The LAPSUS$ ransomware group appear to be incredibly inexperienced with OPSEC. They posted their message boasting about access to Microsoft’s internal DevOps environment *while still exfiltrating source code*. We can tell by looking at the timestamp of the files in their leak. 🤦‍♂️ pic.twitter.com/AryXJS12A1
— Bill Demirkapi (@BillDemirkapi) March 22, 2022
“LAPSUS$ is at it again. This group really worries me - they seem unprofessional but very competent,” wrote Dave Maasland, CEO at ESET Nederland. “The thing I worry about the most is the potential supply chain attacks these kinds of groups could potentially cause.”
Microsoft Leak by Lapsus$
Lapsus$ has reportedly stolen highly sensitive information from an internal Azure DevOps server. The stolen data includes source code for the search engine Bing (‘Bing-Source’) as well as its user experience (‘Bing_UX’), the virtual smart assistant for Windows, Cortana (‘Cortana’), and others such as mscomdev and msblox.
Normally you wouldn’t give cred to a snapshot but Lapsus has breached:
Credible so far and rep is at stake. @msftsecurity @Microsoft #cybersecurity #infosec #Lapsus pic.twitter.com/1QSQh4i22C
— Dominic Alvieri (@AlvieriD) March 20, 2022
Lapsus$ initially posted a screenshot on their Telegram channel of these repositories stored in an Azure account but later deleted it and said: “Deleted for now will repost later.”
Microsoft Source Code Leak Screenshot by Lapsus$ | Source: Telegram
The total size of the leak is unconfirmed, though BleepingComputer was told it amounted to 37 GB. By comparison, NVIDIA lost 19 GB of data, while Samsung was robbed of 190 GB of internal data.
Lapsus$ hasn’t made any demands of Microsoft so far. However, if the past is any indication (the group demanded that NVIDIA open-source its GPU drivers and disable its crypto mining limiters), the hackers may issue similar demands of Microsoft.
If the screen grabs are indeed legitimate, other threat actors may want a piece of the spoils stolen by Lapsus$, so that they can scrutinize the source code of these globally used products for exploitable vulnerabilities.
Okta Breach by Lapsus$
The breach at Okta is troubling, considering the company’s products and services are designed to keep the bad guys out. Okta is one of the largest single sign-on (SSO) vendors, providing secure network and application access to organizations worldwide. Okta’s SSO services allow users to reach multiple apps and networks from a single login.
Another troubling fact is that Lapsus$ claims to have had access to Okta systems since January 2022, a claim acknowledged by Okta CSO David Bradbury today. “In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our sub-processors,” Bradbury wrote.
“We believe the screenshots shared online are connected to this January event.” Earlier today, Lapsus$ posted screenshots of what appeared to be Okta customer data accessed by the threat group with ‘superuser/admin’ privileges.
This is our 3rd attempt at sharing the 5th–8th photo. LAPSUS$ displayed a lot of sensitive information and/or user information, so much so that we ended up missing some when censoring.
Photos 5–8 attached below. pic.twitter.com/KGlI3TlCqT
— vx-underground (@vxunderground) March 22, 2022
Okta’s customer base is extensive and spread across multiple industries. So, when Lapsus$ said in its Telegram channel that its focus was “only on Okta customers,” alarm bells rang in cybersecurity circles. Experts now worry that a massive supply chain attack is imminent.
Shane Curran, CEO at Evervault, told Toolbox, “Okta currently has hundreds of millions of users and is preparing to scale users rapidly. If confirmed, this breach could wreak havoc on businesses worldwide that rely on the service to keep them safe and could prove to be a nightmare scenario for Okta and its customers.
“It highlights that no matter how secure a company is, it’s still possible for determined hackers to bypass its defenses. This is why organizations need to secure their data, not just their networks. They must understand the strength of their encryption and whether they’re inadvertently storing information in a way that makes it easy for hackers to access sensitive information, not just about themselves but their partners and customers.”
Lesley Carhart, the director of ICS Cybersecurity Incident Response at Dragos, noted it might be a ploy to scare infosec professionals. She said, “Rational brain says this was a logical supply chain compromise, but Galaxy Brain says the ultimate goal of this intrusion was to scare infosec professionals on Twitter off from implementing MFA.”
Nevertheless, Cloudflare has already initiated credential resets for employees who changed their Okta passwords in the last four months. The potential impact could be far more pervasive than this.
1. Share the information internally.
2. Collect and retain related logs.
3. Hunt logs for bad.
4. Rotate Okta privileged passwords.
5. Move on unless Okta reaches out to you that you are involved. Adjust DFIR to their context.
That’s about all you can do right now.
— Frank McGovern (@FrankMcG) March 22, 2022
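Steps 2 through 4 of the checklist above (collect logs, hunt them, rotate privileged passwords) and Cloudflare’s four-month rotation criterion can be turned into a small, repeatable hunt over Okta System Log exports. The script below is an added example written for this article; it is not code from the article, from Okta, from Cloudflare or from anyone quoted here. It assumes the Okta System Log JSON layout (eventType, published, actor.alternateId, client.ipAddress, outcome.result) and the event type names user.mfa.factor.activate and user.account.update_password; the log records it runs on are constructed, as is the allow-list of expected source addresses.

```python
"""Hunt Okta System Log exports for the two signals the incident turned on:
an attempt to enrol a new MFA factor on a support account, and the set of
users whose passwords changed inside the window a compromised support
console could have acted on.

Added example; assumed Okta field names and event types, constructed data.
"""
import json
from datetime import datetime, timedelta

# Constructed sample of Okta System Log records, one JSON object per line.
SAMPLE_LOG = r"""
{"eventType": "user.mfa.factor.activate", "outcome": {"result": "SUCCESS"}, "published": "2022-01-05T09:00:00.000Z", "actor": {"alternateId": "support-eng@sitel.example"}, "client": {"ipAddress": "203.0.113.7"}}
{"eventType": "user.mfa.factor.activate", "outcome": {"result": "FAILURE", "reason": "VERIFICATION_ERROR"}, "published": "2022-01-20T10:15:00.000Z", "actor": {"alternateId": "support-eng@sitel.example"}, "client": {"ipAddress": "198.51.100.9"}}
{"eventType": "user.account.update_password", "outcome": {"result": "SUCCESS"}, "published": "2022-02-02T08:00:00.000Z", "actor": {"alternateId": "alice@corp.example"}, "client": {"ipAddress": "192.0.2.10"}}
{"eventType": "user.account.update_password", "outcome": {"result": "SUCCESS"}, "published": "2021-10-01T08:00:00.000Z", "actor": {"alternateId": "bob@corp.example"}, "client": {"ipAddress": "192.0.2.11"}}
{"eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "published": "2022-03-21T23:40:00.000Z", "actor": {"alternateId": "alice@corp.example"}, "client": {"ipAddress": "192.0.2.10"}}
"""


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    """Okta timestamps are ISO 8601 with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def mfa_factor_changes(events, known_ips):
    """Return every MFA factor enrolment attempt, successful or not.

    Someone holding a stolen password or session token typically tries to
    enrol a factor they control. A failed attempt from an address outside the
    expected set (the shape of the January event Okta described) is the one
    to escalate, so each finding carries an unknown_ip flag.
    """
    findings = []
    for ev in events:
        if ev.get("eventType") != "user.mfa.factor.activate":
            continue
        ip = ev.get("client", {}).get("ipAddress", "")
        findings.append({
            "user": ev["actor"]["alternateId"],
            "ip": ip,
            "result": ev.get("outcome", {}).get("result"),
            "unknown_ip": ip not in known_ips,
            "when": ev["published"],
        })
    return findings


def password_rotation_list(events, now_iso, days=120):
    """Users whose password changed successfully within the last `days` days.

    This mirrors the rotation criterion the article attributes to Cloudflare:
    anyone who changed their Okta password in roughly the last four months,
    since those are the accounts a support console could have touched.
    """
    cutoff = parse_ts(now_iso) - timedelta(days=days)
    users = {
        ev["actor"]["alternateId"]
        for ev in events
        if ev.get("eventType") == "user.account.update_password"
        and ev.get("outcome", {}).get("result") == "SUCCESS"
        and parse_ts(ev["published"]) >= cutoff
    }
    return sorted(users)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    expected_egress = {"203.0.113.7"}  # constructed allow-list of expected source IPs
    for f in mfa_factor_changes(evs, expected_egress):
        flag = "UNKNOWN IP" if f["unknown_ip"] else "known ip"
        print(f'{f["when"]} {f["user"]} factor activate {f["result"]} from {f["ip"]} ({flag})')
    print("rotate:", password_rotation_list(evs, "2022-03-22T00:00:00Z"))
```

Run against a real export, the allow-list would come from your own egress ranges or VPN pool, and the rotation list feeds directly into step 4; the failed enrolment from an unknown address is the kind of event worth retaining and correlating even when, as in Okta’s account of January, the attempt itself did not succeed.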
It is important to note that Okta did not notify customers of the breach back in January, when it occurred.
What Can We Further Expect from Lapsus$
Companies such as Apple, IBM, AT&T, Telefonica, and Atento are now on Lapsus$’s radar, and the group is reportedly actively recruiting insiders at those companies. So, besides purchasing credentials, Lapsus$ may also be working with employees who hold a grudge against their employer or are simply in it for the money.
Lapsus$ Recruitment Message
One theory is that the group’s prolific run of data leaks in the preceding weeks was possible because it had access to Okta customer data for at least two months, and that it is now recruiting because it has lost that access. In any case, Lapsus$ has previously said it has access to Vodafone data and recently claimed to have breached LG Electronics.
So even if the group has lost access to Okta’s systems, it may continue to leak the data it already has and target more global corporations.
UPDATE | March 23, 2022
Microsoft confirmed it was breached by Lapsus$ and said the group’s “tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.” The company is tracking Lapsus$ as DEV-0537.
“No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access,” Redmond stated. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”
The company also assessed that Lapsus$ gains initial access through password stealers, purchasing credentials and session tokens from underground forums, encouraging insider threat by paying off employees, and searching code repositories for exposed credentials.
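The last item in that list, searching code repositories for exposed credentials, is the one a defender can pre-empt: scan your own repositories for committed secrets before anyone else does. The scanner below is an added example written for this article, not Microsoft’s tooling or any vendor’s product. It uses a small constructed pattern set (the shape of an AWS access key ID, a PEM private key header, and a generic "secret = ..." assignment gated by a Shannon entropy check so low-entropy placeholders are not reported); the sample file contents are constructed, and AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS’s own documentation, not a live credential.

```python
"""Flag credentials that should never have been committed to a repository.

Added example; constructed patterns and sample input, no real secrets.
"""
import math
import re
from collections import Counter

# Pattern name -> compiled regex. Group 1 captures the candidate secret value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, entropy_threshold=3.5):
    """Return (line_number, pattern_name, matched_value) for each likely secret.

    Fixed-format patterns (key IDs, PEM headers) are always reported. Generic
    assignments are reported only when the quoted value is high-entropy, so a
    placeholder such as "changeme_changeme" is skipped while a random token
    of the same length is flagged.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1)
                if name == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append((lineno, name, value))
    return findings


# Constructed sample "source file"; none of these values are real credentials.
SAMPLE_SOURCE = '''\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password = "changeme_changeme"
api_key = "q7Zr4Kp9Wd2sXv6Tb1Ln8Mc3"
# -----BEGIN RSA PRIVATE KEY-----
print("hello")
'''

if __name__ == "__main__":
    for lineno, name, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {value[:12]}...")
```

In practice this runs as a pre-commit hook or a CI step over every file in the tree, and anything it reports is treated as already exposed: the credential is rotated, not merely removed from the history.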
Okta also updated the assessed impact of its breach by Lapsus$. The company said that “a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon.”
2.5% of 15,000 Okta customers equals 375 organizations. The company stated the number to be 366. “The sharing of these screenshots is embarrassing for myself and the whole Okta team,” Bradbury said.
“On January 20, 2022, the Okta Security team was alerted that a new MFA factor had attempted to be added to a Sitel customer support engineer’s Okta account. Although that individual attempt was unsuccessful, out of an abundance of caution, we reset the account and notified Sitel who engaged a leading forensic firm to perform an investigation,” Bradbury said.
Sitel is a sub-processor that provides Okta with contract workers for its Customer Support organization. The investigation report by Sitel, Okta said, was delivered on March 22, 2022. The company concluded that the screenshots leaked by Lapsus$ were taken from a Sitel support engineer’s computer, to which an attacker had obtained remote access using RDP.
“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications,” Bradbury added.