The response comes after other top companies such as Nvidia, Samsung, Ubisoft and Okta were reportedly targeted by the same group. Okta initially denied a breach, but later released a statement saying it believed nearly 366 of its customers were likely affected.
Lapsus$, based in South America, is known for publicly posting details of its hacks and sharing screenshots of stolen data on platforms such as Telegram and Twitter. Here’s a look at what this latest cybersecurity problem is.
How was Microsoft hacked?
The Lapsus$ group claimed this week that it stole data from Microsoft, adding that it had accessed source code for key Microsoft products Bing, Cortana and Bing Maps. Microsoft, however, said that while no customer code or data was involved, their investigation found that only one account had been compromised, granting hackers limited access.
The statement adds, “Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.” The company said it does not rely on the secrecy of source code as a security measure, and that an attacker viewing source code does not increase the risk to its products.
“Our team was already investigating the compromised account based on threat intelligence when the actor publicly revealed his intrusion. This public disclosure intensified our action, allowing our team to step in and interrupt the actor in course of operation, thereby limiting a wider impact,” the statement read.
Who else was targeted by Lapsus$? Why is the attack on Okta in the spotlight?
Microsoft said it observed that Lapsus$ targeted multiple organizations. Lapsus$ has also posted information about these hacks on its official Telegram channel and other social media accounts. The group does not hesitate to take credit for these attacks, unlike other groups who prefer to stay under the radar.
According to reports, NVIDIA, Samsung, Ubisoft and Okta are among the organizations targeted by the hackers. The Okta hack in particular is concerning, as the San Francisco-based company provides online authentication services to several top players such as FedEx Corp, T-Mobile, Moody’s Corp and Coinbase Global, and even to the cloud service provider Cloudflare.
Okta said around 366 of its customers were affected, although it insisted the attackers never had direct access to their overall system. According to Okta’s statement, the hackers gained access through “a machine that was connected to Okta.” The attack was detected as part of a failed attempt to compromise a customer support engineer’s account in January 2022, and Okta alerted those at risk as part of the process at the time.
The statement claims the scenario is equivalent to “walking away from your computer in a cafe, in which a stranger has (practically in this case) sat in front of your machine and is using the mouse and keyboard.”
According to Lotem Finkelsteen, Head of Threat Intelligence and Research at Check Point Software, “If true, the breach at Okta may explain how Lapsus$ was able to achieve its recent chain of successes. Thousands of businesses use Okta to secure and manage their identities. Using private keys retrieved from Okta, the cybergang can gain access to corporate networks and applications. Therefore, a breach at Okta could have potentially disastrous consequences.”
Okta’s services are used by organizations for single sign-on and multi-factor authentication, allowing their users to log into online apps and websites.
Meanwhile, Nvidia said it was “still working to assess the nature and scope of the event.” The incident has been labeled a ransomware attack.
Regarding Samsung, the group had posted screenshots showing that it had access to almost 200 GB of data, including the source code used by Samsung for encryption and biometric unlocking functions on Galaxy devices.
Samsung’s statement said no personal data belonging to employees or customers was stolen, although it said there was a security breach related to “internal company data”. The statement acknowledged that the breach involved source code related to Galaxy devices.
How exactly did Lapsus$ manage to carry out these attacks?
Microsoft’s blog post gave some clues as to how these attacks took place, although the group appears to have deployed a wide variety of methods. The blog post refers to Lapsus$ as DEV-0537, and according to Microsoft, the hackers are relying on “large-scale social engineering and extortion campaigns against multiple organizations…”
In social engineering attacks, cybercriminals attempt to trick individuals into revealing critical personal information via phishing attacks. This information can then be used to compromise other accounts. For example, they can ask someone to complete a survey revealing personal information such as their mother’s maiden name, favorite food or date of birth. All of this information can be used to guess passwords or even answers to security questions for an account.
According to Microsoft, the group relies on a “model of pure extortion and destruction without deploying ransomware payloads”. It started by targeting organizations in the UK and South America, but has expanded globally. Its targets cover a wide range of sectors: government, technology, telecommunications, media, retail and healthcare. The group also attacks cryptocurrency exchanges to steal cryptocurrency holdings.
Microsoft says the group also relies on some tactics less commonly used by other threat actors. These include methods such as “swapping SIM cards to take over accounts, accessing personal email accounts of employees of target organizations”.
In some cases, it has even paid employees or vendors of an organization to gain access to privileged networks and systems. Another example is the group calling an organization’s help desk to reset a target’s credentials. The group used other information gathered about the target to trick the help desk into giving access.
For now, Microsoft has recommended that companies rely on multi-factor authentication (MFA) to protect against such attacks. It also advises against weak MFA factors such as text messages, as these are susceptible to SIM swapping. It also cautioned against simple voice approvals, push notifications, or even “secondary email”-based MFA methods.
It also recommends making employees and IT help desks more aware of social engineering attacks.
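As an added example (not code from the article or from Microsoft), the script below flags the help-desk reset pattern described above in constructed identity-provider log lines: a help-desk-initiated password reset followed within a short window by enrollment of one of the weak factors Microsoft warns against, or by a sign-in from a new device. The log format, event names and factor labels are assumptions made for the example.

```python
"""Added example (not from the article or Microsoft): flag the help-desk
reset pattern over constructed identity-provider events."""
from datetime import datetime, timedelta

# Factor classes follow the article's summary of Microsoft's advice:
# SMS, voice, push and secondary e-mail are weak; everything else is treated as strong.
WEAK_FACTORS = {"sms", "voice", "push", "secondary_email"}


def parse_events(lines):
    """Parse 'timestamp|user|event|detail' lines (constructed log format)."""
    events = []
    for line in lines:
        ts, user, kind, detail = line.strip().split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "kind": kind, "detail": detail})
    return events


def find_suspicious_resets(events, window=timedelta(minutes=30)):
    """Return (user, reason) pairs where a help-desk password reset is followed
    within `window` by enrollment of a weak MFA factor or a new-device sign-in."""
    hits = []
    resets = [e for e in events
              if e["kind"] == "password_reset" and e["detail"] == "helpdesk"]
    for r in resets:
        for e in events:
            # Only look at the same user's later events inside the window.
            if e["user"] != r["user"] or not (r["ts"] < e["ts"] <= r["ts"] + window):
                continue
            if e["kind"] == "mfa_enroll" and e["detail"] in WEAK_FACTORS:
                hits.append((r["user"], "weak factor enrolled: " + e["detail"]))
            elif e["kind"] == "signin" and e["detail"] == "new_device":
                hits.append((r["user"], "sign-in from new device"))
    return hits


# Constructed sample log: alice matches both conditions, bob reset her own
# password (not help desk), carol's new-device sign-in falls outside the window.
SAMPLE_LOG = [
    "2022-03-20T10:00:00|alice|password_reset|helpdesk",
    "2022-03-20T10:05:00|alice|mfa_enroll|sms",
    "2022-03-20T10:07:00|alice|signin|new_device",
    "2022-03-20T11:00:00|bob|password_reset|self_service",
    "2022-03-20T11:02:00|bob|mfa_enroll|sms",
    "2022-03-20T12:00:00|carol|password_reset|helpdesk",
    "2022-03-21T09:00:00|carol|signin|new_device",
]

if __name__ == "__main__":
    for user, reason in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(user, reason)
```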