The Lapsus$ group struck again. Lapsus is known for breaking into business networks and then extorting them. Sometimes they steal data and hold it hostage.
The ransomware group this week launched an attack on Microsoft and Okta.
Previously, the group has breached the Cybersecurity of many tech giants including Nvidia and Samsung in which nearly 200 Gigabytes of Samsung Source Code were leaked.
Microsoft stated that the hacker group Lapsus gained “limited access” to its networks, after a claim by the group that it stole source code for the Bing search engine and Cortana voice assistant.
While Okta, the San Francisco-based company that manages user authentication services for thousands of corporate clients, stated that the impact of the breach is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel.
About Lapsus$ Group Attack
Some time ago, the group advertised that they wanted to buy credentials of their target company through employees or contractors that are willing to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system.
Lapsus$ is known for claiming on social media to infiltrate a number of large tech companies. Its Telegram channel was the first to report this week’s Microsoft and Okta breaches.
Read Also : Anonymous Hacker Group Communicate With Russians Through Printer Attacks
According to the report, Microsoft may have been hacked, with 37 GB of Bing, Bing Maps, and Cortana source code stolen, while the group claimed to have gotten around 45 percent of the code for Bing and Cortana, and around 90 percent of the code for Bing Maps.
But Microsoft stated, “Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.”
Moreover, Okto said LAPSUS$ remotely hacked a computer belonging to a customer support engineer contracted via Sitel, a third-party outsourcing agency.
“Our investigation determined that the screenshots, which were not contained in the Sitel summary report, were taken from a Sitel support engineer’s computer upon which an attacker had obtained remote access using RDP. This device was owned and managed by Sitel.”
What is Microsoft Saying?
Microsoft has identified LAPSUS$ activity and linked it to a threat group known as DEV-0537, which is known for using a pure extortion and destruction model without deploying ransomware payloads. The group began targeting organizations in the government, technology, telecom, media, retail, and healthcare sectors before expanding to global targets.
Microsoft affirmed “Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations.”
Read Also : Equiano Google’s Underwater Internet Cable To Give High Speed Internet To Togo
Furthermore, Microsoft Threat Intelligence Center (MSTIC) assesses that the objective of DEV-0537 is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.
In some cases, DEV-0537 even called the organization’s help desk and attempted to convince the support personnel to reset a privileged account’s credentials
Report from Okto
Okta, based in San Francisco, helps employees of more than 15,000 companies securely access their networks and applications, a security breach at the company could have far-reaching implications across the Internet.
David Bradbury explained the situation in a blog post, Our investigation determined that the screenshots, which were not contained in the Sitel summary report, were taken from a Sitel support engineer’s computer upon which an attacker had obtained remote access using RDP. This device was owned and managed by Sitel. He explained further “The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session.”
Read Also : Regulation of Drones Across Africa
According to the forensic firm’s investigating the breach, the report indicated that the threat actor had access to the Sitel environment for five days between January 16 and 21, 2022, which was confirmed with analysis.
Bradbury added the threat actor would not have gotten “god-like access” since the application is built with the least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles. They are unable to create or delete users. They cannot download customer databases. They cannot access our source code repositories.