Microsoft and Okta confirm, detail impact of Lapsus$ gang’s attacks

Recent claims by the cyber extortion gang have been validated by Okta and Microsoft: Lapsus$ have managed to get their hands on some of Microsoft’s source code and have gained access to the laptop of a support engineer working for a third-party contractor for Okta, allowing them to potentially impact approximately 2.5% of the company’s customers.

Okta

After the gang published screenshots from Okta’s internal systems and said that they focused their incursion on Okta customers, the company’s CEO first said that, in late January 2022, they detected an attempt to compromise the account of a customer support engineer working for one of their subprocessors, and that “there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Later that day, David Bradbury, Okta’s Chief Security Officer, first shared that “there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” that “the potential impact to Okta customers is limited to the access that support engineers have,” and finally, that “a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon.”

Okta’s main product is a popular identity platform that enables single sign-on to many cloud services. The company has, by their own count, over 15,000 customers, so the compromise might end up affecting nearly 400 of them. Okta did not name them and did not say what customer data may have been accessed.

The gang has disputed parts of Okta’s statements.

As the situation is still developing, new revelations are sure to come. In the meantime, Microsoft has shared extensive details about Lapsus$ group’s tactics, techniques and procedures.

Microsoft

Microsoft tracks Lapsus$ as DEV-0537 and confirmed that the gang does not use ransomware – for them it’s all about extortion and destruction.

“DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors,” the company said, and confirmed that it was one of its targets.

“Our investigation has found a single account had been compromised, granting limited access,” they shared. The attackers haven’t been able to access customer code or data but did have access to the company’s own source code – something that Microsoft doesn’t consider a big deal, as it “does not rely on the secrecy of code as a security measure.”

“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” the company concluded.

More generally, though, the company’s security teams have been tracking the gang’s activities, and have now shared some of the tactics Lapsus$ uses (as well as recommendations on how security teams can counter them).

“Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations,” they noted.

“DEV-0537 also uses several tactics that are less frequently used by other threat actors tracked by Microsoft. Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.”

After gaining initial access via social engineering, compromised credentials and/or session tokens, and recruited company insiders, they perform reconnissance via publicly available tool and collaboration platforms to discover high-privilege account credentials or exploit privilege escalation vulnerabilities in Confluence, Jira, and GitLab.

“In some cases, DEV-0537 even called the organization’s help desk and attempted to convince the support personnel to reset a privileged account’s credentials. The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure. Observed actions have included DEV-0537 answering common recovery prompts such as ‘first street you lived on’ or ‘mother’s maiden name’ to convince help desk personnel of authenticity,” Microsoft researchers explained.

“Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.”

The group exfiltrates targets’ data and uses it for future extortion or public release; sometimes there is no extortion attempt and the data is simply leaked.