With cybersecurity threats on the rise, attackers are using more sophisticated techniques to steal sensitive information. From small companies to large businesses, every tech company can be victim of cyber-attacks.
It is believed that large businesses to have robust security posture. However, it is surprising that even after having a stronger security posture also become a victim of cyber-attacks!
Recently high-profile companies like Microsoft, Okta, Nvidia, Ubisoft, Samsung were attacked by a data extortion hacking group known as Lapsus$. The Lapsus$ hacker group aims to breach the major companies and demand substantial ransom payments for confidential information such as source code and internal documents.
First Microsoft, Then Targeted Okta!
Microsoft has confirmed that the Lapsus$ compromised it and gained limited access to an account. The hackers posted a torrent file declaring to hold the source code from Cortana (45%), Bing (45%), and Bing Maps with 90% complete dump. The Microsoft support team quickly took action to prevent further activity.
Microsoft also listed the techniques used by the Lapsus$ group for extortion. Some of them include,
- Phone-based social engineering: SIM swapping to provide account takeover, breaking into personal email accounts of employees and target organizations to access credentials and multi-factor authentication approval. In addition, they also intervened the ongoing crisis-communication calls of their targets.
- Lapsus$ is using vulnerabilities in Confluence, JIRA, and GitLab to escalate privileges.
- Lapsus$ hackers are also calling helpdesks to get password reset and stealing Active Directory databases. Additionally, they use NordVPN to masquerade the geography of the target.
- They had internal messaging services to know how targets were reacting.
Microsoft named this attack DEV-0537. It concludes that DEV-0537 enters the victim’s state of mind and knowledge of the intrusion and decides to initiate extortion demands.
The LAPSUS$ ransomware group just posted an image of what looks to be Microsoft’s internal DevOps platform… yikes… pic.twitter.com/PFdlezyDW9
— Bill Demirkapi (@BillDemirkapi) March 20, 2022
Followed by Microsoft, Okta also confirmed that the Lapsus$ compromised it. Okta provides an enterprise identity and access management. The Lapsus$ accessed information of 2.5% (represents 366 organizations) of Okta customers. Okta says that the attempt to exploit was made in January and Okta disclosed the breach on March 22.
However, Lapsus$ claimed that it has access to a support engineer’s laptop from Okta. It posted some screenshots of claiming access to the Okta systems. Okta quickly started recovering the affected systems to prevent further damage.
Other high-profile victims were Samsung and Ubisoft. Samsung claims a data breach occurred where the source code related to Samsung Galaxy smartphones was leaked. However, attackers did not steal any personal information.
Ubisoft a video game developer, was attacked by the Lapsus$ group. But there was no user data theft or exposure. Therefore, it reveals the “security incident” and forces the company-wide to a password reset.
Impact on End Customers of Affected Companies
Impact on Okta Customers
Upon Okta’s investigation from the Lapsus$ breach, 15000 customers were affected. Okta’s Chief Security Officer David Bradbury identified the third-party provider as Sitel, providing Okta with contract workers for customer support. Despite an investigation launched by a leading forensic firm, Okta did not receive any report till March 17.
Upon this reflection, Okta regrets not moving swiftly to understand Lapsus$ implications. In addition, Okta updated that the service is fully operational and declared that no corrective actions are needed for their customers.
However, not every tech industry was reassured by Okta’s update.
Lapsus$ specified that the only focus to attack was on Okta customers, and the potential impact would not be limited. Lapsus$ claimed that resetting passwords and MFA would aid in a complete compromise of the clients. In addition, it also claimed that Okta is storing AWS keys within slack.
Also, investors have hit hard on Okta. The company’s shares are down by 15% since the Lapsus$ attack.
#Okta now state that up to 2.5% of its customers were impacted by the Lapsus$ incident. According to its website, Okta has >15k customers which means 375 or more companies have been impacted. *How* they’ve been impacted remains unclear. 1/2https://t.co/iMsY5IOqei
— Brett Callow (@BrettCallow) March 23, 2022
The impact is unclear with Okta’s customers. However, Okta has identified the affected customers and has already reached out directly through email. In addition, Okta has apologized for the inconvenience and uncertainty the attack has caused.
Considering the long-term impact of this attack, this incident will not have a long-lasting effect on Okta. Okta will use a ton of money on analytics, instrumentation and develop a strong security posture.
Impact on Microsoft customers
Microsoft explained that viewing source code does not lead to risk elevation, and secrecy of code cannot be the security measure to protect it. Microsoft was already aware of the compromised account and was investigating before the Lapsus$ announcement. It moved swiftly and interrupted the bad actor in the middle of the operation. This resulted in limiting the impact.
UK Teen Living with Mom is Suspected Lapsus$ Mastermind!
Surprisingly, when tech companies investigated the notorious activities, the culprit turned out to be a 16-year-old teenager from Oxford, England. It is believed that the English boy is behind most of the intrusions. The teen uses the online title “White” and “breachbase.” He has advanced hacking skills that researchers believe to be automated activity.
Bloomberg got the lead to track down the hacker’s personal information, including the home address details. The woman at the door told the outlet via an intercom system that she was the hacker’s mother and unaware of her son’s ties with the Lapsus$ hacker group.
The woman then rejected all the interview requests on behalf of her son, saying she planned to report the situation to the police. Bloomberg had to withhold the suspected hacker’s name because he is a minor, and authorities have yet to charge him with the cybercrime.
SCOOP: A 16 year old living in his mother’s house in Oxford, England is suspected to be the mastermind behind many of the hacks conducted by hacking group Lapsus$, per multiple sources involved in various investigations of the hacking group. Full story to follow.
— William Turton (@WilliamTurton) March 23, 2022
Researchers are investigating on behalf of the organizations suspected that a Brazilian teenager is also involved in these attacks. Researchers did not disclose all details, but they mentioned at least seven members in the extrusion group.
BREAKING: Oxford teen accused of being multi-millionaire cyber-criminal as police arrest 7 teenagers linked to the Lapsus$ gang. https://t.co/LVXeFBjKKi
— Joe Tidy (@joetidy) March 24, 2022
Could You Be the Next Victim?
When it comes to cyber-attacks, Lapsus$ is like many cybercriminal activities that exploit the vulnerable assets of the organizations. It started its hacking journey with the Brazilian Ministry of Health, now targeting high-profile companies. There is no time left where Lapsus$ might target small-scale organizations.
It is wise to take preventive actions to protect the organization’s security posture. Therefore, using an excellent cyber security tool might help organizations protect the environment from potential threats.
SecPod SanerNow is a Continuous and Automated Vulnerability Management platform. SanerNow facilitates rapid scans, accurate detection of vulnerabilities and increases the speed of vulnerabilities assessment and instantly remediates them. This will help organizations to detect the flaws and take real quick action to mitigate them.
As it applies fixes to mitigate vulnerabilities and helps automate that into a routine. SanerNow consolidates multiple use cases into a single console, so you don’t have to scramble through a maze of tools. It will result in organisations to stay a step ahead of attackers.
Prevention is better than cure!
Cyberattacks must be prevented. SanerNow paves the way, like no other.