On Tuesday, Microsoft publicly acknowledged that the LAPSUS$ hacking group had achieved “limited access” to its systems, coinciding with a revelation from Okta, an identity authentication services provider, indicating that nearly 2.5% of its customer base may have been affected by the breach.

Microsoft’s Threat Intelligence Center (MSTIC) confirmed that no customer code or data was breached during this incident. The intrusion was traced back to a single compromised account, which has since been secured to prevent any further malicious activity.

Prior to this breach, Microsoft had already been monitoring LAPSUS$ under the codename DEV-0537. The company asserted that it does not depend on the secrecy of its source code as a security measure, emphasizing that exposure to the code does not inherently elevate risk levels.

The rapid public disclosure of the breach allowed Microsoft’s security teams to act swiftly, interrupting the hackers’ operations and mitigating potential larger-scale impacts. Meanwhile, Okta identified the breach as stemming from the compromised laptop of a customer support engineer associated with a third-party vendor, which provided attackers access for a five-day period between January 16 and 21. It is important to note that the Okta service itself remains fully operational.

According to a post-mortem analysis by Cloudflare, simply changing a user’s password would not have been enough for an attacker in this scenario; the attacker would also have needed to change the hardware authentication tokens registered to that user. Unauthorized access could thus be traced through these hardware identifiers.

Notably, there has been criticism directed at Okta for delaying the public disclosure of the breach for two months, which prompted the hacking group to question the rationale behind this timeline in their counter-statements. LAPSUS$ claimed that Okta had stored Amazon Web Services (AWS) keys in Slack, raising concerns about excessive privileges granted to support engineers within that platform.

LAPSUS$ has been aggressive in its targeting, conducting a series of high-profile attacks since its emergence in July 2021, with victims including major corporations and government entities across various sectors. Their typical methodology involves infiltrating networks, exfiltrating sensitive data, and subsequently demanding ransom, often threatening to disseminate stolen materials via platforms like Telegram.

Microsoft characterizes LAPSUS$ as adhering to a “pure extortion and destruction model,” dispelling any claims that the group relies on ransomware payloads or attempts to obliterate digital trails.

Methods employed by the group are varied, including sophisticated social engineering techniques such as SIM-swapping, accessing employees’ personal email accounts, and infiltrating important crisis-response meetings to issue extortion demands. They have also been known to deploy the RedLine Stealer and acquire credentials from dark web marketplaces to establish footholds within target systems.

To strengthen defenses, Microsoft advocates for businesses to implement robust multi-factor authentication that doesn’t rely on SMS, as well as modern authentication practices like OAuth or SAML. Regular reviews of user activity for irregularities and monitoring communication channels for unauthorized participants are also essential steps in bolstering protection against future incursions.
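Cloudflare’s observation above, that an attacker with support-level access would have to reset a password and then change the user’s hardware token, leaving a trace, combined with Microsoft’s advice to review user activity for irregularities, can be turned into a simple review rule over an identity provider’s audit log. The Python below is an added example, not code from Microsoft, Okta or Cloudflare; the event fields, role names and action names are assumptions standing in for whatever the provider actually records, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AuditEvent:
    ts: datetime
    actor: str        # account that performed the action
    actor_role: str   # assumed role labels: "end_user", "helpdesk", "vendor_support"
    action: str       # assumed action names: "password.reset", "mfa.factor.reset", "mfa.factor.enroll"
    target: str       # account the action was applied to

# Roles that can act on other users' credentials (hypothetical names).
SUPPORT_ROLES = {"helpdesk", "vendor_support"}
MFA_CHANGE_ACTIONS = {"mfa.factor.reset", "mfa.factor.enroll"}
WINDOW = timedelta(minutes=30)

def find_takeover_sequences(events, window=WINDOW):
    """Return (target, actor, reset_ts, mfa_ts) for each case where a support-role
    actor reset a user's password and then reset or re-enrolled that user's MFA
    factor within `window`. Self-service changes by the user are not flagged."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, pw in enumerate(ordered):
        if pw.action != "password.reset" or pw.actor_role not in SUPPORT_ROLES:
            continue
        for later in ordered[i + 1:]:
            if later.ts - pw.ts > window:
                break  # events are sorted, so nothing later can be inside the window
            if (later.target == pw.target and later.actor == pw.actor
                    and later.action in MFA_CHANGE_ACTIONS):
                findings.append((pw.target, pw.actor, pw.ts, later.ts))
                break
    return findings

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample audit trail; not real Okta or Cloudflare data.
SAMPLE_EVENTS = [
    # Alice rotates her own password and re-enrolls her key: self-service, benign.
    AuditEvent(_t("2022-01-16T09:00:00"), "alice@example.com", "end_user", "password.reset", "alice@example.com"),
    AuditEvent(_t("2022-01-16T09:02:00"), "alice@example.com", "end_user", "mfa.factor.enroll", "alice@example.com"),
    # Helpdesk resets Bob's password only; no MFA change follows, so not flagged.
    AuditEvent(_t("2022-01-16T10:00:00"), "helpdesk-04", "helpdesk", "password.reset", "bob@example.com"),
    # Vendor support resets Carol's password, then enrolls a new factor minutes later: flagged.
    AuditEvent(_t("2022-01-16T11:00:00"), "vendor-support-17", "vendor_support", "password.reset", "carol@example.com"),
    AuditEvent(_t("2022-01-16T11:04:00"), "vendor-support-17", "vendor_support", "mfa.factor.enroll", "carol@example.com"),
]

if __name__ == "__main__":
    for finding in find_takeover_sequences(SAMPLE_EVENTS):
        print("review:", finding)
```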

As the dust settles from this breach, LAPSUS$ claims to be taking a hiatus, announcing on their Telegram channel that some members would be on vacation until the end of March 2022, indicating a brief pause in their activities.
