Lapsus$ threat actor that made headlines after compromising authentication firm Okta has been particularly active recently. It has also been very public about its attacks.
It seems that Lapsus$ accessed Okta’s internal environment in late January. Authentication service remains fully functional, and the company is contacting customers (approximately 2,5% of them) who have potentially been impacted and whose data may have been viewed or acted upon.
Before announcing the Okta breach, Lapsus$ had threatened to breach Microsoft. The same day that it released screenshots supporting the Okta hack claim, Lapsus$ also dropped what it claims to be an incomplete Bing (45%), Bing Maps (90%), and Microsoft virtual assistant Cortana (45%) source code.
In recent weeks, Microsoft has been tracking what it called a large-scale social engineering and extortion campaign. It attributed the activity to Lapsus$ (DEV-0537).
“Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks,” Microsoft noted.
Indeed, not only do they advertise and tease their followers about the upcoming leaks, but they are also very public about their intent to buy credentials from employees of target organizations. This week it even opened its Telegram chat to everyone who wanted to discuss the Okta leak.
Microsoft said that Lapsus$ deploys several tactics that other threat actors use less frequently.
“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft said in its latest blog post.
Lapsus$ focuses on compromising user identities to gain initial access to an organization. Compromised credentials allow the threat actor to access internet-facing systems and applications, such as virtual private network (VPN), remote desktop protocol (RDP), virtual desktop infrastructure (VDI), or Identity providers (including Azure Active Directory, Okta).
In some cases, Lapsus$ first compromised non-work-related accounts to gain access to corporate networks.
“Given that employees typically use these personal accounts or numbers as their second-factor authentication or password recovery, the group would often use this access to reset passwords and complete account recovery actions,” Microsoft detailed.
It seems that Lapsus$ advertisements that they wanted to buy credentials were successful. Microsoft found instances where employees of a target organization helped Lapsus$ gain access to a company.
“For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system,” Microsoft said.
Lapsus$ actors also performed a SIM-swapping attack to access a user’s phone number before signing into the corporate network.
Compromised Microsoft account
As mentioned above, Lapsus$ said it had exfiltrated a portion of Microsoft source code. The company has acknowledged that there was a compromise.
“Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” it said.
Microsoft highlights that it does not rely on code secrecy as a security measure, and viewing source code does not lead to elevation of risk.
“The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”