Exploring New Attack Approaches. The Case of Microsoft and Okta

Microsoft and Okta suffered data breaches after a cybercrime group declared them as targets. Learn how the unique attack approach contributed to compromising the tech giants.

In March 2022, the cyber world was alarmed by cyberattacks on the global technology giant Microsoft and on the identity and access cloud services provider Okta Inc. Both companies confirmed suffering data breaches after the cybercrime group Lapsus$ announced it had targeted them. Both claim the impact was limited, and both admitted the unexpected nature of the attack.

Cybersecurity firms like Microsoft and Okta form the backbone of a customer organization’s cybersecurity posture, so even the idea of a successful attack on such a technology giant is disturbing. The recent data breaches demonstrate that even security service providers with significant budgets dedicated to information and systems protection can become victims of well-organized cybercrime groups. The attackers’ use of new attack methods is an additional alarming fact.

In this article, we examine the details of the cyberattacks and their implications for the technology giants.

Lapsus$ Announced its Attack

The Lapsus$ cybercriminal group, also known as DEV-0537, announced an extensive cyberattack in March 2022. The criminals claimed they had gained access to the source code of Microsoft products and compromised clients’ personal data held by Okta, a San Francisco-based company that manages user authentication services for more than 15,000 corporate clients worldwide.

On their Telegram channel, the criminals shared sensitive screenshots of Microsoft’s and Okta’s internal projects. The data leaked by Lapsus$ comprised a 37 GB archive, showing their access to the source code of Microsoft’s Bing, Maps, and Cortana. Concluding their announcement, the hackers condemned Okta’s security measures, accompanied by screenshots of Okta’s sensitive accounts, such as Cloudflare, and many in-house channels.

The Lapsus$ cybercriminal group is known for using a pure extortion and destruction model without deploying ransomware. They are also known for taking over individual user accounts at cryptocurrency exchanges. For a long time, the primary targets of Lapsus$ were organizations in South Africa and the United Kingdom, but they have since expanded to global targets, including organizations in the government, technology, telecom, media, retail, and healthcare sectors. Thus, Microsoft and Okta became “perfect targets” for these ambitions.

What did Microsoft Say?

Microsoft needs no introduction, and therefore even the idea that such a technology giant could fall victim to a cyber group is terrifying. Soon after the Lapsus$ announcement, Microsoft confirmed the cyberattack but reported that the attackers had gained only “limited” access through a single organizational account. At the same time, Microsoft noted that it does not rely on the secrecy of code as a security measure and assured its clients that the exposed code “does not put their personal data at risk”. Microsoft’s cybersecurity response teams reported that they had remediated the compromised account and prevented further malicious activity. Furthermore, the Microsoft Intelligence Team published an announcement on the incident and shared new detection, hunting, and mitigation information.

What was Okta’s Response?

After the incident investigation, Okta claimed in its official statement that the attack covered a five-day period, between January 16 and 21, 2022, when the environment of Okta’s vendor Sitel was compromised. The threat actor controlled a workstation used by a Sitel support engineer with access to Okta resources. During that window, Lapsus$ criminals accessed the tenants of 366 active customers and viewed additional information in other applications such as Slack and Jira. The threat actor was unable to successfully perform any configuration changes, MFA or password resets, and did not succeed in directly authenticating to any Okta accounts.

What’s Wrong with Microsoft/Okta Responses to the Incident?

Although the incident outcomes were reported as more or less satisfactory both for the victims and their clients, some wake-up calls remain. There are three main things to consider about the real outcomes of the attacks on such “heavy” targets.

First, even if the hackers did not succeed in compromising a considerable amount of personal data, the published sensitive screenshots mean that they can gain access to the systems and customer accounts of Microsoft, Okta, or any other organization. Furthermore, the screenshots shown by Lapsus$ demonstrate the ability to reset passwords and access an admin panel with elevated privileges. The very fact that security solution companies can be breached is therefore disappointing.

The second point, which is also important about the Microsoft/Okta incident, is that Lapsus$ does not seem to conceal its attacks the way most activity groups do. They go as far as announcing their attacks on social media and advertising their intent to buy credentials from employees of target organizations. It stands to reason that security solution companies and their clients should be alert.

Lastly, Lapsus$ is a cybercriminal group known for its unique attack approach. They use extortion and destruction to demand money without needing ransomware. Lapsus$ is also infamous for recruiting employees as insiders to gain access to internal networks and systems. Therefore, cybersecurity specialists should study these attack patterns and be ready to prevent, detect, and respond to them.

New Attack Patterns 

Early observed attacks by Lapsus$ targeted cryptocurrency accounts to compromise crypto wallets. As the criminals expanded their attacks, telecommunication, higher education, and government organizations became the main targets. Lapsus$ understands the interconnected nature of identities and trust relationships in modern technology ecosystems. Therefore, it targets security solution providers and other companies to leverage their connections with their customers, partners, and suppliers. In doing so, Lapsus$ uses new attack patterns that include:

  • Access to Networks: The cybercriminal group uses social engineering tactics to gather information about employees, help desks, and supply chains. To compromise user accounts, it uses techniques ranging from Redline password stealers and public repositories to purchasing login credentials and recruiting insiders.
  • Monitoring: Using the stolen account credentials, Lapsus$ gains access to an organization’s network and monitors the environment, exploiting vulnerabilities on internal servers to uncover additional credentials for gaining access to higher-privileged accounts.
  • Exfiltration and Extortion: Being able to avoid sophisticated detection techniques, Lapsus$ exfiltrates sensitive data for the purpose of extortion. Using NordVPN access points, Lapsus$ gains access to the victim’s cloud tenants. The criminals then create global administrator accounts to gain control and remove other administrator accounts. They also often erase the stolen data from the victim’s cloud after exfiltration.
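The last pattern above (a freshly granted global administrator removing the tenant’s other administrators) is one a defender can hunt for in tenant audit logs. The following detector is an added example written for this article, not code from Microsoft, Okta, or Planet 9; the event field names and the sample events are constructed to resemble a generic cloud-tenant audit trail and are assumptions, not a real log format.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not a real tenant log). Field names are
# assumptions: ts, actor, action, target, role.
EVENTS = [
    {"ts": "2022-01-20T10:01:00", "actor": "support.eng@vendor.example",
     "action": "AddUser", "target": "svc-backup2"},
    {"ts": "2022-01-20T10:02:30", "actor": "support.eng@vendor.example",
     "action": "AddRoleMember", "target": "svc-backup2", "role": "Global Administrator"},
    {"ts": "2022-01-20T10:05:10", "actor": "svc-backup2",
     "action": "RemoveRoleMember", "target": "cio@victim.example", "role": "Global Administrator"},
    {"ts": "2022-01-20T10:05:40", "actor": "svc-backup2",
     "action": "RemoveRoleMember", "target": "itadmin@victim.example", "role": "Global Administrator"},
    {"ts": "2022-01-20T11:30:00", "actor": "hr.admin@victim.example",
     "action": "AddRoleMember", "target": "newhire", "role": "Helpdesk Administrator"},
]

PRIVILEGED_ROLES = {"Global Administrator"}
WINDOW = timedelta(minutes=30)  # how soon after the grant a removal is suspicious


def parse(ev):
    """Convert the ISO timestamp string into a datetime, leaving other fields as-is."""
    return {**ev, "ts": datetime.fromisoformat(ev["ts"])}


def detect_admin_takeover(events, window=WINDOW):
    """Flag accounts that receive a privileged role and then, within `window`,
    strip the same privileged role from other accounts (lockout pattern)."""
    evs = sorted((parse(e) for e in events), key=lambda e: e["ts"])
    grants = {}  # account -> time it was granted a privileged role
    alerts = []
    for e in evs:
        if e["action"] == "AddRoleMember" and e.get("role") in PRIVILEGED_ROLES:
            grants[e["target"]] = e["ts"]
        elif e["action"] == "RemoveRoleMember" and e.get("role") in PRIVILEGED_ROLES:
            granted = grants.get(e["actor"])
            if granted and e["target"] != e["actor"] and e["ts"] - granted <= window:
                alerts.append({"new_admin": e["actor"], "removed": e["target"],
                               "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_admin_takeover(EVENTS):
        print(f"ALERT: {a['new_admin']} removed admin {a['removed']} at {a['at']}")
```

A legitimate role grant alone (the Helpdesk Administrator event) produces no alert; only the grant-then-remove sequence does.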

To Conclude 

The Lapsus$ attacks on Microsoft and Okta demonstrate that reputable cybersecurity solution companies can also be breached. Although both Microsoft and Okta stated that the hackers did not cause significant damage, the mere fact that the systems of such technology giants were compromised poses a significant threat. Furthermore, the Microsoft/Okta case confirmed the assumption that cybercriminals are constantly inventing new, sophisticated attack methods, and this is what cybersecurity firms should be ready to address.

To stay updated on the recent cybersecurity-related topics, keep reading our blog or contact the Planet 9 team. We’ll be happy to assist!

Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646
