Lapsus$ Data Kidnappers Claim Snatches From Microsoft, Okta

Mar 23, 2022 | News

Lapsus$ shared screenshots of internal Okta systems and 40GB of purportedly stolen Microsoft data on Bing, Bing Maps and Cortana.

Both Microsoft and Okta are investigating claims by the new, precocious data extortion group Lapsus$ that the gang has breached their systems.

Lapsus$ claimed to have gotten itself “superuser/admin” access to internal systems at authentication firm Okta. It also posted 40GB worth of files to its Telegram channel, including screenshots and source code, of what the group said is Microsoft’s internal projects and systems.

The news was first reported by Vice and Reuters.

Okta confirmed on Tuesday that it had been hit and that some customers may have been affected. The scope of the breach isn't yet clear, but it could be huge: According to Okta, hundreds of millions of users rely on its platform for access to networks, including employees at thousands of large companies such as FedEx, Moody's, T-Mobile, Hewlett Packard Enterprise and GrubHub, to name a few.

A Microsoft spokesperson told Threatpost that its investigation found that an account had been compromised, “granting limited access.” Its cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity, the spokesperson said.

“We do not rely on the secrecy of code as a security measure and viewing source code isn’t tied to elevation of risk,” Microsoft said. The Microsoft Threat Intelligence team on Tuesday published a blog detailing the observed activity of Lapsus$, which Microsoft tracks as DEV-0537.


‘Very Worrisome’ Screenshots


The purported Okta screenshots included one that appears to show Okta’s Slack channels and another with a Cloudflare interface. In an accompanying message, the group said its focus was “ONLY on Okta customers.”

Bill Demirkapi, an independent security researcher, tweeted that the screenshots “are very worrisome. … LAPSUS$ appears to have gotten access to the @Cloudflare tenant with the ability to reset employee passwords.”

Cloudflare announced on Tuesday that it’s not up for risking its employees’ Okta credentials. The company, which uses Okta for employee authentication, is resetting its employees’ credentials, Co-founder and CEO Matthew Prince said on Twitter, “out of an abundance of caution.”


Breach Dates to January


Demirkapi noted another scary thing about the screenshots: Namely, they indicate a date of Jan. 21, 2022. If the date is correct, it suggests that Okta “failed to publicly acknowledge any breach for at least two months,” he said.


Yes, the dates could mean that Lapsus$ has had access to Okta for months, but then again, they could instead indicate that Lapsus$ enjoyed a brief romp before it got kicked out. The latter is the case, according to Okta CEO Todd McKinnon.

On Tuesday, the CEO tweeted that in January 2022, Okta detected an attempted compromise of “a third-party customer support engineer working for one of our subprocessors” but that “the matter was investigated and contained by the subprocessor.”

Okta believes the screenshots Lapsus$ shared online are connected to the January incident. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” McKinnon said.


Did Rogue Employees Pitch In?


If the dates are accurate, it means that Lapsus$ may well have been successful when it put up a “help wanted” notice on its Telegram channel on March 10. The group posted that it was recruiting company insiders – including those at Microsoft; other big software/gaming companies such as Apple, IBM or EA; telecoms such as Telefonica and AT&T; and more – to help it carry out its dirty work.

From its March 10 Telegram post:

“We recruit employees/insider at the following!!!! … TO NOTE: WE ARE NOT LOOKING FOR DATA, WE ARE LOOKING FOR THE EMPLOYEE TO PROVIDE US A VPN OR CITRIX TO THE NETWORK, or some anydesk” – references to remote-access technologies (VPN, Citrix and AnyDesk) that the cybercriminals could use to penetrate targets’ networks with insiders’ help.


Data on Bing, Bing Maps, Cortana Allegedly Stolen


On Monday, Lapsus$ began to circulate a 10GB compressed archive that purportedly contains internal data on Microsoft’s Bing search engine and Bing Maps, along with the source code to the company’s voice assistant software Cortana.

The leaked data is dated March 20, 2022.

“Bing maps is 90% complete dump. Bing and Cortana around 45%,” Lapsus$ wrote on its Telegram channel.

Microsoft acknowledged the claims and said that it’s investigating.


Source: threatpost.com
