
Microsoft on Wednesday published a detailed security blog post confirming that its systems were breached by the hacker group Lapsus$. The post also states that Microsoft has observed the same set of tactics being used to break into the computer systems and networks of multiple organisations.
The response comes after other prominent companies such as Nvidia, Samsung, Ubisoft and Okta were believed to have been targeted by the same group. Okta had initially denied a breach, but later released a statement saying it believed around 366 of its customers were likely impacted.
South America-based Lapsus$ is known for publicly posting details about their hacks and sharing screenshots of stolen data on platforms such as Telegram and Twitter. Here’s a look at what this latest cybersecurity issue is all about.
The Lapsus$ group claimed this week that it had stolen data from Microsoft, adding that it had accessed source code for core Microsoft products Bing, Cortana and Bing Maps. Microsoft, however, said no customer code or data was involved; its investigation found that a single account had been compromised, giving the attackers limited access.
The statement added, “Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.” The company said it does not rely on the secrecy of source code as a security measure, and that viewing source code does not increase the risk to its products.
“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” read the statement.
Microsoft said it has observed Lapsus$ targeting several organisations. Lapsus$ itself has been posting about these hacks on its official Telegram channel and other social media accounts. The group does not shy away from taking credit for its attacks, unlike other groups that prefer to stay under the radar.
According to reports, NVIDIA, Samsung, Ubisoft and Okta are among the organisations the group has targeted. The Okta breach is particularly worrying because the San Francisco-based company provides online authentication services to prominent customers including FedEx Corp, T-Mobile, Moody’s Corp, Coinbase Global and cloud services provider Cloudflare.
Okta stated that around 366 of its customers were impacted, though it insisted that the attackers never gained direct access to its systems. According to Okta’s statement, the hackers got access via “a machine that was logged into Okta”. Okta said the activity was first detected in January 2022 as an unsuccessful attempt to compromise the account of a customer support engineer, and that it had alerted the customers at risk as part of its process at the time.
The statement compared the scenario to “walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard.”
According to Lotem Finkelsteen, Head of Threat Intelligence and Research at Check Point Software, “If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent string of successes. Thousands of companies use Okta to secure and manage their identities. Through private keys retrieved within Okta, the cyber gang may have access to corporate networks and applications. Hence, a breach at Okta could lead to potentially disastrous consequences.”
Okta’s services are used by other companies to provide single sign-on and multi-factor authentication, letting their users log in to online apps and websites.
Meanwhile, Nvidia has said it is “still working to evaluate the nature and scope of the event.” Early reports termed the incident a ransomware attack.
Regarding Samsung, the group had posted screenshots showing it had access to nearly 200GB of data, including source code used by Samsung for encryption and biometric unlocking functions on Galaxy devices.
Samsung’s statement said that no personal data belonging to employees or customers was stolen, though it acknowledged a security breach relating to “internal company data”, including source code related to Galaxy devices.
Microsoft’s blog post has given some clues on how these attacks took place, though the group appears to have deployed a wide variety of methods. The blog post refers to Lapsus$ as DEV-0537, and according to Microsoft, the hackers rely on “large-scale social engineering and extortion campaigns against multiple organizations…”
In social engineering attacks, criminals manipulate people into revealing sensitive information or taking actions that undermine security, for instance through phishing messages. The information gathered can then be used to compromise other accounts. For instance, a target might be asked to take a survey that reveals personal details such as their mother’s maiden name, favourite dish or date of birth. All of this can be used to guess passwords or the answers to an account’s security questions.
According to Microsoft, the group relies on a “pure extortion and destruction model without deploying ransomware payloads.” It started by targeting organisations in the United Kingdom and South America but has expanded globally. Its targets span a range of sectors: government, technology, telecom, media, retail and healthcare. It also targets accounts at cryptocurrency exchanges in order to drain their cryptocurrency holdings.
Microsoft states that the group is also relying on some tactics that are less frequently used by other threat actors. These include methods such as “SIM-swapping to take over accounts, accessing personal email accounts of employees at target organisations.”
In some cases, it has even paid employees or suppliers of a target organisation in order to gain access to privileged networks and systems. In another example, the group called an organisation’s helpdesk to have a target’s credentials reset, using information it had previously gathered about the target to talk the helpdesk into granting access.
For now, Microsoft has recommended that businesses rely on multi-factor authentication (MFA) to protect themselves from such attacks. It also recommends against weak MFA factors such as text messages, since these are susceptible to SIM swapping, and has cautioned against simple voice or push approvals and “secondary email” based MFA methods.
It also recommends increasing awareness among employees and IT help desks around social engineering attacks.
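As an added illustration of how a defender might look for the helpdesk-reset tactic described above (this is example code written for this page, not part of the original article or of Microsoft’s post), the Python script below scans identity-provider audit events for an admin- or helpdesk-initiated password reset that is followed within 30 minutes by enrolment of a weak MFA factor (SMS, voice, email, simple push) or by a sign-in from outside a corporate IP range. The event type names, field names, the corporate range 203.0.113.0/24 and the log records themselves are all constructed assumptions for the example; real identity-provider logs use different schemas.

```python
"""Flag helpdesk password resets that are quickly followed by account-takeover signals.

All event names, field names and sample records below are constructed for this
example (an assumption); map them onto your own identity provider's audit schema.
"""
from datetime import datetime, timedelta

# Constructed sample audit events, not real logs. Alice's reset is followed by a
# weak-factor enrolment and a sign-in from outside the corporate range; Bob's is
# followed only by a sign-in from inside it; Carol enrols a strong factor with no reset.
SAMPLE_EVENTS = [
    {"ts": "2022-03-21T09:02:00Z", "type": "user.password.reset", "actor": "helpdesk.agent",
     "target": "alice", "src_ip": "203.0.113.10"},
    {"ts": "2022-03-21T09:06:00Z", "type": "user.mfa.factor.enroll", "actor": "alice",
     "target": "alice", "factor": "sms", "src_ip": "198.51.100.7"},
    {"ts": "2022-03-21T09:07:00Z", "type": "user.session.start", "actor": "alice",
     "target": "alice", "src_ip": "198.51.100.7"},
    {"ts": "2022-03-21T11:00:00Z", "type": "user.password.reset", "actor": "helpdesk.agent",
     "target": "bob", "src_ip": "203.0.113.10"},
    {"ts": "2022-03-21T11:03:00Z", "type": "user.session.start", "actor": "bob",
     "target": "bob", "src_ip": "203.0.113.44"},
    {"ts": "2022-03-22T08:00:00Z", "type": "user.mfa.factor.enroll", "actor": "carol",
     "target": "carol", "factor": "fido2", "src_ip": "203.0.113.50"},
]

# Factors the article reports Microsoft cautioning against: SMS (SIM swapping),
# voice approval, simple push approval, secondary email.
WEAK_FACTORS = {"sms", "voice", "push", "email"}
WINDOW = timedelta(minutes=30)
CORPORATE_PREFIX = "203.0.113."  # assumed corporate egress range (TEST-NET-3, constructed)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_weak_factor(factor):
    """True for MFA factors that a SIM swap, a phone call or a tap-to-approve can defeat."""
    return factor is not None and factor.lower() in WEAK_FACTORS


def find_suspicious_resets(events, window=WINDOW, corporate_prefix=CORPORATE_PREFIX):
    """Return findings for resets done by someone other than the account owner that are
    followed within `window` by a weak-factor enrolment or a sign-in from outside the
    corporate range. Each finding lists the user, the reset time and the reasons."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for i, reset in enumerate(ordered):
        if reset["type"] != "user.password.reset" or reset["actor"] == reset["target"]:
            continue  # self-service resets are out of scope here
        t0 = parse_ts(reset["ts"])
        reasons = []
        for follow in ordered[i + 1:]:
            if parse_ts(follow["ts"]) - t0 > window:
                break  # events are time-ordered, nothing later can be in the window
            if follow["target"] != reset["target"]:
                continue
            if follow["type"] == "user.mfa.factor.enroll" and is_weak_factor(follow.get("factor")):
                reasons.append(f"weak MFA factor '{follow['factor']}' enrolled at {follow['ts']}")
            if follow["type"] == "user.session.start" and not follow["src_ip"].startswith(corporate_prefix):
                reasons.append(f"sign-in from non-corporate IP {follow['src_ip']} at {follow['ts']}")
        if reasons:
            findings.append({"user": reset["target"], "reset_at": reset["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"[ALERT] {finding['user']}: helpdesk reset at {finding['reset_at']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run against the constructed events, the script raises one alert, for alice, with two reasons; Bob's reset followed by an in-range sign-in is left alone, as is Carol's strong-factor enrolment. In practice the IP check would be replaced by whatever "known network" signal the identity provider exposes, and the window tuned to how quickly the helpdesk expects users to log back in.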