Lapsus$ Data Kidnappers Claim Snatches From Microsoft, Okta

Lapsus$ shared screenshots of internal Okta systems and 40Gb of purportedly stolen Microsoft data on Bing, Bing Maps and Cortana.

Both Microsoft and Okta are investigating claims by the new, precocious data extortion group Lapsus$ that the gang has breached their systems.

Lapsus$ claimed to have gotten itself “superuser/admin” access to internal systems at authentication firm Okta. It also posted 40GB worth of files, including screenshots and source code, to its Telegram channel, which the group said came from Microsoft’s internal projects and systems.

The news was first reported by Vice and Reuters.


Okta confirmed on Tuesday that it had been hit and that some customers may have been affected. The scope of the breach isn’t yet clear, but it could be huge: According to Okta, it has hundreds of millions of users who use its platform to provide access to networks, including employees at thousands of large companies such as Fedex, Moody’s, T-Mobile, Hewlett Packard Enterprise and GrubHub, to name a few.

A Microsoft spokesperson told Threatpost that its investigation found that an account had been compromised, “granting limited access.” Its cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity, the spokesperson said.

“We do not rely on the secrecy of code as a security measure and viewing source code isn’t tied to elevation of risk,” Microsoft said. The Microsoft Threat Intelligence team on Tuesday published a blog detailing observed activity of Lapsus$, which Microsoft tracks as DEV-0537.

‘Very Worrisome’ Screenshots

The purported Okta screenshots included one that appears to show Okta’s Slack channels and another with a Cloudflare interface. In an accompanying message, the group said its focus was “ONLY on Okta customers.”

Bill Demirkapi, an independent security researcher, tweeted that the screenshots “are very worrisome. … LAPSUS$ appears to have gotten access to the @Cloudflare tenant with the ability to reset employee passwords.”

Cloudflare announced on Tuesday that it’s not up for risking its employees’ Okta credentials. The company, which uses Okta for employee authentication, is resetting its employees’ credentials, Co-founder and CEO Matthew Prince said on Twitter, “out of an abundance of caution.”


Breach Dates to January

Demirkapi noted another scary thing about the screenshots: Namely, they indicate a date of Jan. 21, 2022. If the date is correct, it suggests that Okta “failed to publicly acknowledge any breach for at least two months,” he said.

Yes, the dates could mean that Lapsus$ has had access to Okta for months, but then again, they could instead indicate that Lapsus$ enjoyed a brief romp before it got kicked out. The latter is the case, according to Okta CEO Todd McKinnon.

On Tuesday, the CEO tweeted that in January 2022, Okta detected an attempted compromise of “a third-party customer support engineer working for one of our subprocessors” but that “the matter was investigated and contained by the subprocessor.”

Okta believes the screenshots Lapsus$ shared online are connected to the January incident. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” McKinnon said.

Did Rogue Employees Pitch In?

If the dates are accurate, it means that Lapsus$ may well have been successful when it put up a “help wanted” notice on its Telegram channel on March 10. The group posted that it was recruiting company insiders – including those at Microsoft; other big software/gaming companies such as Apple, IBM or EA; telecoms such as Telefonica, ATT; and more – to help it carry out its dirty work.

From its March 10 Telegram post:

“We recruit employees/insider at the following!!!! … TO NOTE: WE ARE NOT LOOKING FOR DATA, WE ARE LOOKING FOR THE EMPLOYEE TO PROVIDE US A VPN OR CITRIX TO THE NETWORK, or some anydesk” – references to technologies that the cybercriminals could use to penetrate targets’ networks with insiders’ help.

Data on Bing, Bing Maps, Cortana Allegedly Stolen

On Monday, Lapsus$ began to circulate a 10GB compressed archive that purportedly contains internal data on Microsoft’s Bing search engine and Bing Maps, along with the source code to the company’s voice assistant software Cortana.

The leaked data is dated March 20, 2022.

“Bing maps is 90% complete dump. Bing and Cortana around 45%,” Lapsus$ wrote on its Telegram channel.

Microsoft acknowledged the claims and said that it’s investigating.

Lapsus$ Sneers at Okta’s Claims

On Tuesday, Okta Chief Security Officer David Bradbury made a number of claims in an updated statement that, within hours, Lapsus$ dismissed. Demirkapi tweeted the group’s slap-back:

Among other things, Lapsus$ scorned Bradbury’s description of the group having breached an engineer’s laptop in the January attempt (it was a thin client, the gang said). The gang also laughed at Bradbury’s claim that the January attempt to access an engineer’s account was unsuccessful (“I’m STILL unsure of how its an unsuccessful attempt? Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn’t successful?”).

Lapsus$ also said that “the potential impact to Okta customers is NOT limited. I’m pretty sure that resetting passwords and MFA would result in complete compromise of many clients systems.”

032822 11:01 UPDATE: In a March 23 update, Bradbury clarified that most support engineering tasks are performed using an internally built app called SuperUser, or SU for short. With the SU role, support engineers can perform basic management functions of Okta customer tenants, he said.

“This does not provide ‘god-like access’ to all its users,” Bradbury explained. “This is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles. They are unable to create or delete users. They cannot download customer databases. They cannot access our source code repositories.”

The Many Notches on Lapsus$’ Belt

The Lapsus$ group has pulled off a mounting pile of high-profile attacks. In December, it attacked the Brazil Ministry of Health, taking down several online entities, successfully wiping out information on citizens’ COVID-19 vaccination data as well as disrupting the system that issues digital vaccination certificates.

More recently, Lapsus$ crippled the Portuguese media giant Impresa; attacked Nvidia, making off with code-signing certificates then used to sign malware and thus enabling malicious programs to slide past security safeguards on Windows machines; released a purportedly massive dump of proprietary source code stolen from Samsung; and attacked Assassin’s Creed video game developer Ubisoft.

On Monday, the group also claimed to have breached the electronics giant LGE, according to Security Week.

Lapsus$ Is a ‘Wild Card’

Drew Schmitt, Lapsus$ ransomware expert and principal threat intelligence analyst at cybersecurity firm GuidePoint Security, has interacted directly with the group through his years of ransomware negotiations and threat intelligence work.

He told Threatpost on Tuesday that the group is a “wild card” in that “they do not perform encryption of files or data for extortion purposes, rather they target and exfiltrate sensitive data and use that for the primary extortion effort.”

That sets Lapsus$ apart from the traditional ransomware approach used by groups such as Conti, Lockbit and others, he said. Another deviation from traditional ransomware groups is their use of Telegram for communication and extortion purposes versus the use of a leak site hosted using a TOR service, he noted. As well, their initial access to targeted organizations is unorthodox, he said, referring to the March 11 recruiting message for rogue insiders.

Lapsus$ apparently operates on its own, without ties to other cybercriminal/ransomware syndicates or nation-state sponsorship, Schmitt said. That could change, though, as analysis continues, he said: “As this group has gained a lot of notoriety in the past few weeks, it is possible that we will learn new intelligence that indicates connections to other known groups and syndicates.”

Schmitt said that Lapsus$ is changing the ransomware game with its non-traditional approaches to initial access, its move away from file encryption, and its deviation from the traditional leak site infrastructure. These are changes that could be adopted by more traditional ransomware groups, he predicted.

Not Just the New Kid on the Block

The Lapsus$ group’s move on Okta makes it clear that these guys are more than simply the new kid on the block, according to security experts.

Dave Stapleton, a former government security analyst and current CISO of third-party risk management company CyberGRX, thinks that Lapsus$ is looking to increase its notoriety – all the better to recruit insiders willing to sell remote access to major technology corporations. Yet another far-reaching supply-chain attack could also be in its sights, he told Threatpost on Tuesday.

“While details are scarce at the moment, it is clear that this threat actor is working hard to make a name for themselves,” Stapleton said via email. “Continuing to increase their notoriety and standing will support their recruitment of insiders who are willing to sell remote access to major technology corporations and ISPs. With this latest move against Okta, the Lapsus$ group is essentially advertising to potential recruits how they operate.”

Given that Okta is “a crucial identity provider for organizations around the world,” Stapleton fears another in the string of supply-chain attacks that have struck the likes of Toyota, et al. “I’m sure [Okta’s] customers will be watching closely. The threat of another far-reaching supply chain attack certainly has my attention,” he said.

Kevin Novak, managing director of Breakwater Solutions, suspects that the scope of Okta’s backend breach is likely limited. Otherwise, given Okta’s massive customer base, we’d likely know it by now. “While some have made conjectures about whether this hack contributed to another breach here or there, it would seem that a full compromise of Okta’s backend would have become far more obvious by now, but we’ll see more over the next few months,” he said.

“If … the compromise involved a successful assault on client information, such as client credentialing, key materials, or source code pertaining to environments that may lead to client compromises, then Okta may suffer much greater scrutiny from the field for its lack of adequate, timely notification of the event,” Novak noted.

What to Do Now

The Okta breach is still developing. Still, there are steps organizations can take now to secure their employees and networks. Jon Hencinski, director of global operations at Expel, told Threatpost that precautionary actions to take immediately include rotating privileged Okta passwords and Okta-generated tokens and reviewing Okta admin authentications and activity for the past four months.

He provided these other tips:

  • Review configuration changes to ensure they align with expected activities and sources.
  • Review admin authentications and ensure they originate from expected sources based on the source user.
  • Identify any Okta accounts where MFA was disabled during the same time period and determine the user and root cause of that disablement, then re-enable MFA for those accounts.
  • Throughout this process, communicate transparently what you’re doing and have done with your internal and external stakeholders.
  • This is also an opportunity to stress-test your incident response plan (IRP). And if you don’t have an IRP — create one, then test it and test it again.

“Fortune favors the prepared,” Hencinski said.
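The review Hencinski recommends (admin authentications from unexpected sources and MFA disablement over the past four months) can be run over exported Okta System Log events. The following is an added example, not code from Threatpost, Expel or Okta: the event records are constructed to follow the shape of Okta’s System Log JSON, and the admin list and expected source IPs are assumed inputs a team would fill in from its own environment.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events in the shape of Okta System Log JSON. The users,
# IP addresses and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"published": "2022-01-21T10:02:11.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "SUCCESS"}, "target": []},
    {"published": "2022-01-21T10:05:40.000Z", "eventType": "user.mfa.factor.deactivate",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    {"published": "2022-03-01T08:00:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.5"},
     "outcome": {"result": "SUCCESS"}, "target": []},
]
ADMIN_USERS = {"alice@example.com"}                          # assumed: holders of Okta admin roles
EXPECTED_SOURCES = {"alice@example.com": {"198.51.100.5"}}  # assumed: known egress IPs per admin

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def review_okta_events(events, admin_users, expected_sources, now, lookback_days=120):
    """Return findings for the four-month review: successful admin sign-ins from an
    IP not on that admin's expected list, and MFA factors deactivated on any user."""
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for ev in events:
        if parse_ts(ev["published"]) < cutoff or ev["outcome"]["result"] != "SUCCESS":
            continue  # outside the review window, or the action did not succeed
        actor, ip, etype = ev["actor"]["alternateId"], ev["client"]["ipAddress"], ev["eventType"]
        if etype == "user.session.start" and actor in admin_users \
                and ip not in expected_sources.get(actor, set()):
            findings.append(("admin_login_unexpected_source", actor, ip, ev["published"]))
        elif etype == "user.mfa.factor.deactivate":
            # record which user lost a factor and who did it, for root-cause follow-up
            for t in ev["target"]:
                if t.get("type") == "User":
                    findings.append(("mfa_deactivated", t["alternateId"], actor, ev["published"]))
    return findings

if __name__ == "__main__":
    review_end = parse_ts("2022-03-22T00:00:00.000Z")
    for finding in review_okta_events(SAMPLE_EVENTS, ADMIN_USERS, EXPECTED_SOURCES, review_end):
        print(json.dumps(finding))
```

Each finding for `mfa_deactivated` names the affected account so MFA can be re-enabled after the disablement is explained, as the tips above require.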

032222 19:14 UPDATE: Added response from Microsoft. Corrected security researcher Bill Demirkapi’s affiliation: His work is done independently.

032822 11:07 UPDATE: Added David Bradbury’s explanation of SuperUser accounts.
