Okta and Microsoft confirm Lapsus$ hacks

23 Mar 2022

Image: © Tobias Arhelger/Stock.adobe.com

Nearly 400 Okta customers may have been affected by a Lapsus$ hack, while Microsoft confirmed hackers had ‘limited access’ to source code.

Okta and Microsoft have both confirmed claims of data breaches made by cybercrime group Lapsus$ earlier this week.

Identity and access management company Okta said in an updated statement yesterday (22 March) that screenshots posted by Lapsus$ of the group appearing to gain access to the company’s customer accounts are related to a January hack of an engineer’s laptop.

While Okta confirmed that its service is “fully operational” and that “there are no corrective actions our customers need to take”, approximately 2.5pc of its customers have potentially been impacted by a data breach.

Okta has more than 15,000 customers, including some big clients such as such as DCC, Engie, ITV, Renault, Siemens, Plan International, Slack and Pret a Manger. This means that around 375 customers may have been affected by the hack.

“We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email,” wrote Okta’s chief security officer, David Bradbury, in an update.

The company said it detected an “unsuccessful attempt” in January to compromise the account of a customer support engineer working for a third-party provider. Okta said it immediately terminated the user’s session and suspended their account, which was followed by a forensics report earlier this week.

The report confirmed there was a five-day window between 16 and 21 January when an attacker had access to the support engineer’s laptop. Okta said that this limited the hacker’s reach to only what support engineers can access.

However, according to a BleepingComputer report, Lapsus$ has disputed Okta’s claim that the hack was “unsuccessful”, claiming that the group “logged in to superuser portal with the ability to reset the password and [multi-factor authentication] of [approximately] 95pc of clients”.

Okta has released more details and a timeline of events related to the hack based on its investigation so far. In it, Bradbury revealed that he is “greatly disappointed” by Okta’s delay in getting an investigative report after the incident.

The screenshots from Lapsus$ show the email address of an employee of cybersecurity company Cloudflare, which is an Okta client, whose password is about to be reset by hackers.

Cloudflare confirmed that this company email was suspended swiftly after the incident was reported. Cloudflare co-founder and CEO Matthew Prince said on Twitter that no compromise has been confirmed yet, but the company is resetting the Okta credentials of any employees who have changed their passwords in recent months.

Microsoft confirms hack

Meanwhile, Microsoft has also confirmed that one of its employees was compromised by a Lapsus$ hack that gave the attacker access to some of the software giant’s source codes.

The ransomware group said earlier this week that it stole the source code of multiple Microsoft projects. It shared photos of what appeared to be a hacked Microsoft server on its Telegram channel over the weekend, before releasing a torrent file earlier this week.

Lapsus$ claimed these files contained the source code for 250 projects stolen from Microsoft’s internal Azure DevOps server, including the code for Bing and Cortana.

In an update yesterday, Microsoft said that while no customer code or data was affected by the hack, “a single account had been compromised, granting limited access”.

“Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” explained Microsoft in an advisory about the Lapsus$ threat actors.

Microsoft did not share details of how the account was compromised but gave a brief summary of how Lapsus$ functions as a hacking group based on observations from multiple attacks.

“Unlike most activity groups that stay under the radar, [Lapsus$] doesn’t seem to cover its tracks,” Microsoft noted. “They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organisations.”

Lapsus$ also took responsibility for the Nvidia cyberattack last month. The group claimed to have files on Nvidia GPU drivers, which could allow hackers to turn every Nvidia GPU into a bitcoin mining machine.

A week after the Nvidia attack, the group claimed that it leaked almost 190GB of data from Samsung. Last week, it sent a smirking face emoji to a news link related to the recent Ubisoft hack, which could be the group taking responsibility for that cyberattack.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain is a journalist with Silicon Republic