Both Microsoft and Okta have admitted that their systems were indeed infiltrated by the Lapsus$ hacking group, but both companies also said that the cyberattack’s impact was limited. In a post on the Microsoft Security blog, the tech giant has revealed that the group gained limited access to its systems using a single compromised account.
When the hacking group released a torrent with stolen data, it said the package included 90 percent of Bing’s source code and 45 percent of Cortana and Bing Maps code. Microsoft didn’t say whether those products’ codes were indeed stolen, but it explained that it “does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.” Apparently, the company was already investigating the compromised account even before Lapsus$’s announcement. The group’s move prompted Microsoft to move more quickly, allowing it interrupt the bad actor in the middle of its operation, thereby limiting its impact.
Meanwhile, Okta updated its old post made in response to the hacking claim and revealed that approximately 2.5 percent of its customers may have had their data viewed or acted upon. While the company has tens of thousands of customers, it actually supports “hundreds of millions of users,” according to its website. Okta confirmed it has already contacted the affected customers directly via email.
Okta previously said that it discovered a five-day window in January where an attacker had access to a support engineer’s laptop. However, it said the potential impact to Okta customers is limited, because support engineers only have access to limited data. Lapsus$ claimed that the statement was a lie, because it was able to log into a “superuser portal with the ability to reset the password and MFA” of around 95 percent of the company’s clients.
In addition to announcing the results of its investigation, Microsoft has also detailed how Lapsus$ operates in its post. The group apparently uses various tactics to gain entry into its targets’ systems, such as relying on social engineering and using password stealers. It also purchases logins from underground forums and even pays employees working in target organizations to use their credentials, approve MFA prompts and to install remote management software on a corporate workstation if needed. At times, it also performs SIM-swapping attacks to get access to a user’s phone number in order to receive their two-factor codes.
If it only gains access to account credentials for someone with limited privileges at first, it explores the company’s collaboration channels like Teams and Slack or exploits vulnerabilities to gain logins for users higher up in the organization. Microsoft said the group started by targeting cryptocurrency accounts, stealing wallets and funds. Eventually, it also targeted telecom companies, higher educational institutions and government organizations in South America and then worldwide.
