Highlights:

  • The hackers had access to the laptop of a customer support engineer working for a third-party provider.
  • Microsoft identified the compromised system and remediated the threat immediately to stop the breach.

Microsoft finally revealed that the extortion-focused LAPSUS$ hackers had gained limited access to its systems, as Okta, an authentication service provider, confirmed that about 2.5% of its clients were affected by the breach.

Microsoft’s Threat Intelligence Center (MSTIC) said, “No customer code or data was involved in the observed activities.” Furthermore, it added that the breach’s root cause was a single compromised account, which has been remediated to avoid further malicious activities.

The Windows maker, which had already been tracking the group under the moniker DEV-0537 before the public announcement, said it “does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

Additionally, the company’s security team observed, “This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

Okta, an identity and access management company, also admitted the breach. It said the hackers had access to the laptop of a customer support engineer working for a third-party provider between January 16 and 21, but that the Okta service itself was not compromised.

The San Francisco-based cloud-software firm also said that it has identified the affected customers and is in the process of contacting them, stressing that “Okta service is fully operational, and there are no corrective actions our customers need to take.”

Cloudflare, a web infrastructure company, said in a post-mortem analysis of the incident, “In the case of the Okta compromise, it would not suffice just to change a user’s password. The attacker must also change the hardware (FIDO) token configured for the same user. As a result, it would be easy to spot compromised accounts based on the associated hardware keys.”
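One way to turn Cloudflare’s observation into a check: scan identity-provider audit events for users whose password and MFA factor were both changed within a short window, and note when the change was made by a different account (such as a support administrator). This is an added example, not code from the article, Cloudflare, or Okta; the log lines are constructed, and the event type names are assumed to follow Okta System Log naming.

```python
import json
from datetime import datetime, timedelta

# Constructed sample lines shaped like Okta System Log events (not real data).
# Event type names are assumed to follow Okta's System Log naming.
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2022-01-16T09:00:00.000Z","actor":{"alternateId":"alice@example.com"},"target":[{"alternateId":"alice@example.com"}]}
{"eventType":"user.account.reset_password","published":"2022-01-16T10:05:00.000Z","actor":{"alternateId":"support-admin@example.com"},"target":[{"alternateId":"alice@example.com"}]}
{"eventType":"user.mfa.factor.reset_all","published":"2022-01-16T10:07:00.000Z","actor":{"alternateId":"support-admin@example.com"},"target":[{"alternateId":"alice@example.com"}]}
{"eventType":"user.mfa.factor.activate","published":"2022-01-16T10:20:00.000Z","actor":{"alternateId":"alice@example.com"},"target":[{"alternateId":"alice@example.com"}]}
{"eventType":"user.account.update_password","published":"2022-01-18T14:00:00.000Z","actor":{"alternateId":"bob@example.com"},"target":[{"alternateId":"bob@example.com"}]}
{"eventType":"user.mfa.factor.activate","published":"2022-01-10T08:00:00.000Z","actor":{"alternateId":"carol@example.com"},"target":[{"alternateId":"carol@example.com"}]}
"""

PASSWORD_EVENTS = {"user.account.reset_password", "user.account.update_password"}
FACTOR_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate",
                 "user.mfa.factor.activate"}

def parse_events(text):
    """Parse newline-delimited JSON events, keeping only the fields needed."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        events.append({
            "type": e["eventType"],
            "time": datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "actor": e["actor"]["alternateId"],      # who performed the change
            "target": e["target"][0]["alternateId"],  # whose account changed
        })
    return events

def find_suspect_accounts(events, window=timedelta(hours=24)):
    """Flag users whose password AND an MFA factor both changed within
    `window`; a credential reset alone is normal, the pair is the signal."""
    by_user = {}
    for e in events:
        if e["type"] in PASSWORD_EVENTS | FACTOR_EVENTS:
            by_user.setdefault(e["target"], []).append(e)
    suspects = {}
    for user, evs in by_user.items():
        pw = [e for e in evs if e["type"] in PASSWORD_EVENTS]
        fa = [e for e in evs if e["type"] in FACTOR_EVENTS]
        pairs = [(p, f) for p in pw for f in fa
                 if abs(p["time"] - f["time"]) <= window]
        if pairs:
            # Changes made by an account other than the user (e.g. a support admin)
            others = sorted({e["actor"] for pair in pairs for e in pair
                             if e["actor"] != user})
            suspects[user] = {"changes": len(evs), "changed_by_others": others}
    return suspects
```

Running `find_suspect_accounts(parse_events(SAMPLE_LOG))` flags only alice, whose password reset and factor reset were both performed by a support-admin account minutes apart; bob (password only) and carol (factor only) are not flagged.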

After Okta went two months without officially announcing the breach, the cybercriminals asked, “why to wait this long” in a counter statement.

LAPSUS$ also claimed in its rebuttal that Okta was storing Amazon Web Services (AWS) keys within Slack and that the support engineers had excessive access to the communication platform. The hackers added, “The potential impact to Okta customers is NOT limited; I’m pretty certain resetting passwords and MFA would result in the complete compromise of many clients’ systems.”

Microsoft Exposed LAPSUS$ Strategy

LAPSUS$ emerged in July 2021 and is now on a hacking spree, targeting numerous companies including Impresa, Brazil’s Ministry of Health, Claro, Embratel, NVIDIA, Samsung, Mercado Libre, Vodafone, and most recently Ubisoft.

The attackers are financially motivated and follow similar tactics each time: breaking into a target’s network, stealing sensitive data, and blackmailing the target for a ransom by publishing a glimpse of the stolen data on their Telegram channel.

Microsoft described LAPSUS$ as a group following a “pure extortion and destruction model without deploying ransomware payloads” and one that “doesn’t seem to cover its tracks.”

Other tactics adopted by the group include mobile-based social engineering schemes such as SIM-swapping to facilitate account takeover, accessing the personal email of employees at target organizations, bribing employees, suppliers, or business partners of those organizations for access, and joining the target organization’s ongoing crisis-response calls to make extortion demands.

LAPSUS$ has also been seen deploying the RedLine Stealer, which is sold on underground forums, to collect passwords and session tokens. Additionally, it has been observed purchasing credentials and access tokens from dark web marketplaces and searching public code repositories for exposed credentials to gain an initial foothold.

The company said, “The objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

After initial access, the group is known to exploit unpatched vulnerabilities on internally accessible Confluence, Jira, and GitLab servers for privilege escalation before exfiltrating relevant data and deleting the target’s systems and resources.

To guard against such intrusions, Microsoft is urging organizations to implement multifactor authentication (not message-based), make use of modern authentication solutions like OAuth or SAML, review individual sign-ins for signs of anomalous activity, and monitor incident response communications for unauthorized attendees.

LAPSUS$, after its spree of attacks on organizations, is now taking a break. On its Telegram channel, the group said, “A few of our members have [sic] a vacation until 30/3/2022. We might be quiet for some times [sic].”