The world has been filled with negative news in recent weeks, but this week we saw a ray of light from the games industry. Microsoft and Okta have announced that they have successfully shut down Lapsus$ attacks on their servers by catching them off guard and running an additional layer of security to trick the hackers into believing they were operating legitimately. This is a smart move, as it shows that even though there are major companies being targeted by hacks every day, these companies can still keep up strong defenses when properly prepared.
Microsoft and Okta Respond to Lapsus$ Cyberattacks is a blog post about the Microsoft-Okta cyberattack. This article discusses how the attack took place, what happened, and what steps have been taken to prevent future attacks.
Microsoft and Okta are two of the most recent victims of the now-famous Lapsus$ hacking group. Both companies have responded in blog posts describing the events and the methods used to steal the data. Microsoft refers to the group as DEV-0537 on its blog.
DEV-0537, unlike other activity groups, does not appear to cover its tracks. The group goes as far as announcing its attacks on social media and advertising its intention to buy credentials from employees of its targets. DEV-0537 also uses a number of methods that are less common among other threat actors Microsoft tracks: phone-based social engineering; SIM swapping to take over accounts; accessing the personal email accounts of target employees; paying employees, suppliers, or business partners of target organizations for credentials and multifactor authentication (MFA) approvals; and joining the ongoing crisis-communication calls of their victims.
Microsoft confirmed that Lapsus$ gained access by compromising one of its employees’ accounts. The group has released 37 GB of data comprising Bing and Cortana source code. In Okta’s case, Lapsus$ posted screenshots to support its claim of having accessed the authentication and identity management platform’s internal web pages. Okta Chief Security Officer David Bradbury addressed those claims:
Okta discovered a failed attempt to breach the account of a customer support engineer for a third-party supplier in January 2022. We notified the provider of the problem as part of our standard protocols, while also canceling the user’s current Okta sessions and suspending their account. Following those measures, we shared relevant information (including suspect IP addresses) with them to help them with their investigation, which was aided by a third-party forensics business.
We got a report from the forensics company this week after the service provider’s inquiry was completed. An attacker obtained access to a support engineer’s laptop for a five-day period between January 16 and 21, 2022, according to the study. This corresponds to the screenshots we discovered the day before yesterday.
Following a comprehensive examination of these allegations, we have determined that a limited number of customers – roughly 2.5 percent – may have been affected and whose data may have been seen or acted upon. We’ve tracked down those customers and are reaching out to them individually. If you’re an Okta client who was affected, we’ve already contacted you by email. In keeping with our principles of customer success, honesty, and openness, we’re providing this interim update.
Bradbury will hold a webinar at 8 a.m. PDT and again at 4 p.m. PDT; Okta customers may register for the event.
Microsoft has released more detail on the tactics used, including social engineering, password-stealing malware, and bribing employees of targeted firms. The group is now openly soliciting people willing to help it gain access to businesses.
To assist others, Microsoft has released the following tips.
Do:
• Require multifactor authentication (MFA) for all users, even those coming from environments perceived as trustworthy, and for all internet-facing infrastructure, including on-premises systems.
• Use stronger methods such as FIDO tokens or the Microsoft Authenticator with number matching. Avoid telephony-based MFA methods, which are exposed to SIM swapping.
• Use Azure AD Password Protection to stop users from choosing easily guessed passwords. Further guidance is in Microsoft’s blog post on password spray attacks.
• To remove the risks that come with passwords altogether, consider passwordless authentication methods such as Windows Hello for Business, Microsoft Authenticator, or FIDO tokens.
Do NOT:
• Use weak MFA factors such as text messages (which are vulnerable to SIM swapping), basic voice approvals, simple push without number matching, or secondary email addresses.
• Add location-based exclusions. MFA exclusions let an actor who holds only one factor for a group of identities bypass MFA for all of them once they fully compromise a single identity.
• Allow users to share credentials or MFA factors.
Require healthy and trusted endpoints:
• Only allow trusted, compliant, and healthy devices to access resources, to limit the opportunity for data theft.
• Enable cloud-delivered protection in Microsoft Defender Antivirus to counter rapidly evolving attacker tools and techniques and block new and unknown malware variants, and enable attack surface reduction rules and tamper protection.
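As an added illustration of the Do / Do NOT list (this is not code from Microsoft, Okta or the original post), the following Python triage pass reads constructed Azure AD-style sign-in records and flags what the guidance warns against: sign-ins that never required a second factor (the gap a location exclusion opens), weak telephony or simple-push factors, and repeated rejected push prompts before an approval. The field and method names are assumptions modelled on Microsoft Graph sign-in log records.

```python
import json
from collections import Counter

# Constructed factor-strength table following Microsoft's "Do / Do NOT" list above.
# Assumption: method strings resemble Azure AD sign-in log values; check your tenant's logs.
WEAK_FACTORS = {"Text message", "Phone call", "Mobile app notification"}


def classify_signin(record):
    """Return the findings for one sign-in record (empty list = nothing to flag)."""
    findings = []
    if record.get("authenticationRequirement") == "singleFactorAuthentication":
        # MFA never applied: usually a location or per-user exclusion carved
        # this sign-in out of the MFA policy, exactly the gap the guidance warns about.
        status = record.get("conditionalAccessStatus", "unknown")
        findings.append(f"single-factor sign-in (conditional access: {status})")
    failed = Counter()  # rejected prompts seen so far, per method
    for step in record.get("authenticationDetails", []):
        method = step.get("authenticationMethod", "")
        if not step.get("succeeded"):
            failed[method] += 1
            continue
        if method in WEAK_FACTORS:
            findings.append(f"weak MFA factor: {method}")
        if failed[method]:
            # Rejected prompts followed by an approval: simple push without
            # number matching gives the user no way to tell this apart from abuse.
            findings.append(f"{failed[method]} failed {method} prompt(s) before approval")
    return findings


def triage(log_lines):
    """Parse newline-delimited JSON sign-in records; map user -> findings."""
    report = {}
    for line in log_lines:
        rec = json.loads(line)
        found = classify_signin(rec)
        if found:
            report[rec["userPrincipalName"]] = found
    return report


# Constructed sample records, not real sign-in data.
SAMPLE_LOG = [
    '{"userPrincipalName":"alice@example.com","authenticationRequirement":"multiFactorAuthentication","conditionalAccessStatus":"success","authenticationDetails":[{"authenticationMethod":"Password","succeeded":true},{"authenticationMethod":"FIDO2 security key","succeeded":true}]}',
    '{"userPrincipalName":"bob@example.com","authenticationRequirement":"multiFactorAuthentication","conditionalAccessStatus":"success","authenticationDetails":[{"authenticationMethod":"Password","succeeded":true},{"authenticationMethod":"Text message","succeeded":true}]}',
    '{"userPrincipalName":"carol@example.com","authenticationRequirement":"singleFactorAuthentication","conditionalAccessStatus":"notApplied","authenticationDetails":[{"authenticationMethod":"Password","succeeded":true}]}',
    '{"userPrincipalName":"dave@example.com","authenticationRequirement":"multiFactorAuthentication","conditionalAccessStatus":"success","authenticationDetails":[{"authenticationMethod":"Password","succeeded":true},{"authenticationMethod":"Mobile app notification","succeeded":false},{"authenticationMethod":"Mobile app notification","succeeded":false},{"authenticationMethod":"Mobile app notification","succeeded":true}]}',
]

REPORT = triage(SAMPLE_LOG)  # {user: findings}; alice (FIDO2) produces no entry
```

Of the four constructed users only alice, who used a FIDO2 key, passes clean; the other three surface one of the weaknesses the list describes.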
Source: Bleeping Computer (1, 2)