Lapsus$ strikes again: Microsoft source code stolen – Hundreds of companies potentially affected by Okta hack
The hacker group Lapsus$ has made headlines once again. After attacking the game developer Ubisoft last week, the gang has now conducted another major breach, this week facing IT giant Microsoft. Having been attacked by Lapsus$ in late January 2022, Okta has disclosed a full report on Wednesday. Along with that, the teenager, who is suspected to be the Lapsus$ mastermind, has been outed to be based in Oxford, UK.
Microsoft has confirmed that one of their employee’s accounts has been compromised by Lapsus$, allowing the threat actors to access the company’s servers and steal source code. According to the gang, 37GB worth of content have been stolen from Microsoft’s Azure DevOps server, giving the hackers insights into internal Microsoft projects, including Bing, Cortana and Bing Maps. A company-wide investigation of the incident has been started.
According to a press release, “no customer code or data was involved in the observed activities.” Microsoft proceeds to state that the “investigation has found a single account had been compromised, granting limited access.” Furthermore, their “cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.” Parts of its source code being leaked does not seem to faze the IT giant: “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.“
Although Microsoft has not officially stated how control over the employee’s account had been gained, they provided an overview of Lapsus$’s tactics, techniques, and procedures, which have been observed across multiple attacks. According to the report, “the actors behind DEV-0537 focused their social engineering efforts to gather knowledge about their target’s business operations. Such information includes intimate knowledge about employees, team structures, help desks, crisis response workflows, and supply chain relationships. (…) The objective of DEV-0537 is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”
On March 23, 2022, Okta, an IT service company known for applying authentication and authorization services to company applications, disclosed the state of the ongoing investigation of the Lapsus$ attack around January 20, 2022. This report seems like an immediate reaction to several screenshots taken from a computer used by one of Okta’s third-party customer support engineers, which were published online on March 22, 2022. According to the publishers, Lapsus$ managed to access internal data for multiple days, some sources even suggest, they might have managed to access the data of Okta’s customers over the past few months. The company replied to this rumor right away, as despite everything that has happened recently, Okta’s Chief Security Officer David Bradbury states: “I am confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers.”
According to the City of London Police, seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group, for the time being all have been released under investigation. As the presumed mastermind behind Lapsus$, who goes by the online alias “White”, has been outed by former “business partners” to be a minor from Oxford, UK, he is expected to be amongst those under investigation.
For effective protection against a Lapsus$ attack, Microsoft recommends corporations to strengthen their MFA implementation, leverage modern authentication options for VPNs, strengthen and monitor their cloud security posture, improve awareness of social engineering attacks, and establish operational security processes in response to DEV-0537 intrusions. It is strongly advised that security and network admins become familiar with the tactics used by this group by reading Microsoft’s full report and Oktas investigation of the compromise (okta.com)
Microsoft confirms they were hacked by Lapsus$ extortion group (bleepingcomputer.com)
Lapsus$ hackers leak 37GB of Microsoft’s alleged source code (bleepingcomputer.com)
Microsoft bestätigt Hack durch Lapsus (golem.de)
Hacker Gruppe Lapsus leakt 37 GB Microsoft Interna (heise.de)
Lapsus$ Cyberattacks Traced to Teenager in England – Bloomberg
Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal – BBC News
A Closer Look at the LAPSUS$ Data Extortion Group – Krebs on Security
What the 2022 Weak Password Report tells us about IT security awareness
What specifically makes a password vulnerable? The 2022 Weak Password Report by Specops Software has yielded some interesting results, looking at both the human and the tech side of why passwords are the weakest link in an organization’s network.
Considering passwords have been an essential part of IT since the beginning, password security practices should be refined to perfection and following the commonly known steps on “How to create the ideal password” would be a guaranteed way of keeping passwords safe. The results of Specops Software’s first annual Weak Password Report may cause you to rethink the way in which your organization manages passwords.
The research in the report has been compiled through proprietary surveys and data analysis of 800 million breached passwords, a subset of the more than 2 billion breached passwords within Specops Breached Password Protection list.
According to their data, 93% of the passwords used in brute force attacks include 8 or more characters and 41% of passwords used in real attacks are 12 characters or longer, showing that password length does not guarantee password safety.
People are strongly influenced by emotions, culture and their surroundings while creating passwords, making buzzwords a risk. For instance, 42% of seasonal passwords contained the word “summer”, 150,000 password breaches included the baseball team “Cincinnati Reds” and movie titles, characters, musicians, as well as song names showed up plenty of times.
The long-standing “best practice” of password complexity has generally been supported by the report. There were more than 13 times as many leaked passwords containing only upper-, lower-case letters and numbers, than a combination of upper- and lower-case letters, numbers, and symbols. Initially, this suggests that complexity does indeed help with password security. However, those who use more complex passwords are also expected to rather avoid risky behavior which so often leads to credential theft.
Password reuse, according to the 2022 report, is also a major problem. Surveying more than 2000 users, Specops found out that 48% of the survey respondents have 11 or more passwords for work. In addition, the majority of 71% stated that they have 11 or more passwords for personal use. Roughly 20% of those respondents admitted to using the same or similar passwords for multiple applications and systems.
Although there are active leaked password databases containing millions of passwords, showing the need for protection and optimization, the 2022 Weak Password Report states that 54% of organizations do not have a tool for managing work passwords. To make things worse, 48% of organizations do not have a user identity verification mechanism in place for their service desk, which exposes the service desk to social engineering risks.
The team behind the report truthfully states: “The data in this report should bring awareness to this all-too common problem. The next step is to take action, which means blocking weak and compromised passwords, enforcing password length requirements, enforcing user verification at the service desk, and auditing the enterprise environment to highlight password-related vulnerabilities.”
HP printers show vulnerability to remote code execution
Hewlett-Packard has published security advisories for three critical-severity vulnerabilities to remote code execution and buffer overflow affecting hundreds of printer models. The bulletin listed the severity of the bug as critical and released updates that should solve the issue.
The buffer overflow flaw could affect LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format and DeskJet printer models. As was reported by Trend Micro’s Zero Day Initiative team, the vulnerability could be exploited for information disclosure, remote code execution, and denial of service on the affected machine. HP lists the bug’s severity as critical. While not many details have been published about these vulnerabilities, the repercussions of remote code execution and information disclosure are generally far-reaching and potentially dire.
Luckily, the tech giant based in Palo Alto, California, USA, has reacted quickly, already releasing firmware updates for the affected products. Considering severity levels, it is recommended to follow and apply the security updates as soon as possible. Admins may visit HP’s official software and driver download portal, navigate to select their device model, and install the latest available firmware version.
Although as of Thursday, March 24, 2022, there is no mitigation advice to remediate the problem for one of the listed LaserJet Pro models, it has been marked as pending. Therefore, the missing updates are expected to become available soon. For models without a patch, HP provides mitigation instructions that involve disabling Link-Local Multicast Name Resolution in network settings for the time being.
Hundreds of HP printer models vulnerable to remote code execution (bleepingcomputer.com)
Hundreds of HP printers affected by critical security issues (gHacksTechNews)
Kritische Sicherheitslücken in mehr als 200 HP-Drucker-Modellen (heise.de)
Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.
Please remember: this article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.