Microsoft and Okta Breached Through Social Engineering Extortion Campaign
Microsoft and identity management platform Okta have both disclosed recent breaches involving LAPSUS$, a cybercrime group that specializes in stealing data from large companies and demanding a ransom for it. As reported on the Microsoft Security blog, Microsoft has been tracking a large-scale social engineering and extortion campaign against multiple organizations, including Microsoft itself. Some victims saw destructive activity alongside the ransom demands. In Microsoft's case, the intrusion began with the compromise of a single user account and ended with the theft of portions of source code for some Microsoft products.
According to the Microsoft Threat Intelligence Center (MSTIC), “the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion.” DEV-0537 is Microsoft’s moniker for LAPSUS$. Microsoft is actively updating its detection, hunting, and mitigation guidance in response, and Okta is maintaining an FAQ about the compromise.
According to Microsoft, the initial-access techniques used by LAPSUS$ include:
- Deploying the Redline password stealer to harvest passwords and session tokens
- Purchasing credentials and session tokens from criminal underground forums
- Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
- Searching public code repositories for exposed credentials
Emphasis on the ‘Paying employees’ bullet point is ours. We’ve written previously about insider recruitment as a rising social engineering threat. In this campaign, Microsoft states that it “found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners).”
“DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system. Such a tactic was just one of the ways DEV-0537 took advantage of the security access and business relationships their target organizations have with their service providers and supply chains.”
The attackers recruited employees via social media, and they also compromised employees’ personal social media and email accounts to gather information for later use. They have also been known to call corporate help desks to initiate a password reset on targeted accounts.
“The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure. Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity. Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.”
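The tactics quoted above share a recognizable shape on the defender's side: a help-desk-initiated password reset, followed shortly by a new MFA method being registered and/or a remote management tool such as AnyDesk starting on the user's corporate workstation. The following hunt, added here as an illustration (it is not code from Microsoft, Okta, or the original post), correlates those stages per user within a time window. The event schema, field names, the two-hour window, the set of remote-management tools beyond AnyDesk, and all sample events are assumptions constructed for the example, not a real product's log format.

```python
"""Hunt for the help-desk-reset -> MFA-registration -> remote-tool chain.

Events are generic dicts (a constructed schema, not a real log format):
  ts     ISO-8601 timestamp
  user   the account the event concerns
  type   password_reset | mfa_method_added | process_start
plus type-specific fields (channel/actor, method/ip, host/image).
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# AnyDesk is named in the article; the other binaries are assumptions about
# remote-management tools a real hunt would also want to cover.
REMOTE_MGMT_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "atera.exe"}

# Assumed correlation window: stages must follow the reset within two hours.
WINDOW = timedelta(hours=2)

# Constructed sample events for the demo (not from any real environment).
SAMPLE_EVENTS = [
    {"ts": "2022-03-20T09:02:00", "user": "alice", "type": "password_reset", "channel": "helpdesk", "actor": "hd-agent-17"},
    {"ts": "2022-03-20T09:10:00", "user": "alice", "type": "mfa_method_added", "method": "authenticator_app", "ip": "203.0.113.7"},
    {"ts": "2022-03-20T09:20:00", "user": "alice", "type": "process_start", "host": "WS-ALICE", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"ts": "2022-03-20T09:35:00", "user": "alice", "type": "process_start", "host": "WS-ALICE", "image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    # bob reset his own password via self-service: not the help-desk pattern.
    {"ts": "2022-03-20T10:00:00", "user": "bob", "type": "password_reset", "channel": "self_service", "actor": "bob"},
    {"ts": "2022-03-20T10:05:00", "user": "bob", "type": "mfa_method_added", "method": "authenticator_app", "ip": "198.51.100.4"},
    # carol's MFA change comes two days after her help-desk reset: outside the window.
    {"ts": "2022-03-18T11:00:00", "user": "carol", "type": "password_reset", "channel": "helpdesk", "actor": "hd-agent-03"},
    {"ts": "2022-03-20T11:00:00", "user": "carol", "type": "mfa_method_added", "method": "phone", "ip": "198.51.100.9"},
    # erin: help-desk reset then AnyDesk launched from a temp directory, no MFA change.
    {"ts": "2022-03-20T14:00:00", "user": "erin", "type": "password_reset", "channel": "helpdesk", "actor": "hd-agent-17"},
    {"ts": "2022-03-20T14:30:00", "user": "erin", "type": "process_start", "host": "WS-ERIN", "image": r"C:\Users\erin\AppData\Local\Temp\AnyDesk.exe"},
]


def is_remote_mgmt_tool(image: str) -> bool:
    """True if the process image's file name is a known remote-management tool."""
    return PureWindowsPath(image).name.lower() in REMOTE_MGMT_TOOLS


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def hunt(events: list, window: timedelta = WINDOW) -> list:
    """Return one finding per help-desk password reset that is followed, within
    `window`, by an MFA method registration and/or a remote-tool start for the
    same user. Severity is 'high' when both stages are seen, else 'medium'."""
    events = sorted(events, key=_ts)
    findings = []
    for i, reset in enumerate(events):
        if reset["type"] != "password_reset" or reset.get("channel") != "helpdesk":
            continue
        t0 = _ts(reset)
        stages = set()
        for follow in events[i + 1:]:
            if _ts(follow) - t0 > window:
                break  # events are time-sorted, so nothing later can qualify
            if follow["user"] != reset["user"]:
                continue
            if follow["type"] == "mfa_method_added":
                stages.add("mfa_method_added")
            elif follow["type"] == "process_start" and is_remote_mgmt_tool(follow["image"]):
                stages.add("remote_mgmt_tool")
        if stages:
            findings.append({
                "user": reset["user"],
                "reset_at": reset["ts"],
                "reset_actor": reset.get("actor"),
                "stages": sorted(stages),
                "severity": "high" if len(stages) == 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the hunt flags alice (reset, new MFA method, then AnyDesk: high) and erin (reset then AnyDesk: medium), and stays quiet on bob's self-service reset and carol's out-of-window MFA change. In a real deployment the help-desk agent identity in `reset_actor` is worth pivoting on, since the same outsourced agent handling several flagged resets is itself a signal.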
Implementing a zero-trust environment, with advanced endpoint protection, threat hunting, and user education, remains an organization’s best defense against threats like this one. Because the techniques above turn on a cooperating or deceived human approving an MFA prompt, installing a remote management tool, or passing a help-desk identity check, two controls deserve specific attention: MFA that cannot be approved by a single tap (number matching or phishing-resistant hardware keys rather than push approvals or SMS), and help-desk reset procedures that do not rely on knowledge-based questions such as “mother’s maiden name,” which the attackers have shown they can answer. Contact us to ensure you have the latest protections.