Microsoft and Okta Breached Through Social Engineering Ransomware Attack

Posted April 5, 2022

Microsoft and identity management platform Okta have both disclosed recent breaches involving LAPSUS$, a cybercrime group that specializes in stealing data from big companies and demanding a ransom. As reported by the Microsoft security blog, Microsoft began tracking a large-scale social engineering and extortion campaign against multiple organizations including its own services. The campaign had some victims seeing evidence of destructive elements along with ransom demands. The attack initially compromised a single Microsoft user account and eventually stole parts of Microsoft source code for some products.

According to the Microsoft Threat Intelligence Center (MSTIC), “the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. DEV-0537 is Microsoft’s moniker for LAPSUS$. Microsoft is actively updating detection, hunting, and mitigation techniques in response and Okta is updating an FAQ regarding the compromise.

According to Microsoft, infiltration techniques used by LAPSUS$ include

Deploying the malicious Redline password stealer to obtain passwords and session tokens
Purchasing credentials and session tokens from criminal underground forums
Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
Searching public code repositories for exposed credentials

Emphasis on the ‘Paying employees’ bullet point is ours. We’ve written previously on detecting insider threats to security as a rising social engineering threat. In this attack, Microsoft states they “found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners),”

“DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system. Such a tactic was just one of the ways DEV-0537 took advantage of the security access and business relationships their target organizations have with their service providers and supply chains.”

The attackers would recruit employees via social media as well as initially attacking employees’ personal social and email accounts to gain information. The attackers have also been known to call corporate help desks to initiate a password reset on targeted accounts.

“The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure. Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity. Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.”

Implementing a zero-trust environment, with advanced endpoint protection, threat hunting, and user education remains an organization’s best defense in this evolving environment of advanced threats. Contact us to ensure you have the latest protections.

Scott Anderson

Scott Anderson is Partner / CTO of Verus Corp. He works with mid- and large-sized companies to ensure that all of their managed IT service needs are met to their highest standards. Scott knows that giving customers exactly what they need requires flexibility and patience. He works with each department to carry out documentation and the processes of providing managed IT services. Every position that Scott has held has been largely focused on customer service. This expertise and experience means that you’ll be getting a holistic and customer-centered experience from Verus Corp, from installation to troubleshooting. Scott has provided services that have helped Verus Corp be named a Cisco Select Partner and WatchGuard Partner of the Year. Most recently, Verus Corp was named the second best place to work by the Minneapolis/St. Paul Business Journal. Scott has a Bachelor’s in Speech from St. Cloud State University.