The Chaos (and Cost) of the Lapsus$ Hacking Carnage
NEWS ANALYSIS: Security experts say the Lapsus$ gang’s “extortion and destruction” hacking spree is the work of an amateur gang allegedly led by a British teenager. What does this say about the state of cybersecurity?
The timing for Lapsus$ attacks couldn’t possibly be worse.
As enterprise network defenders absorbed warnings about cyberwar and confirmed reports of nation-state wiper and ransomware attacks, the Lapsus$ hacking gang stormed into public view with taunts and evidence of data-theft hacks against prominent brands NVIDIA, Samsung and Ubisoft.
Later, Microsoft and Okta would be dragged into the victim pool with Redmond publicly documenting “a large-scale social engineering and extortion campaign” and Okta badly botching its communications with customers on the extent of its breach.
The chaos — and ongoing controversies — caused by Lapsus$ (Microsoft calls them DEV-0537) is confirmation that sprawling attack surfaces and third-party vendor dependencies expose organizations in ways that are near impossible to defend. Worse, it confirms that even the most well-resourced organizations with the best security talent can fall victim to skilled, motivated attackers.
Microsoft’s blog post on Lapsus$ tells the story of a loosely organized group leaving a trail of destruction after successful hacking attacks against multiple organizations around the world.
“[The group is] known for using a pure extortion and destruction model without deploying ransomware payloads,” Microsoft warned in a note acknowledging its own systems were compromised in the high-profile raids.
Here’s Microsoft’s confirmation:
“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access.
Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”
Microsoft warned that the group has expanded its target list to organizations around the world, including entities in government, technology, telecom, media, retail, and healthcare sectors and was using brazen tactics to spy on incident responders during live incidents.
“DEV-0537 is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings,” Microsoft said, describing tactics that include phone-based social engineering, SIM-swapping, hacking employee personal accounts, and even paying insiders for access to a corporate network.
“DEV-0537 doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations,” Redmond noted.
For Okta, a publicly traded company with a market cap of $23 billion, the publication of screenshots and taunts from Lapsus$ led to a public relations debacle that included multiple attempts at accurately describing the blast radius, and bitter criticism from prominent cybersecurity leaders.
After multiple cryptic statements that appeared to downplay the severity of the compromise, Okta eventually confirmed that 366 of its customers (roughly 2.5 percent) “may have potentially been impacted and whose data may have been viewed or acted upon.”
The company’s security chief David Bradbury published a timeline that confirmed Okta got wind of the incident in mid-January but did not publicly communicate anything until Lapsus$ released screenshots three months later.
Okta, a company that provides identity and access management technology to approximately 15,000 customers, had earlier claimed that an attacker had limited access to a laptop during a five-day window and that customers were not affected, but the confusion and lack of transparency did not sit well with customers.
Amit Yoran, chairman and CEO of Tenable, did not mince words. “Two months is too long. This compromise should have been disclosed when Okta detected it in January or after a competent and timely forensic analysis,” Yoran said in an open letter to Okta published on LinkedIn.
“No indicators of compromise have been published, no best practices and no guidance has been released on how to mitigate any potential increase in risk. As a customer, all we can say is that Okta has not contacted us. And, to the best of our knowledge, we are not affected by the breach. Out of an abundance of caution, we are taking what we believe to be logical actions to minimize exposure,” Yoran declared.
Multiple CISOs polled by SecurityWeek confirmed the Lapsus$ incidents had added “significant cost” to even the most mature security programs.
“Every time there is a Twitter screenshot, we have to start an incident response process to see if we’re caught up in it. Obviously, when Okta’s name is mentioned, your ears perk up,” said one prominent security leader at a Dallas, Texas-based financial services firm.
“It’s all interconnected. If Microsoft is compromised, we have to scramble. If Okta is compromised, we have to scramble,” he added matter-of-factly.
“You’re assuming the worst-case scenario and looking to determine and limit blast radius. We really rely on vendors to be transparent and honest. If I can’t depend on you to be transparent and timely, I’ll probably be looking at alternatives.”
The Lapsus$ hacks also underscore the soft underbelly of data-sharing and data access between vendors and third-party providers and the way multiple hacking techniques can be combined to cause severe damages.
“Keep in mind, there are no fancy zero-days involved. They [Lapsus$] are showing that you don’t have to use zero-days or clever exploits. They’re exploiting an entire system where data is flowing everywhere and we really don’t have the controls to manage it.”
Microsoft recommends that organizations adopt insider-risk management playbooks to mitigate damage from the social engineering and identity-centric tactics used by the Lapsus$ gang.
These include the mandatory use of MFA (multi-factor authentication) for all users from all locations, including environments perceived as trusted. The MFA requirement should also cover all internet-facing infrastructure, including connections that originate from on-premises locations.
Redmond is also urging businesses to use modern authentication options (OAuth or SAML connected to Azure AD) to enable risk-based sign-in detection, and to strengthen and monitor cloud security deployments for signs of malicious activity.
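To turn the “all users, all locations” recommendation into something an administrator can check, here is an added example (not from the article or from Microsoft's guidance) that lints Conditional Access policies in the Microsoft Graph conditionalAccessPolicy JSON shape for the gaps the article names: report-only state, exemptions for trusted locations, excluded users or groups, and client app types left out of scope. Both sample policies and the group id are constructed for this example, not taken from any real tenant.

```python
# Added example: lint Entra ID / Azure AD Conditional Access policies (Microsoft Graph
# conditionalAccessPolicy JSON shape). Sample policies and the group id are constructed.
import json

WEAK_POLICY = json.loads("""{
  "displayName": "Require MFA (outside the office only)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeUsers": ["All"], "excludeGroups": ["<helpdesk-group-id-placeholder>"]},
    "applications": {"includeApplications": ["All"]},
    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
  },
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
}""")

STRONG_POLICY = json.loads("""{
  "displayName": "Require MFA for all users, all apps, all locations",
  "state": "enabled",
  "conditions": {
    "users": {"includeUsers": ["All"]},
    "applications": {"includeApplications": ["All"]},
    "locations": {"includeLocations": ["All"], "excludeLocations": []},
    "clientAppTypes": ["all"]
  },
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
}""")


def lint_mfa_policy(policy: dict) -> list[str]:
    """Return the gaps that stop this policy from enforcing MFA for everyone, everywhere."""
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    locs, grant = cond.get("locations", {}), policy.get("grantControls") or {}
    checks = [
        (policy.get("state") != "enabled", "policy is report-only or disabled"),
        ("mfa" not in grant.get("builtInControls", []), "grant controls do not require MFA"),
        (users.get("includeUsers") != ["All"], "not scoped to all users"),
        (bool(users.get("excludeUsers") or users.get("excludeGroups")), "users or groups are excluded"),
        (apps.get("includeApplications") != ["All"], "not scoped to all cloud apps"),
        # "AllTrusted" is the exemption for 'perceived trusted' networks the article warns about
        (locs.get("includeLocations") != ["All"] or bool(locs.get("excludeLocations")),
         "trusted or named locations are exempt"),
        (cond.get("clientAppTypes", ["all"]) != ["all"], "some client app types are exempt"),
    ]
    return [message for failed, message in checks if failed]


def tenant_enforces_mfa_everywhere(policies: list[dict]) -> bool:
    """True if at least one policy closes every gap (a tenant usually has several policies)."""
    return any(not lint_mfa_policy(p) for p in policies)
```

Run `lint_mfa_policy(WEAK_POLICY)` to see the four findings the weak policy produces, and feed the JSON exported from your own tenant to `tenant_enforces_mfa_everywhere` to confirm at least one policy has none.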