The story so far: On March 22, authentication platform Okta confirmed that hackers had tried intruding into its systems three months earlier. The platform confirmed that an attacker had access to one of its employees’ laptops in January, and that a portion of its clients may have been affected by the breach. The firm’s disclosure came after the hacking group Lapsus$ shared screengrabs of Okta’s internal systems on the messaging platform Telegram. The images included Okta’s Slack channels and its Cloudflare interface. In a recent filing, Okta shared that it has over 15,000 clients globally, including bike brand Peloton, speaker maker Sonos, and the Federal Communications Commission (FCC). A day before sharing the screenshots, on March 21, Lapsus$ announced on social media that it had stolen source code from a number of large tech firms, and claimed responsibility for the breach and the dissemination of confidential data.
On January 20, 2022, Okta’s security team was alerted that a new factor had been added to a Sitel customer support engineer’s Okta account from a new location. Sitel is Okta’s third-party partner providing customer support engineers to the authentication company. The added factor was a password. The team investigated the alert and escalated it to a security incident. The company’s service desk was added to the incident to assist in containing the user’s account.
They terminated the user’s Okta sessions and suspended the account until the root cause of suspicious activity could be identified and remediated. Okta claimed that the individual attempt was unsuccessful and they had reset the account and notified Sitel.
Its investigation revealed that the screenshots published by the hackers were obtained through remote access to a Sitel-managed computer using Remote Desktop Protocol (RDP). So, while the attacker never gained access to Okta’s service through an account takeover, the computer that was logged into Okta was compromised and controlled through the RDP session. RDP is a protocol, or technical standard, that gives a user a graphical interface for connecting to a desktop computer remotely. The user runs RDP client software for this purpose, while the computer being accessed must run RDP server software.
The cyber-crime group Lapsus$ is said to be based in South America. The group is relatively new but has successfully breached major firms like Microsoft. It has also publicly taunted its victims, leaking their source code and internal documents. It has even gone to the extent of joining Zoom calls of companies it breached, taunting the employees and consultants trying to clean up the hack, according to a Bloomberg report. The group has an active presence on the messaging app Telegram, and its channel has over 47,000 subscribers.
Unlike most hacker groups that stay under the radar, Lapsus$ doesn’t cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organisations. Their tactics include phone-based social engineering, SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organisations, and paying employees, suppliers, or business partners of their targets to get their credentials and multifactor authentication (MFA) approval.
According to Microsoft, the group has even joined its targets’ crisis-communication calls and internal discussion boards, such as Slack and Teams channels and conference calls, to learn the victim’s incident response workflow and its planned response.
Social engineering efforts include gathering data about a target’s business operations, employees, team structures, help desks, crisis response workflows, and supply chain relationships. The group spams a target with MFA prompts and calls the organisation’s help desk to reset a target’s credentials. It can also perform SIM-swapping attacks to take over a user’s phone number and handle phone-based authentication prompts to sign into the corporate network. It even offers to buy credentials from employees of target organisations. For a fee, the employee must provide their credentials and approve the MFA prompt, or install AnyDesk or other remote management software on a corporate workstation, allowing the actor to take control of an authenticated system, Microsoft said. On obtaining an employee’s credentials, the group connects to that person’s organisation’s VPN (virtual private network). It then tries to discover additional credentials or exploit unpatched vulnerabilities to intrude into internal servers. It also searches code repositories and collaboration platforms for exposed credentials and secrets. It can even access the target’s cloud assets to create new virtual machines within the target’s cloud environment and use them for further attacks across the organisation.
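Two of the signals described on this page, the alert that fired at Okta on January 20 (a new factor enrolled on an account from a new location) and the MFA-prompt spamming in the group's playbook, can both be written as simple detection rules over an identity provider's authentication log. The Python below is an added example, not Okta's or Microsoft's code; the event format, the event-type names and the sample events are constructed for illustration and do not follow Okta's actual System Log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on an identity provider's
# authentication log. Field and event-type names are assumptions for this
# example, not a real vendor schema. Users and cities are made up.
EVENTS = [
    {"ts": "2022-01-20T09:00:00", "user": "eng1@example.test", "type": "login.success", "city": "Mumbai"},
    {"ts": "2022-01-20T09:05:00", "user": "eng1@example.test", "type": "login.success", "city": "Mumbai"},
    {"ts": "2022-01-20T09:30:00", "user": "eng3@example.test", "type": "login.success", "city": "Mumbai"},
    # Factor enrolment from a city this user has never logged in from: suspicious.
    {"ts": "2022-01-20T21:10:00", "user": "eng1@example.test", "type": "mfa.factor.enroll", "city": "Lisbon", "factor": "password"},
    # Burst of push challenges to one user in a few minutes: MFA fatigue pattern.
    {"ts": "2022-01-20T21:11:00", "user": "eng2@example.test", "type": "mfa.push.sent", "city": "Mumbai"},
    {"ts": "2022-01-20T21:12:00", "user": "eng2@example.test", "type": "mfa.push.sent", "city": "Mumbai"},
    {"ts": "2022-01-20T21:13:00", "user": "eng2@example.test", "type": "mfa.push.sent", "city": "Mumbai"},
    {"ts": "2022-01-20T21:14:00", "user": "eng2@example.test", "type": "mfa.push.sent", "city": "Mumbai"},
    {"ts": "2022-01-20T21:15:00", "user": "eng2@example.test", "type": "mfa.push.sent", "city": "Mumbai"},
    # A single push and an enrolment from a known city: benign, no alert.
    {"ts": "2022-01-20T21:18:00", "user": "eng3@example.test", "type": "mfa.push.sent", "city": "Mumbai"},
    {"ts": "2022-01-20T21:20:00", "user": "eng3@example.test", "type": "mfa.factor.enroll", "city": "Mumbai", "factor": "totp"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(value)


def detect_new_factor_from_new_location(events):
    """Flag factor enrolments from a city the user has not successfully logged in from.

    Returns a list of (user, factor, city) tuples in event order. This mirrors
    the kind of alert described on the page: a new factor added from a new location.
    """
    seen_cities = defaultdict(set)   # user -> cities with prior successful logins
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "login.success":
            seen_cities[e["user"]].add(e["city"])
        elif e["type"] == "mfa.factor.enroll":
            if e["city"] not in seen_cities[e["user"]]:
                alerts.append((e["user"], e["factor"], e["city"]))
    return alerts


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive `threshold` or more push challenges inside `window`.

    Uses a sliding window per user; each user is reported once, at the event
    that first crosses the threshold, as (user, count_in_window, timestamp).
    """
    recent = defaultdict(deque)      # user -> timestamps of recent pushes
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] != "mfa.push.sent":
            continue
        now = parse_ts(e["ts"])
        q = recent[e["user"]]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()              # drop pushes older than the window
        if len(q) >= threshold and e["user"] not in flagged:
            flagged.add(e["user"])
            alerts.append((e["user"], len(q), e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_new_factor_from_new_location(EVENTS):
        print("NEW FACTOR FROM NEW LOCATION:", alert)
    for alert in detect_push_fatigue(EVENTS):
        print("MFA PUSH FATIGUE:", alert)
```

On the sample data the first rule fires only for the password enrolment from Lisbon, and the second only for the five pushes sent to one user within five minutes; the single push and the enrolment from a known city produce nothing. In a real deployment the threshold and window would be tuned against the organisation's normal push volume, and the location baseline would be built from more than one day of history.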
The group is said to be led by two teenagers, a 16-year-old and a 17-year-old. The younger of the two is from Oxford and has been accused of being the leader of Lapsus$. He is also said to have been diagnosed with autism. He has been operating under the online aliases "White" and "Breachbase", and is estimated to have made $14 million from hacking, according to a BBC report. The teenager was caught after he was doxxed on a hacker website following a falling-out with his business partners. The hackers revealed his name, address, and social media pictures. Doxxing refers to searching for and publishing private information about an individual on the internet, with the malicious intent of revealing the person's real identity. Cyber researchers and law enforcement authorities had been tracking "White" for almost a year. They used forensic evidence from the hacks as well as publicly available information to link the teen to the hacking group. Both teenagers were taken into police custody after being charged with hacking computer networks.
The group began targeting organisations in the United Kingdom and South America, and then expanded to global targets. They intrude into computer networks of governments, technology firms, retail outlets, and healthcare organisations.
Besides security firm Okta, the group's other big target was software giant Microsoft. "Our investigation has found a single account had been compromised, granting limited access," Microsoft said in a blog post confirming the breach. Nvidia, Samsung, LG and Globant are some of the other large firms targeted by the cybercrime gang. The group is also known to take over individual accounts at cryptocurrency exchanges to drain their holdings, Microsoft noted in its blog.