Lapsus$ Hacking Group Reportedly Hits Microsoft, Okta

The Lapsus$ hacking group has struck again, this time reportedly targeting Microsoft and Okta with data leaks.

The Lapsus$ hacking group claims to have leaked the source code for Bing, Cortana and other projects stolen from Microsoft’s internal Azure DevOps server, Bleeping Computer reported. The group posted a screenshot to their Telegram channel indicating the hack.

“Our investigation found an account had been compromised, granting limited access,” a Microsoft spokesperson said, “Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.”

Microsoft said it doesn’t rely on the secrecy of code as a security measure. In addition, viewing source code isn’t tied to elevation of risk.

Okta, which provides authentication services to thousands of customers such as Major League Baseball (MLB) and MGM Resorts, is investigating a Lapsus$ data breach.

According to Reuters, hackers posted screenshots of what they said was internal information on their Telegram channel.

Okta issued the following statement in response to the Lapsus$ hacking group’s claims:

“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Lapsus$ Behind Other Big-Name Data Leaks

Lapsus$ is allegedly responsible for obtaining confidential data including the source code that operates Samsung Galaxy smartphones. It also claimed responsibility for the recent Nvidia breach.

Rajiv Pimplaskar is CEO of Dispersive, a network security provider.

Dispersive’s Rajiv Pimplaskar

“Attackers attack Microsoft and Okta because they know the value of identity,” he said. “Identity, not apps, not servers, not devices, is the important component in the cybersecurity world.”

Organizations must check identities, especially the privilege ones, in real time, not just monthly, Pimplaskar said.

Saryu Nayyar is Gurucul‘s CEO and founder.

Gurucul’s Saryu Nayyar

“While customers are relying on vendors like Okta for zero trust and starting to implement secure access service edge (SASE), this shows the need for more advanced security operations tools to ensure that threat actors aren’t abusing identity and access policies,” she said.

CISOs must invest more in automation-focused threat detection, investigation and response (TDIR) solutions, Nayyar said.

Kevin Novak is managing director at Breakwater Solutions. He said if the compromise involved a successful assault on client information, such as client credentialing, key materials or source code pertaining to environments that may lead to client compromises, then Okta may suffer much greater scrutiny from the field for its “lack of adequate, timely notification of the event.”

Breakwater Solutions’ Kevin Novak

“Security professionals around the world are debating the list of compromise possibilities based on the pictures posted about the hack, but no definitive word has been shared by Okta,” he said.

Customers Can’t Just ‘Switch Off’ Okta

If hackers compromised Okta’s environment, companies can’t “simply flip a switch” and authenticate/authorize on a different platform, Novak said. Embedded platforms require time to swap.

“While some have made conjectures about whether this hack contributed to another breach here or there, it would seem that a full compromise of Okta’s backend would have become far more obvious by now, but we’ll see more over the next few months,” he said.