"Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction."įollowing initial access, the group is known to exploit unpatched vulnerabilities on internally accessible Confluence, JIRA, and GitLab servers for privilege escalation, before proceeding to exfiltrate relevant information and delete the target's systems and resources.
"The objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion," the company said. Discover why identity is the new endpoint. Identity is the New Endpoint: Mastering SaaS Security in the Modern Ageĭive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. The financially motivated group's modus operandi has been relatively straightforward: break into a target's network, steal sensitive data, and blackmail the victim company into paying up by publicizing snippets of the stolen data on their Telegram channel. LAPSUS$, which first emerged in July 2021, has been on a hacking spree in recent months, targeting a wealth of companies over the intervening period, including Impresa, Brazil's Ministry of Health, Claro, Embratel, NVIDIA, Samsung, Mercado Libre, Vodafone, and most recently Ubisoft. "The potential impact to Okta customers is NOT limited, I'm pretty certain resetting passwords and MFA would result in complete compromise of many clients' systems," the gang elaborated. LAPSUS$ has also claimed in its rebuttal that Okta was storing Amazon Web Services (AWS) keys within Slack and that support engineers seem to have "excessive access" to the communications platform. That said, of particular concern is the fact that Okta failed to publicly disclose the breach for two months, prompting the cyber criminal group to ask "Why wait this long?" in its counter statement. As a result, it would be easy to spot compromised accounts based on the associated hardware keys." "The attacker would also need to change the hardware (FIDO) token configured for the same user. "In the case of the Okta compromise, it would not suffice to just change a user's password," web infrastructure company Cloudflare said in a post mortem analysis of the incident.
Microsoft data breach 2021 software#
The San Francisco-based cloud software firm also said it's identified the affected customers and that it's contacting them directly, stressing that the "Okta service is fully operational, and there are no corrective actions our customers need to take." Identity and access management company Okta, which also acknowledged the breach through the account of a customer support engineer working for a third-party provider, said that the attackers had access to the engineer's laptop during a five-day window between January 16 and 21, but that the service itself was not compromised.
"This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact," the company's security teams noted.
Microsoft data breach 2021 code#
The Windows maker, which was already tracking the group under the moniker DEV-0537 prior to the public disclosure, said it "does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk."
"No customer code or data was involved in the observed activities," Microsoft's Threat Intelligence Center (MSTIC) said, adding that the breach was facilitated by means of a single compromised account that has since been remediated to prevent further malicious activity. Microsoft on Tuesday confirmed that the LAPSUS$ extortion-focused hacking crew had gained "limited access" to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach.
0 kommentar(er)
