DecryptedTech

Monday03 October 2022

Sean Kalinich

Sean Kalinich

Lat week we reported on the quick change in Okta’s stance on a January security incident that turned out to be much larger and have the volatile hacking group Lapsus$ behind it. The original disclosure was that a single third-party contractor account had an unsuccessful attempt to compromise Okta’s systems. Okta states that they turned over information around the incident to Sitel, the third-party that provides customer support. Once this was done, Okta basically washed their hands of it and sat back waiting to hear what Sitel found.

On the 22nd of March Okta finally confirmed that they were breached in January for a period of 5 days. The breach, according to information now disclosed, happened due to the compromise of an account of a support engineer. The compromised user was not an Okta employee but belonged to a third party engineer working for Sitel. This event was downplayed by Okta as they claimed only the account was impacted and no clients were known to be exposed at the time.

Once again Google has been caught with their hands in the personal data collection cookie jar. It seems that their Messages and Phone Dialer Apps were sending information about your calls and messages without giving the user any chance to opt-out of this data collection. They also perform this data collection without any user notification at all.

Microsoft has finally acknowledged the attack and theft of source code by the Lapsus$ group (tracked as DEV-0537). According to the announcement, a single user account was compromised to gain limited access to their systems and source code. The public confirmation which Microsoft published late Tuesday (March 22, 2022) not only includes details about the attack on Microsoft, but also some detailed information about the TTPs (tactics, techniques, and procedures) used by the group.

Earlier today we covered the leak of Microsoft source code by the Lapsus$ group. The group leaked a portion of the data they claim to have stolen in the form of a 37GB dump. This dump has added to the source code they have stolen and released from companies like NVIDIA and Samsung. Lapsus$ has a pattern of compromising an organization, stealing data and then demanding money to not release the information, only to release the information anyway.

Yesterday we reported that the source code stealing group, Lapsus$, claimed they have breached and stollen source code from Microsoft. They made the announcement on their Telegram account by posting a screenshot of the projects they claimed to have access to. Now, as with other leaks, they have dropped a compressed file (7zip) via Torrent which appears to contain around 37GB of source code.

Elden Ring, from developer FromSoftware seems to have a flaw that is allowing an interesting attack for PC players. The flaw allows invaders, malicious players that enter another player’s world to cause a game crash, this crash leads the player into an endless death loop once the player can get back online.

The Lapsus$ group has been in the news recently for theft of source code form some high-profile targets. These targets have included companies like NVIDIA, Samsung, Vodafone, and Ubisoft. The NVIDIA event was noteworthy as it included a claim that NVIDIA hacked the attackers back in order to encrypt the data that have been taken out of their environment.

Phishing, regular and spear, is a very common method of compromising accounts and gaining access to a network. In many incidents, the initial compromise can be traced back to a compromised account via some sort of phishing message. This happens despite the many hours and dollars spent towards educating users about the dangers of trusting messages sent to them.

Recently a SolarWinds Web Help Desk client reported an attempted attack on their externally facing Web Help Desk instance. The attack was caught by their EDR system which was able to block the attempt. However, the reported attack, after a review, has caused concern with SolarWinds who is now advising their customers to remove public access to avoid possible compromise.

Page 4 of 210