# Cloudilax

Okta And Microsoft Confirm Breach By LAPSUS$ Extortion Group

Microsoft and Okta, an authentication services provider, are investigating potential breach claims by the extortionist group, LAPSUS$.

Vice and Reuters first reported the development after the group posted source code and screenshots on its Telegram channel of what it claimed were the companies' internal projects.

The leaked 37GB archive shows that the extortionist gang may have accessed the repositories related to Microsoft’s Bing, Cortana, and Bing Maps, with the images highlighting Okta’s Atlassian suite and in-house Slack channels.

The hacking cartel wrote on Telegram that the security measures might be pretty poor for a service powering authentication systems to many of the largest corporations.


Additionally, the extortionist group alleged that for the second time in a year, it breached LG Electronics (LGE).

An independent security researcher, Bill Demirkapi, noted that “LAPSUS$ groups appear to have obtained access to the Cloudflare tenant. They can reset employee passwords,” adding the company “failed to acknowledge any breach for at least two months publicly.”

LAPSUS$ has clarified that it did not breach Okta’s databases and that its focus was only on Okta customers. This could have profound implications for the government agencies and other organisations that rely on Okta to authenticate user access to internal systems.

“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” Okta CEO Todd McKinnon said in a tweet.

“We believe the screenshots shared online are connected to this January event. According to our investigation, there is no evidence of ongoing malicious activity beyond the activity detected in January,” McKinnon added.

In response, Cloudflare said it is resetting the credentials of Okta employees who have had their passwords changed in the last four months, out of an abundance of caution.

The new entrant to the threat landscape focuses more on data theft and using it to blackmail its targets, unlike traditional extortionist groups that follow the double extortion playbook of stealing information from victims and then encrypting it, demanding payment in return.

Since it went active in late December 2021, the cybercrime gang has racked up many high-profile victims, including Impresa, NVIDIA, Samsung, Vodafone, Mercado Libre, and most recently, Ubisoft.

“Any successful attack against a service provider or software developer can have a further impact beyond the scope of that initial attack,” Mike DeNapoli, lead security architect of Cymulate, said in a statement. “Users of the services and platforms must be alerted that possible supply-chain attacks will need to be defended against.”
