Earlier this week, Microsoft updated an advisory on the activities of Dev-0537, a group that has run a large-scale social engineering and extortion campaign against multiple organisations. The update details the techniques the attackers use and warns of the risks of relying on centralised IT security processes.
Also known as Lapsus$, the group began with an extortion campaign against targets in the UK and South America. It has since expanded to global targets, including organisations in government, technology, telecom, media, retail and healthcare.
According to Microsoft, Dev-0537 uses several tactics that are less often used by other threat actors tracked by Microsoft. “Their tactics include phone-based social engineering, SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organisations, paying employees, suppliers or business partners of target organisations for access to credentials and multifactor authentication (MFA) approval, and intruding in the ongoing crisis-communication calls of their targets,” Microsoft warned in the advisory.
Microsoft said it had also found instances of the group gaining access to target organisations through recruited employees, or employees of their suppliers or business partners. Dev-0537 openly advertised that it wanted to buy credentials for its targets, to entice employees or contractors to take part in its operation.
Other techniques used by the attackers include deploying the Redline password stealer to obtain passwords and session tokens, buying credentials and session tokens on criminal underground forums, and paying employees at targeted organisations, or at their suppliers and business partners, for credentials and MFA approval. They also search public code repositories for exposed credentials.
Microsoft urged security chiefs to adopt detection and response processes similar to those of insider risk programmes, combined with the short response timeframes needed to deal with malicious external threats.
According to the Microsoft Threat Intelligence Centre (MSTIC), the objective of Dev-0537 is to gain elevated access through stolen credentials, which then enables data theft and destructive attacks against the targeted organisation. It reported that the hackers focus their social engineering efforts on gathering knowledge about their targets’ business operations.
Such information includes intimate knowledge about employees, team structures, helpdesks, crisis response workflows, and supply chain relationships. Microsoft warned that examples of these social engineering tactics include spamming a target user with MFA prompts and calling the organisation’s helpdesk to reset a target’s credentials.
Microsoft warned that in organisations using MFA, Dev-0537 has used session token replay and stolen passwords to trigger simple-approval MFA prompts (push notifications or phone calls that the user approves with a single tap, without entering a code), repeatedly, in the hope that the legitimate user of the compromised account eventually consents to one of the prompts and grants the attacker the approval it needs.
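The prompt-bombing pattern described above is visible in identity-provider sign-in logs: a burst of push prompts for one user, from one source, most of them denied or timed out, sometimes ending in an approval. The following detector is an added example written for this page, not code from Microsoft or from any vendor's product. The log lines are constructed, and the field layout (timestamp, user, client IP, MFA result), the four-prompt threshold and the ten-minute window are assumptions chosen for the example; a real deployment would map its own provider's field names and tune the thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sign-in events (not real logs). One event per line:
# <timestamp> <user> <client ip> <mfa result>
SAMPLE_EVENTS = """\
2022-03-18T02:11:04Z alice 203.0.113.7 mfa_push_denied
2022-03-18T02:11:31Z alice 203.0.113.7 mfa_push_timeout
2022-03-18T02:12:02Z alice 203.0.113.7 mfa_push_denied
2022-03-18T02:12:40Z alice 203.0.113.7 mfa_push_timeout
2022-03-18T02:13:15Z alice 203.0.113.7 mfa_push_denied
2022-03-18T02:14:01Z alice 203.0.113.7 mfa_push_approved
2022-03-18T08:30:12Z bob 198.51.100.20 mfa_push_approved
2022-03-18T09:05:44Z carol 192.0.2.55 mfa_push_denied
2022-03-18T09:06:10Z carol 192.0.2.55 mfa_push_approved
"""

PUSH_THRESHOLD = 4              # assumed: prompts within the window before alerting
WINDOW = timedelta(minutes=10)  # assumed: sliding window per user


def parse_events(text):
    """Parse the constructed log format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Flag users who received `threshold` or more push prompts inside `window`.

    A burst is the largest run of push events for a user that fits in the window.
    If the burst contains an approval, the user probably gave in to the prompts,
    so the alert is escalated to high severity.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"].startswith("mfa_push_"):
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        best, start = [], 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= threshold:
            approved = any(b["result"] == "mfa_push_approved" for b in best)
            alerts.append({
                "user": user,
                "prompts": len(best),
                "first": best[0]["ts"],
                "last": best[-1]["ts"],
                "source_ips": sorted({b["ip"] for b in best}),
                "severity": "high" if approved else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data only alice is flagged: six prompts in three minutes from one address, the last of them approved. Carol's single denial followed by an approval stays below the threshold, which is the ordinary case of a user fumbling one prompt. In production the alert should also be correlated with a sign-in from an address the user has not used before and with any helpdesk password reset in the preceding hours, the other two tactics Microsoft describes.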
Using the compromised credentials and/or session tokens, Dev-0537 then has access to internet-facing systems and applications. These systems most commonly include virtual private network (VPN), remote desktop protocol (RDP), virtual desktop infrastructure (VDI) including Citrix, or identity providers, including Azure Active Directory and Okta.
Identity management firm Okta is one of the companies affected. The attackers got in through one of Okta’s subcontractors, Sitel, which owns Sykes, a company that supplies Okta with contract workers for its customer support organisation.
On 23 March, Okta’s chief security officer, David Bradbury, apologised for the long delay between when Sitel was notified of the security breach and when it completed its investigation of the attack. He wrote: “I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report, we should have moved more swiftly to understand its implications.”
According to Bradbury, the forensic firm’s report highlighted that there was a five-day window, between 16 and 21 January 2022, when the threat actor had access to the Sitel environment. Support engineers have “super user” access to the support tools – Jira, Slack, Splunk, RingCentral and Salesforce – and to the internal support application.
“This is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles,” said Bradbury in the blog post. “They are unable to create or delete users. They cannot download customer databases. They cannot access our source code repositories.”
In mid-February, the same hacking group breached Nvidia’s security, stealing 1 terabyte of data, including the usernames and passwords of more than 71,000 Nvidia employees.
Earlier this month, in a post covering state-sponsored cyber actors exploiting default MFA protocols, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recommended that organisations enforce MFA for all users, without exception. They urged organisations to review configuration policies to protect against “fail open” and re-enrolment scenarios, and to implement time-out and lock-out features in response to repeated failed login attempts.
Along with enforcing strong passwords and security monitoring, the FBI and CISA also recommended that IT chiefs ensure inactive accounts are disabled uniformly across Active Directory and MFA systems.
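The three weaknesses the FBI and CISA call out (an MFA check that fails open when its backend is unreachable, a dormant account that lets whoever holds its password enrol a new factor at sign-in, and an account disabled in the directory but still active in the MFA system) are easier to reason about as a policy decision than as prose. The following is an added example written for this page, not code from CISA or from any MFA product: a minimal sign-in gate that runs the same scenarios under a weak policy and under the corrected one, plus a reconciliation check between directory and MFA-system state. The policy fields, the backends, the account names and the five-attempt lock-out are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional, Tuple


class MfaServiceUnavailable(Exception):
    """Raised when the MFA backend cannot be reached."""


@dataclass
class MfaPolicy:
    fail_open: bool                  # admit the user when the MFA backend is down?
    allow_self_enrol_at_login: bool  # let an unenrolled account register a factor at sign-in?
    max_failures: int = 5            # failed MFA attempts before lock-out
    lockout: timedelta = timedelta(minutes=15)


# The weak settings the advisory warns about beside their corrected values (assumed names).
WEAK_POLICY = MfaPolicy(fail_open=True, allow_self_enrol_at_login=True)
HARDENED_POLICY = MfaPolicy(fail_open=False, allow_self_enrol_at_login=False)


@dataclass
class Account:
    name: str
    enabled: bool        # state in the directory (e.g. Active Directory)
    mfa_enrolled: bool   # state in the MFA system
    failures: int = 0
    locked_until: Optional[datetime] = None


def mfa_gate(account: Account, policy: MfaPolicy,
             backend: Callable[[Account, str], bool],
             code: str, now: datetime) -> Tuple[bool, str]:
    """Decide whether a sign-in that already passed the password check may proceed.

    `backend(account, code)` returns True/False or raises MfaServiceUnavailable.
    Returns (allowed, reason).
    """
    if not account.enabled:
        return False, "account disabled in directory"
    if account.locked_until and now < account.locked_until:
        return False, "locked out after repeated MFA failures"
    if not account.mfa_enrolled:
        if policy.allow_self_enrol_at_login:
            # Weak: whoever holds the password of a dormant account enrols their own device.
            return True, "unenrolled account allowed to self-enrol at login"
        return False, "no enrolled factor; enrolment requires out-of-band verification"
    try:
        verified = backend(account, code)
    except MfaServiceUnavailable:
        # "Fail open" admits the user with no second factor at all; fail closed denies.
        if policy.fail_open:
            return True, "MFA backend unavailable, policy fails open"
        return False, "MFA backend unavailable, policy fails closed"
    if verified:
        account.failures = 0
        return True, "MFA verified"
    account.failures += 1
    if account.failures >= policy.max_failures:
        account.locked_until = now + policy.lockout
        account.failures = 0
        return False, "too many MFA failures, account locked out"
    return False, "MFA code rejected"


def mfa_accounts_out_of_sync(directory: dict, mfa_system: dict) -> list:
    """Accounts still active in the MFA system but disabled or missing in the directory.
    Each is a dormant identity an attacker could enrol a factor for."""
    return sorted(user for user, active in mfa_system.items()
                  if active and not directory.get(user, False))


# Constructed backends and scenarios (not from any real deployment).
def working_backend(account: Account, code: str) -> bool:
    return code == "123456"


def down_backend(account: Account, code: str) -> bool:
    raise MfaServiceUnavailable("push service unreachable")


def run_scenarios() -> dict:
    now = datetime(2022, 3, 18, 9, 0, 0)
    results = {}
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        enrolled = Account("alice", enabled=True, mfa_enrolled=True)
        dormant = Account("dave", enabled=True, mfa_enrolled=False)
        results[label] = {
            "backend_down": mfa_gate(enrolled, policy, down_backend, "000000", now)[0],
            "dormant_self_enrol": mfa_gate(dormant, policy, working_backend, "", now)[0],
        }
        # max_failures wrong codes in a row, then the right one: lock-out must win.
        for _ in range(policy.max_failures):
            mfa_gate(enrolled, policy, working_backend, "000000", now)
        results[label]["after_lockout"] = mfa_gate(enrolled, policy, working_backend, "123456", now)[0]
    directory = {"alice": True, "dave": True, "erin": False}
    mfa_system = {"alice": True, "dave": True, "erin": True, "frank": True}
    results["out_of_sync"] = mfa_accounts_out_of_sync(directory, mfa_system)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(scenario, outcome)
```

Under the weak policy an outage of the push service and a dormant, unenrolled account both produce an admitted sign-in with no second factor ever presented; under the hardened policy both are denied. The lock-out branch behaves the same under either policy, which is the point of the time-out and lock-out recommendation: a correct code is useless once the attempt budget is spent. The reconciliation check lists erin (disabled in the directory, still active in MFA) and frank (present only in MFA), the accounts that "disabled uniformly across Active Directory and MFA systems" is meant to eliminate.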