Recently the threat actors known as DEV-0537 or LAPSUS$ have breached large and significant organizations, including Okta. Currently, Okta is reporting that 366 of their corporate clients were affected by this breach. If your organization utilizes Okta, we suggest contacting them to see if your organization was among those impacted and request information on any steps that should be taken to mitigate risk. If you are not among those currently impacted, we suggest continuing to follow the information as it’s released in case the impact was greater than originally stated.

Microsoft was also breached by DEV-0537, however, it seems as if only source code was compromised. According to the information that have been released, Microsoft user data was not impacted.

LAPSUS$ uses methods that allow the reset of passwords, redirection of MFA, and spamming MFA notifications to gain initial access. Once initial access is gained, their goal is data theft and extortion. They do this by accessing internet-facing systems like VPNs, RDP and VDI. Microsoft outlined recommendations on how to help mitigate this threat which we have outlined below.

Some of the Microsoft recommendations include:

  • Strengthen MFA implementation
    • Require MFA for all users coming from all locations – even those coming from on-prem systems
    • Avoid telephony-based MFA methods
    • Ensure that users are using easily guessed passwords
  • Leverage modern authentication options for VPNs
    • Use an option like OAuth or SAML connected to Azure AD to enable risk-based sign-in detection
  • Improve awareness of social engineering attacks
    • Educate your IT team to look for unusual contacts with colleagues
    • Make sure the team is looking for suspicious users
    • Educate employees about help desk verification practices

The full recommendation list from Microsoft can be found HERE.