Just a few hours after the hacker group Lapsus$ published evidence that Microsoft and the Okta authentication platform had been attacked, and after two internal investigations, both companies have confirmed that they were victims of a hack. Microsoft did so, as Muycomputer points out, after the attackers also published an almost 37 GB file containing part of the source code of Bing and Cortana.
As detailed in the Microsoft security blog, the group, which Microsoft identifies as DEV-0537, gained access to a single account and stole part of the source code for some of its products. Microsoft researchers have apparently been following the group for several weeks, and state that its goal is to “gain high-level access, through stolen credentials, that enable data theft and destructive attacks on a targeted organization, often resulting in extortion. Tactics and objectives indicate that it is a cybercriminal actor motivated by theft and destruction”.
Despite these conclusions, Microsoft states that the code leak it suffered is not serious enough to raise its level of risk, and also confirms that its response teams managed to stop the attackers while the attack was still in progress and prevent them from continuing. The company also states that neither customer code nor any customer data was compromised.
As for Okta, in addition to confirming the attack, which took place last January, its managers have admitted that it may have affected several hundred of its roughly 15,000 clients, approximately 2.5% of the total. This was confirmed by the company's Chief Security Officer, David Bradbury, a few hours after the publication of several screenshots related to a platform account and its Slack channel.
This attack has caused considerable alarm among Okta customers and security experts, given the popularity of the service among companies and organizations around the world and the access an attacker could gain if Okta were compromised. According to Bradbury, however, the Okta service itself has not been compromised: what the attackers did in this case was gain access to the laptop of an engineer who was providing technical support to the company.
Thus, according to Bradbury, “potential impact to Okta customers is limited to access support engineers have”. He further recalls that “support engineers are also able to facilitate password resets and multi-factor authentication systems, but cannot get the passwords”.