[Update]Detailed Analysis of LAPSUS$ Cybercriminal Group that has Compromised Nvidia, Microsoft, Okta, and Globant
Source: A1 | Industry: IT & Technology | Region: USA | Category: Adversary Intelligence
On 22 March 2022 the group claimed to have leaked the source code of Bing, Bing Maps and Cortana. Our threat intelligence team confirmed that the claims were true, and shortly afterwards Microsoft and Okta published official blog posts acknowledging the incidents.
The LAPSUS$ cyber-criminal group is known for exploiting the weakest link in a corporate network's security chain: human error and poor security practice.
They achieve initial access using the following tactics:
The next steps involve privilege escalation and post-exploitation:
Microsoft stated the following in an official blog post published on 22 March 2022:
“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”
The leak contains 56,484 directories and 333,743 files, including the source code of Cortana, Bing Maps and Bing. The aggregate size of the leaked data is 37.8 GB.
The leak also contains multiple sensitive endpoints (one is shown in a screenshot in the original post). It also contains 135 .pfx files. A .pfx (PKCS#12) file bundles an X.509 certificate with its private key, normally under a password; if that password is weak, absent or committed alongside the file, whoever holds it can present the certificate and impersonate the service it was issued for until the certificate is revoked and the key replaced.
The leak also includes documentation and internal PDF files:
From the files we can conclude the following:
Okta also issued statements through its official blog, the second of which was a later update:
“Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.”
“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency”
In response to the above statement, LAPSUS$ released a message that can be summarized in the following points:
Globant has not contested the LAPSUS$ claim. In its official confirmation it released the following statement:
“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access. We have activated our security protocols and are conducting an exhaustive investigation. According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected”
The 70 GB Globant leak contains public and private keys (SSH and SSL) that were committed as part of the source code. For a number of Globant clients it includes the following:
Credential files leaked:
Sensitive information and PII leaked:
SQL files leaked:
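Both the 135 .pfx files in the Microsoft leak and the SSH/SSL keys in the Globant leak raise the same first question for a responder: which key material is in the tree, which of it is unprotected, and what has to be revoked. The Python script below is an added example, not CloudSEK's tooling. It walks a directory, recognises PEM private keys (noting whether they carry an encryption header), OpenSSH keys and PKCS#12 containers, identifying the latter by their DER header rather than by file name, and records a SHA256 per finding so revocation can be tracked. The fixture files it writes are constructed placeholders, not real keys, and it uses only the standard library.

```python
"""Inventory private-key material in a leaked source tree.
Added example, not CloudSEK's tooling; the fixture files are constructed placeholders."""
import hashlib
import os
import re
import tempfile

PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?P<label>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)
PKCS12_VERSION = b"\x02\x01\x03"  # DER-encoded INTEGER 3, the PFX 'version' field


def _der_sequence_payload_offset(data: bytes):
    """Offset of the first element inside an outer DER SEQUENCE, or None if data is not one."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:              # short-form length
        return 2
    n = first & 0x7F              # long-form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n


def looks_like_pkcs12(data: bytes) -> bool:
    """PFX ::= SEQUENCE { version INTEGER (3), authSafe ..., macData ... }; check only the head."""
    off = _der_sequence_payload_offset(data)
    return off is not None and data[off:off + 3] == PKCS12_VERSION


def classify(data: bytes, name: str):
    """Return (kind, encrypted) for key material, else None.

    encrypted is True/False for PEM keys and None where the bytes alone cannot say:
    PKCS#12 needs a full parse, and OpenSSH keys record the KDF inside the base64 body.
    """
    m = PEM_KEY_RE.search(data)
    if m:
        label = m.group("label")
        if label.startswith(b"ENCRYPTED"):          # PKCS#8 encrypted
            return "pem-private-key", True
        if label.startswith(b"OPENSSH"):
            return "openssh-private-key", None
        # PKCS#8 plain and legacy RSA/EC/DSA PEM; legacy marks encryption with a Proc-Type header.
        return "pem-private-key", b"Proc-Type: 4,ENCRYPTED" in data
    if looks_like_pkcs12(data):
        return "pkcs12-container", None
    if name.lower().endswith((".pfx", ".p12")):
        return "pkcs12-by-extension-only", None    # misnamed or damaged; review by hand
    return None


def scan_tree(root: str) -> list:
    """Walk root; return one record per key-material file, with a SHA256 for tracking revocation."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            hit = classify(data, fn)
            if hit:
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "kind": hit[0],
                    "encrypted": hit[1],
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
    return sorted(findings, key=lambda f: f["path"])


# Constructed fixtures: headers and footers only, the bodies are not real keys.
SAMPLE_TREE = {
    "deploy/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "deploy/legacy.key": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          b"DEK-Info: AES-256-CBC,00\n\nplaceholder\n-----END RSA PRIVATE KEY-----\n"),
    "ci/id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n",
    "certs/site.pfx": b"\x30\x82\x01\x00" + PKCS12_VERSION + b"\x00" * 32,   # DER head only
    "certs/notes.pfx": b"not a PKCS#12 file, just notes\n",
    "src/app.py": b"print('hello')\n",
}


def scan_sample() -> list:
    """Write SAMPLE_TREE into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_TREE.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['kind']:<26} encrypted={str(f['encrypted']):<5} {f['path']}  {f['sha256'][:16]}")
```

A file the scanner reports as `pkcs12-container` or as an unencrypted PEM key should be treated as compromised outright; an encrypted one still needs rotating, since the passphrase is often in the same repository or in CI variables.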
The LAPSUS$ extortion group (it steals and leaks data rather than deploying ransomware) drew wide attention in early January 2022.
[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
LAPSUS$ previously targeted an organization in Nepal; the investigation blog published for that incident lists the CVEs the group targeted.
CVEs targeted by LAPSUS$
CVE | Description
CVE-2022-21702 | XSS vulnerability in Grafana
CVE-2022-0510 | Reflected XSS in pimcore/pimcore (Packagist) prior to 10.3.1
CVE-2022-0139 | Use after free in radareorg/radare2 prior to 5.6.0
CVE-2021-45328 | URL redirection to untrusted site (open redirect) via internal URLs in Gitea
CVE-2021-45327 | Trusting HTTP permission methods on the server side when referencing the vulnerable admin or user API in Gitea
CVE-2021-45326 | CSRF vulnerability in Gitea before 1.5.2 via API routes
CVE-2021-45325 | SSRF vulnerability in Gitea before 1.7.0 via the OpenID URL
CVE-2021-44957 | Global buffer overflow in ffjpeg through 01.01.2021
CVE-2021-44956 | Two heap-based buffer overflows in ffjpeg through 01.01.2021
CVE-2021-44864 | Buffer overflow in TP-Link WR886N 3.0 1.0.1 Build 150127 Rel.34123n
CVE-2021-34473 | Microsoft Exchange Server remote code execution (ProxyShell)
CVE-2021-31207 | Microsoft Exchange Server security feature bypass (ProxyShell)
CVE-2021-26858 | Microsoft Exchange Server remote code execution (ProxyLogon)
CVE-2021-26857 | Microsoft Exchange Server remote code execution (ProxyLogon)
CVE-2021-26855 | Microsoft Exchange Server remote code execution (ProxyLogon)
CVE-2020-23852 | Heap-based buffer overflow in ffjpeg through 2020-07-02
CVE-2020-23705 | Global buffer overflow through 2020-06-22
CVE-2020-12812 | Improper authentication in the FortiOS SSL VPN
CVE-2019-5591 | Default configuration vulnerability in FortiOS
CVE-2018-13379 | Improper limitation of a pathname to a restricted directory (path traversal) in the Fortinet FortiOS SSL VPN
Nvidia was targeted by LAPSUS$ in February 2022, and Nvidia code-signing certificates were among the stolen data. In early March 2022, malware samples signed with those certificates began to appear in the wild. Some of them have very low detection rates on VirusTotal because they carry a genuine Nvidia signature chain, so a valid signature must not be treated as a trust signal here: block the leaked certificates explicitly in application-control policy (for example a WDAC or AppLocker publisher rule) and hunt for the indicators below rather than relying on signer reputation. The following samples are signed with the stolen certificates:
SHA256
0e1638b37df11845253ee8b2188fdb199abe06bb768220c25c30e6a8ef4f9dee
9d123f8ca1a24ba215deb9968483d40b5d7a69feee7342562407c42ed4e09cf7
065077fa74c211adf9563f00e57b5daf9594e72cea15b1c470d41b756c3b87e1
bcb1d8872831e54a3989d283bcd27560cc12f54f831874162a80dc9dcddf0b39
07ffa010ee48af8671fe74245bdfb54d9267aef748d9dc1fc8ca8df4966b871a
26683864b9c90e43de444ca09d5b2806c26dd9402c2010d0799f1963fd584c23
a7c3ce181e5c3956bb6b9b92e862b6fea6d6d3be1a38321ebb84428dde127677
36fec39a0f826fccca47e1997239c510ba93861faadbe8292053287ba5ab991a
0210a766da3e6d0cecbf166437a254c8ad6b380b077355a027fd0b7e3c2ccc9f
939294c6593f8339609c4db3b4861289c0612851f1ff43573c03af2e108221d0
2f578cb0d97498b3482876c2f356035e3365e2c492e10513ff4e4159eebc44b8
IPv4
185.56.83.40
139.162.22.146
172.105.209.6
54.203.159.179
Domain | lapsus-group.com
Email | [email protected] (address redacted in the source)
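To act on the indicators above, a responder needs to sweep endpoints for the listed hashes and search proxy and DNS logs for the listed IPs and domain. The Python script below is an added example, not CloudSEK's tooling: the hash, IP and domain sets are copied from the tables on this page, while the sample log lines and the planted file are constructed (the planted file is a harmless stand-in whose own hash is added to the watch set so that the run shows a match). It matches IPs and domains as whole tokens, since a naive substring search for 185.56.83.40 would also fire on 1185.56.83.40 or 185.56.83.400.

```python
"""Sweep a file tree and log lines for the IOCs tabulated above.
Added example, not CloudSEK's tooling; the sample files and log lines are constructed."""
import hashlib
import os
import re
import tempfile

# Indicators copied from the tables on this page.
NVIDIA_SIGNED_SHA256 = {
    "0e1638b37df11845253ee8b2188fdb199abe06bb768220c25c30e6a8ef4f9dee",
    "9d123f8ca1a24ba215deb9968483d40b5d7a69feee7342562407c42ed4e09cf7",
    "065077fa74c211adf9563f00e57b5daf9594e72cea15b1c470d41b756c3b87e1",
    "bcb1d8872831e54a3989d283bcd27560cc12f54f831874162a80dc9dcddf0b39",
    "07ffa010ee48af8671fe74245bdfb54d9267aef748d9dc1fc8ca8df4966b871a",
    "26683864b9c90e43de444ca09d5b2806c26dd9402c2010d0799f1963fd584c23",
    "a7c3ce181e5c3956bb6b9b92e862b6fea6d6d3be1a38321ebb84428dde127677",
    "36fec39a0f826fccca47e1997239c510ba93861faadbe8292053287ba5ab991a",
    "0210a766da3e6d0cecbf166437a254c8ad6b380b077355a027fd0b7e3c2ccc9f",
    "939294c6593f8339609c4db3b4861289c0612851f1ff43573c03af2e108221d0",
    "2f578cb0d97498b3482876c2f356035e3365e2c492e10513ff4e4159eebc44b8",
}
LAPSUS_IPS = {"185.56.83.40", "139.162.22.146", "172.105.209.6", "54.203.159.179"}
LAPSUS_DOMAINS = {"lapsus-group.com"}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root: str, hashes: set) -> list:
    """Return sorted [(relative_path, sha256)] for files under root whose hash is in hashes."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            digest = sha256_file(path)
            if digest in hashes:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), digest))
    return sorted(hits)


def indicator_pattern(ips, domains):
    """One compiled alternation. IPs match only as whole dotted quads, so 185.56.83.40
    does not fire on 185.56.83.4 or 1185.56.83.40; a domain also matches as the suffix
    of a subdomain (evil.lapsus-group.com) but not of a longer label (lapsus-group.community)."""
    ip_alts = [r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])" for ip in sorted(ips)]
    dom_alts = [r"(?<![\w-])" + re.escape(d) + r"(?![\w-])" for d in sorted(domains)]
    return re.compile("|".join(ip_alts + dom_alts), re.IGNORECASE)


def scan_log_lines(lines, ips=LAPSUS_IPS, domains=LAPSUS_DOMAINS) -> list:
    """Return [(line_number, matched_indicator, line)] for every line mentioning an IOC."""
    pat = indicator_pattern(ips, domains)
    hits = []
    for n, line in enumerate(lines, start=1):
        m = pat.search(line)
        if m:
            hits.append((n, m.group(0).lower(), line))
    return hits


# Constructed log lines in a generic proxy/DNS format; line 3 is a near-miss on purpose.
SAMPLE_LOG = [
    "2022-03-04T10:12:01Z proxy allow src=10.0.0.5 dst=185.56.83.40:443 sni=-",
    "2022-03-04T10:12:07Z dns query client=10.0.0.5 name=lapsus-group.com type=A",
    "2022-03-04T10:13:00Z proxy allow src=10.0.0.6 dst=185.56.83.4:443 sni=-",
    "2022-03-04T10:14:00Z dns query client=10.0.0.7 name=mail.example.com type=A",
]


def sample_run():
    """Plant a harmless stand-in file, add its hash to the watch set alongside the page's
    IOCs, and run both sweeps. Returns (file_hits, log_hits)."""
    planted = b"constructed stand-in for a signed dropper\n"
    watch = NVIDIA_SIGNED_SHA256 | {hashlib.sha256(planted).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "Downloads"))
        with open(os.path.join(tmp, "Downloads", "nvdriver.exe"), "wb") as fh:
            fh.write(planted)
        with open(os.path.join(tmp, "readme.txt"), "wb") as fh:
            fh.write(b"benign\n")
        file_hits = sweep_files(tmp, watch)
    return file_hits, scan_log_lines(SAMPLE_LOG)


if __name__ == "__main__":
    files, logs = sample_run()
    for path, digest in files:
        print(f"HASH MATCH {path} {digest}")
    for n, ioc, line in logs:
        print(f"LOG MATCH  line {n} [{ioc}] {line}")
```

A hash sweep only finds these exact samples; a rebuilt or re-signed binary will have a different hash, which is why the certificate-level block described above has to accompany it.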
Impact
The published credentials could enable other threat actors to gain access to the affected organizations' networks.
The exposed Personally Identifiable Information (PII) could enable threat actors to orchestrate social engineering schemes, phishing attacks and identity theft.
Since password reuse is common, threat actors could leverage the exposed credentials to gain access to the users' other accounts.
Exposed IP addresses and login credentials can lead to account takeovers.
The exposed confidential details could reveal business practices and intellectual property.
Leaked private keys and certificates (.pfx, SSH and SSL) allow impersonation of the services they were issued for, and the stolen Nvidia code-signing certificates let malware pass as legitimately signed software.
Mitigation
Reset the compromised user login credentials and implement a strong password policy for all user accounts.
Check for workarounds and patches for any service that must remain exposed.
Use MFA (multi-factor authentication) across all logins.
Patch all vulnerable and exploitable endpoints.
Monitor user accounts and systems for anomalies that could indicate account takeover.
Revoke and reissue every certificate and key found in leaked source, block the leaked Nvidia signing certificates in application-control policy, and hunt for the hashes, IP addresses and domain listed above.