Microsoft, Okta Share Details on Recent Lapsus$ Cyberattacks
Read also: Italy’s state railway operator halts ticket sales due to a suspected cyberattack, malicious npm packages target Azure developers, and more.
Microsoft, Okta confirm Lapsus$ cyberattacks
The Lapsus$ hacker group, which has caused quite a stir in the cybersecurity community over the past few weeks, is continuing to attack major technology firms, with Windows maker Microsoft and identity and authentication provider Okta being the latest victims.
On March 22, Lapsus$ leaked 37GB of source code stolen from Microsoft’s Azure DevOps server, including source code for Bing, Cortana, and other projects. The hackers claimed the data included 90% of Bing's source code and 45% of Cortana and Bing Maps code.
Microsoft confirmed the hack in a blog post and explained that the attackers compromised a single account, which granted them limited access. The company said that no customer code or data was impacted by the incident.
As for Okta, the identity services provider admitted it was hit with a Lapsus$ cyberattack that may have impacted a small portion (2.5%) of its customers. Okta said in a statement that its service has not been breached, but admitted that an account of a third-party support engineer working with the company was compromised back in January.
An investigation into the incident revealed that the Lapsus$ attackers had access to the support engineer's laptop for five days, “between January 16-21, 2022.” While support engineers have access to limited data (Jira tickets and lists of users) and are able to facilitate the resetting of passwords and multi-factor authentication factors for users, they are not able to obtain those passwords, the company said.
Bloomberg reported on Wednesday that security researchers investigating the Lapsus$ attacks have traced them to a 16-year-old from England who they believe is the mastermind behind the cybercriminal operation.
QNAP NAS devices targeted by the Deadbolt ransomware
QNAP network-attached storage (NAS) devices have been hit with a new wave of Deadbolt ransomware attacks, in which the attackers encrypt files stored on vulnerable devices and demand a 0.03 bitcoin ransom for the decryption key.
A surge in infections was observed on March 16, when the number of Deadbolt-infected devices stood at 373, but within three days had increased to 1,146 infected devices, with the majority of them running the QNAP QTS Linux kernel version 5.10.60.
Italy’s state railway operator halts ticket sales after detecting signs of a cyberattack
Italian state railway operator Ferrovie dello Stato Italiane (FS) has suspended some ticket sale services due to a suspected cyberattack. The company said in a statement that it detected “elements that could be linked to a cryptolocker infection” on the computer network of Trenitalia and RFI.
The operator temporarily halted ticket sales at its offices and at self-service machines in train stations as a precaution; online ticket sales and railway traffic were not affected.
Nestlé disputes Anonymous’s claims, says it leaked its own data
Swiss food giant Nestlé has downplayed claims from the hacktivist collective Anonymous, which announced the leak of 10GB of data (including emails, passwords and customer information) allegedly belonging to the multinational conglomerate.
Nestlé, however, said that the claim of a cyberattack against the company and a subsequent data leak has “no foundation.” According to the food giant, the “leaked” data actually relates to a February incident in which the company accidentally published online “some randomised and predominantly publicly available test data of a B2B nature.” After investigating the matter, the company concluded that no further action was necessary.
Hundreds of malicious npm packages caught targeting Azure developers
Security researchers detected a large-scale supply chain attack aimed at Azure developers involving over 200 malicious npm packages. The researchers have identified as many as 218 malicious packages in the npm Registry containing information stealing malware.
The threat actor relied on typosquatting to trick developers into installing malicious packages that carry the same names as legitimate packages in the @azure scope, but published without the scope prefix.
The entire set of malicious packages was reported to npm maintainers, after which they were quickly removed from the registry.
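The pattern described in this item (an unscoped package name that mirrors a legitimate scoped one) can be checked for mechanically in a project's own dependency manifest. The script below is an added example written for this page, not code from the researchers or from npm; the short list of @azure package names is an illustrative allow-list that a team would replace with the scoped packages it actually uses, and the package.json it scans is a constructed sample.

```javascript
// Added example (not part of the original article): flag dependencies whose
// unscoped name collides with a known scoped package, the lookalike pattern
// described in the npm/@azure item above.

// Assumption: an allow-list of scoped package names the project expects.
// The @azure entries are well-known SDK package names used for illustration;
// this is not a complete catalogue of the scope.
const KNOWN_SCOPED_PACKAGES = [
  "@azure/core-http",
  "@azure/core-tracing",
  "@azure/identity",
  "@azure/storage-blob",
  "@azure/keyvault-secrets",
];

// Build a lookup from the unscoped part of a name to the full scoped name(s).
function buildUnscopedIndex(scopedNames) {
  const index = new Map();
  for (const full of scopedNames) {
    const match = /^@[^/]+\/(.+)$/.exec(full);
    if (!match) continue; // skip entries that are not scoped at all
    const bare = match[1];
    if (!index.has(bare)) index.set(bare, []);
    index.get(bare).push(full);
  }
  return index;
}

// Scan every dependency section of a parsed package.json and return a list of
// { section, name, range, expected } findings for unscoped lookalikes.
function findUnscopedLookalikes(pkg, scopedNames = KNOWN_SCOPED_PACKAGES) {
  const index = buildUnscopedIndex(scopedNames);
  const sections = [
    "dependencies",
    "devDependencies",
    "optionalDependencies",
    "peerDependencies",
  ];
  const findings = [];
  for (const section of sections) {
    const deps = pkg[section];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, range] of Object.entries(deps)) {
      if (name.startsWith("@")) continue; // scoped names are not the pattern in question
      const candidates = index.get(name);
      if (candidates) findings.push({ section, name, range, expected: candidates });
    }
  }
  return findings;
}

// Constructed sample package.json: two entries are unscoped lookalikes.
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  version: "1.0.0",
  dependencies: {
    "@azure/identity": "^2.0.0",
    "core-tracing": "1.0.0", // lookalike of @azure/core-tracing
    express: "^4.17.0",
  },
  devDependencies: {
    "storage-blob": "12.0.0", // lookalike of @azure/storage-blob
    jest: "^27.0.0",
  },
};

// Render findings as one human-readable line each.
function formatReport(findings) {
  return findings.map(
    (f) => `${f.section}: "${f.name}@${f.range}" looks like ${f.expected.join(" or ")}`
  );
}

console.log(formatReport(findUnscopedLookalikes(SAMPLE_PACKAGE_JSON)).join("\n"));
```

Run it against a real manifest by replacing `SAMPLE_PACKAGE_JSON` with the parsed contents of the project's package.json; a non-empty report is a signal to verify the dependency against the scoped package the team intended before installing it.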