Microsoft has confirmed reports that it was hacked by the Lapsus$ extortion group, also known as DEV-0537. While admitting that the hackers managed to steal source code, the company is simultaneously trying to downplay the incident.
Lapsus$ shared a 37GB archive online containing partial source code for Cortana and Bing, but Microsoft insists that no customer data was compromised. The company says that "our investigation has found a single account had been compromised, granting limited access."
In a leaked screenshot, the hackers brag about gaining access to an Azure DevOps repository which is home to source code for all manner of Microsoft projects including Bing and Cortana. Having already hacked the likes of Samsung, NVIDIA and Vodafone, the claims made by Lapsus$ are entirely feasible, but for now Microsoft is saying nothing about what -- if anything -- has been stolen.
Samsung appears to have fallen victim to a serious security breach if the leaks from data extortion group Lapsus$ are anything to go by.
Amounting to a colossal 190GB of data, the group says it has in its possession Samsung source code and other confidential company data. It is just days since Lapsus$ claimed responsibility for a hack that resulted in data being stolen from GPU chipmaker NVIDIA and leaked.
Data breaches, cyberattacks and security concerns are growing exponentially in the digital climate, as new development practices, extra languages, and structural frameworks appear -- compounded by geopolitical tensions giving rise to state-sponsored attacks. In 2022 to date, 39 percent of UK businesses have already experienced the disruption and costly consequences of cyberattacks. Some of the largest enterprises, such as Microsoft, T-Mobile, and Vodafone, have experienced attacks by highly organized groups, such as Lapsus$.
With the scale, type of attacks and target industries constantly evolving, the healthcare sector has joined financial services and the public sector in becoming a lucrative target. Healthcare data breaches reached an all-time high in 2021, impacting 45 million people -- personal health information (PHI) became worth more than credit card information on the dark web. Attack approaches are constantly evolving, with hackers searching for any weak links in growing infrastructure.
Digital identity is the new currency, and adversaries are chasing wealth. Research shows that 61 percent of data breaches are the result of compromised credentials. This is a common fraudster tactic, whereby using legitimate credentials allows them to avoid detection as they gather intelligence and stolen data that will allow them to undertake further fraudulent transactions.
Fundamental to the defense of systems is access control, but it has its limits. Attackers are continuously trying to circumvent these systems to access accounts, with login and payment flows frequently targeted. This is why many organizations have invested in anti-fraud technologies to detect and mitigate such attacks.
Code signing certificates are an essential part of our software world. Every software update is signed with a unique machine identity, combining a time stamp with an encryption algorithm in the form of an X.509 certificate issued by a trusted certificate authority. This allows other machines to know they are authentic and can be trusted.
Developers sign their code with a private key, and an end-user uses the public key from that developer to validate that the code hasn’t changed since the developer signed it. If someone has altered the code, the signature will provide an untrusted alert, in the same way a website with an untrusted or expired certificate does with transport layer security (TLS) machine identities. Without this system of identity, it would be impossible to deliver software. Without this you couldn’t use Windows, Mac, or iPhone let alone fly on a modern Airbus or Boeing aircraft. And it’s quickly becoming the same way in the cloud-native world of Kubernetes.
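The sign-then-verify flow described above, as an added example that is not part of the original article: the developer signs a timestamp plus the hash of the release payload with a private key, and the user verifies it against a public key they already trust. It uses a bare Ed25519 key pair generated in-process as a stand-in for a CA-issued X.509 certificate (an assumption for the sake of a self-contained demo); the payload bytes and the `SignedArtifact` layout are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// SignedArtifact bundles a release payload with the signer's public key,
// the signing time, and the signature over (timestamp || sha256(payload)).
// The layout is constructed for this example, not a real package format.
type SignedArtifact struct {
	Payload   []byte
	SignedAt  int64 // Unix seconds; covered by the signature, so it cannot be backdated
	PublicKey ed25519.PublicKey
	Signature []byte
}

// NewSigningKey generates a fresh Ed25519 key pair. In production the public
// half would be carried in a CA-issued certificate; here it stands in for one.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// digest returns the bytes that are actually signed: the big-endian timestamp
// followed by the SHA-256 of the payload, so both are protected by the signature.
func digest(payload []byte, signedAt int64) []byte {
	h := sha256.Sum256(payload)
	buf := make([]byte, 8, 8+len(h))
	binary.BigEndian.PutUint64(buf, uint64(signedAt))
	return append(buf, h[:]...)
}

// SignArtifact is the developer's side: sign with the private key.
func SignArtifact(priv ed25519.PrivateKey, payload []byte, signedAt int64) SignedArtifact {
	sig := ed25519.Sign(priv, digest(payload, signedAt))
	return SignedArtifact{
		Payload:   payload,
		SignedAt:  signedAt,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: sig,
	}
}

// VerifyArtifact is the end-user's side: only the key we already trust may
// vouch for the artifact, and the signature must match payload and timestamp.
// Any change to the code after signing makes this return false.
func VerifyArtifact(trusted ed25519.PublicKey, a SignedArtifact) bool {
	if !trusted.Equal(a.PublicKey) {
		return false // signed by somebody else, even if the signature is valid
	}
	return ed25519.Verify(trusted, digest(a.Payload, a.SignedAt), a.Signature)
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	art := SignArtifact(priv, []byte("installer-v1.2.3"), time.Now().Unix())
	fmt.Println("genuine artifact verifies:", VerifyArtifact(pub, art))
	// Simulate a modification after signing: verification must now fail.
	art.Payload = append(art.Payload, []byte("-modified")...)
	fmt.Println("modified artifact verifies:", VerifyArtifact(pub, art))
}
```

Note that the verifier compares the embedded public key against the one it already trusts before checking the signature; a signature that merely verifies under whatever key travels with the file proves nothing about who signed it.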
More and more organizations are enrolling users in Multi-Factor Authentication (henceforth referred to as MFA) wherein a secondary form of authentication takes place following a user inputting their credentials into a service to ensure a user is who they say they are. It’s an added layer of security and authentication that can help prevent compromise. But this isn’t bulletproof.
Recently a few blog posts and papers have begun to come out detailing a bypass technique known as "MFA bombing", "MFA Fatigue", "Push Notification Spamming", and many other terms, detailing high-profile threat actors such as LAPSUS$ who have abused the technique to gain access to otherwise protected areas. The technique was one we at Lares (and other red teams!) have used with overwhelming success in the past. We know it as Push Fatigue.
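A defender-side check for the push-fatigue pattern the two paragraphs above describe, as an added example that is neither Lares' code nor from the original article: it parses constructed MFA log lines, counts push prompts per user within a sliding window, and flags users who exceed a threshold, noting when an approval followed a run of denials (the case where the technique succeeded). The log format (`user=`, `event=mfa_push`, `result=`) and the thresholds are assumptions for the demo.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// PushEvent is one MFA push prompt parsed from the log.
type PushEvent struct {
	At     time.Time
	User   string
	Result string // "denied", "approved", or "timeout"
}

// Finding describes a user whose prompt volume looks like push fatigue.
type Finding struct {
	User                 string
	Prompts              int  // prompts in the densest window
	ApprovedAfterDenials bool // an approval followed >= threshold consecutive denials
}

// SampleLog is constructed for this example; it is not from any real system.
const SampleLog = `
2022-03-22T09:00:00Z user=alice event=mfa_push result=denied
2022-03-22T09:00:20Z user=alice event=mfa_push result=denied
2022-03-22T09:00:45Z user=alice event=mfa_push result=denied
2022-03-22T09:01:10Z user=alice event=mfa_push result=denied
2022-03-22T09:01:30Z user=alice event=mfa_push result=approved
2022-03-22T09:00:05Z user=bob event=mfa_push result=approved
2022-03-22T09:03:00Z user=bob event=login result=success
2022-03-22T17:00:00Z user=bob event=mfa_push result=approved
`

// ParsePushLog extracts mfa_push events from "timestamp key=value ..." lines.
func ParsePushLog(log string) ([]PushEvent, error) {
	var events []PushEvent
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		at, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", fields[0], err)
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if parts := strings.SplitN(f, "=", 2); len(parts) == 2 {
				kv[parts[0]] = parts[1]
			}
		}
		if kv["event"] != "mfa_push" {
			continue
		}
		events = append(events, PushEvent{At: at, User: kv["user"], Result: kv["result"]})
	}
	return events, sc.Err()
}

// FlagPushFatigue reports users who received more than maxPrompts pushes in
// any window of the given length, and whether an approval came after a run
// of at least maxPrompts denials (the outcome a push-fatigue attack aims for).
func FlagPushFatigue(events []PushEvent, window time.Duration, maxPrompts int) []Finding {
	byUser := map[string][]PushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var findings []Finding
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		peak, start, denied, lateApprove := 0, 0, 0, false
		for end, e := range evs {
			// Slide the window start forward until it fits within `window`.
			for e.At.Sub(evs[start].At) > window {
				start++
			}
			if n := end - start + 1; n > peak {
				peak = n
			}
			switch e.Result {
			case "denied":
				denied++
			case "approved":
				if denied >= maxPrompts {
					lateApprove = true
				}
				denied = 0
			}
		}
		if peak > maxPrompts {
			findings = append(findings, Finding{User: user, Prompts: peak, ApprovedAfterDenials: lateApprove})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].User < findings[j].User })
	return findings
}

func main() {
	events, err := ParsePushLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range FlagPushFatigue(events, 5*time.Minute, 3) {
		fmt.Printf("%s: %d prompts in 5m, approved after denials: %v\n", f.User, f.Prompts, f.ApprovedAfterDenials)
	}
}
```

A finding with `ApprovedAfterDenials` set is the one to treat as a probable compromise rather than mere noise, since the user eventually accepted a prompt they had been rejecting; the threshold and window are tuning knobs, not fixed values.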
In early March 2022, authentication security company Okta reported that there had been an attempt to compromise the account of a third-party customer support engineer from Sitel in January. The organization released a statement claiming that the matter had been investigated and contained.
Okta CSO David Bradbury later admitted that up to 366 customers may have been breached, apologizing for not notifying customers earlier. In the weeks since the attack, Okta has released a conflicting statement arguing that the attack affected just two customers, although this is perhaps naïve and hard to prove. Okta has said it recognizes the broad toll this kind of compromise can have on customers, but there is little to suggest that the attackers aren’t already lying dormant inside the networks of further customers.
Microsoft has released a new optional update for Windows 11 in the form of the KB5011563 preview. The update takes Windows 11 up to build 22000.593, and as well as fixing numerous problems with the operating system, it also introduces an important change to the way notifications work.
The KB5011563 update has previously been released to Windows Insiders, but now the preview version is available for anyone who wants it to install ahead of its full release this coming Patch Tuesday. Among the fixes included in this update are a patch for an issue that causes OneDrive to lose focus, and a speed boost for slow start times.
Google has released an emergency patch for the Windows, macOS and Linux versions of Chrome after the discovery of a zero-day vulnerability that the company says is being actively exploited.
The security fix comes as Microsoft releases a patch of its own for the same vulnerability (CVE-2022-1096) in Edge, its Chromium-based browser. While neither company has given much detail about the problem, Google describes it as being of high severity.
The idea of clickbait is nothing new. Sensational headlines have been used since the early days of the press to draw in users, and it is something that has continued into the internet age. But there is also a related problem that blights social media platforms such as Facebook: watchbait.
The idea is much the same as a clickbait headline; videos are given misleading, overblown headlines and descriptions that often omit key details in a bid to get people to watch to the end. Now Meta has announced that it is taking action, including using an automatic detection system that will reduce the distribution reach of offending videos.
The Federal Communications Commission has added Kaspersky to its blacklist in a move that has been branded as political. The FCC says that the Russian security firm has been "deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons".
What this means in practice is that Kaspersky is ineligible to receive FCC funding, joining companies such as Huawei and ZTE. Kaspersky has also been sanctioned by HackerOne, with its bug bounty program being indefinitely suspended.
The future of the web, or the web of the future? Whichever way you look at it, the web as we know it is in a state of constant and necessary evolution. There are many companies contributing to this, but browser developers have major roles to play -- Mozilla included.
The Firefox maker has set out, in broad strokes, its vision of the changes it wants to see. In all, there are nine key areas that Mozilla wants to focus its efforts on, including encryption, accessibility, privacy, and breaking down language barriers.
When we write about PowerToys, it is usually about new releases and the new features that have been added; but not always. For instance, Microsoft has issued a warning that the popular utilities collection may be causing problems for some people, specifically with previewing PDF files in Outlook.
If you have seen an error message that read "This file cannot be previewed because there is no previewer installed for it", Microsoft has a couple of solutions for you. One relates to Adobe Acrobat Reader and the other to PowerToys.
With Windows 11 now very much Microsoft's focus, it might come as something of a surprise to find that the company is still adding things to Windows 10 -- but with the release of the KB5011543 update, this is precisely what is happening.
This is a preview of the update that will be officially released on April's Patch Tuesday, and it is designed for Windows 10 20H2, Windows 10 21H1 and Windows 10 21H2. What can you expect in this update? In addition to the arrival of search highlights -- with slightly different looks for enterprise users and ordinary consumers -- there are numerous bug fixes, and changes to the Action Center.