Spyderbat Blog

What We Can Learn from the '0ktapus' and Lapsus$ Attacks

Written by Spyderbat | Dec 8, 2022 9:14:00 PM

Around the globe, organizations reported a total of 108.9 million breached accounts in Q3 this year, marking a 70% increase over the previous quarter and continuing a sharp upward trend in data breaches spanning nearly three years now. Notable targeted organizations in 2022 include a preeminent U.S.-based identity and access management company in January and a global ride share service in September. Both incidents were likely the work of the international extortion-focused hacker group Lapsus$, and both originated with phished or stolen multifactor authentication (MFA) credentials.


MFA Credential Theft from Okta and Uber

The attackers in the identity and access management incident – dubbed 0ktapus by security researchers – gained access to privileged credentials by texting employees links to fraudulent sites mimicking the company’s Okta authentication page. Users who opened the links were then prompted to verify their accounts by submitting their identity credentials, including MFA fields. With the compromised credentials, the attackers launched attacks on connected corporate IT systems. Similarly, the attack on Uber, the ride sharing platform, began with MFA credentials turned over by an employee to a hacker posing as a known colleague in texts and emails. Attacks of this nature and depth – experts at Yuga Labs have called the Uber breach a “total compromise” – should signal to the cybersecurity sector that MFA credential systems cannot be relied upon to eliminate the pervasive human element in successful cyberattacks.


Security experts have long known that human error accounts for the overwhelming majority – 88% – of successful data breaches. Authentication methods such as MFA significantly raise the bar for would-be hackers. An industry-trusted infosec guide, the Identity 101 Index, reports that MFA blocks nearly 100% of automated cyberattacks. Nevertheless, for attackers willing to craft customized ploys – going as far as mimicking company websites and posing as colleagues – MFA credentials do not necessarily provide any hardened technical barrier to ingress if employees are still willing to hand over authentication factors. 


Complete Cloud Native Runtime Visibility with Spyderbat

While a rise in data breaches leveraging MFA credentials should have organizations reviewing their infosec policies and training, it raises an altogether different question for teams responsible for securing cloud environments. As the threat of breaches through human error will persist through any amount of training, what – if anything – can we do to insulate systems from intruders equipped with valid account credentials?

Although traditional industry answers have focused almost exclusively on increased preventative measures, Spyderbat’s runtime security platform introduces a game-changing approach grounded in runtime visibility throughout the entirety of your environment. In today’s multi-cloud environments running ever-changing container workloads, system visibility and live activity monitoring have become increasingly elusive.

Using eBPF, Spyderbat captures an exhaustive live record of all process and network activity across the runtime environments, including what’s going on inside container workloads, on the host itself, and between them. Spyderbat captures eBPF activities with their causal relationships for accurate intrusion prevention and to swiftly reveal root causes.

With complete runtime visibility, Spyderbat stops real attacks as they happen. Additionally, with the historical data of runtime changes that Spyderbat captures, organizations can codify expected runtime behavior as Policy-as-Code. Equipped with codified expectations, Spyderbat flags any suspicious runtime deviations, giving operators immediate insight into supply chain attacks, insider threats, misconfigurations, and other concerns.
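To make the two ideas above concrete, here is an added illustration (not Spyderbat’s code, data format, or policy language) of what “codified expected behavior” plus a causally linked process record buys a defender when an intruder arrives with valid credentials. The event stream is constructed, the policy schema is hypothetical, and the point is the failure mode the post describes: authentication succeeds, but the resulting runtime behavior (an interactive shell under sshd, a child process reaching out to an unexpected destination) does not match what the host is expected to do, and each finding carries its full ancestry chain so an operator can see the root cause at a glance.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Event:
    """One record in the style of an eBPF process/network trace (constructed)."""
    kind: str                    # "exec" (new process) or "connect" (outbound TCP)
    pid: int
    comm: str                    # program name
    ppid: Optional[int] = None   # parent pid, present on exec events
    dest: Optional[str] = None   # "ip:port", present on connect events

# Policy-as-Code, hypothetical schema: expected behavior written down as data.
# "spawns": parent program -> programs it is expected to start.
# "connects": program -> outbound destinations it is expected to reach.
Policy = Dict[str, Dict[str, Set[str]]]

EXPECTED: Policy = {
    "spawns": {
        "systemd": {"containerd-shim", "sshd"},
        "containerd-shim": {"nginx"},
        "nginx": {"nginx"},                 # master process forks workers
        # sshd intentionally has no expected children on this host:
        # nobody is supposed to open an interactive shell in production.
    },
    "connects": {
        "nginx": {"10.0.0.5:5432"},         # the application's database (constructed)
    },
}

# Constructed sample stream: normal service start-up, then an SSH login that
# uses a valid credential and proceeds to run a shell and an outbound tool.
EVENTS: List[Event] = [
    Event("exec", 1, "systemd"),
    Event("exec", 100, "containerd-shim", ppid=1),
    Event("exec", 200, "nginx", ppid=100),
    Event("exec", 201, "nginx", ppid=200),
    Event("connect", 201, "nginx", dest="10.0.0.5:5432"),
    Event("exec", 300, "sshd", ppid=1),
    Event("exec", 301, "bash", ppid=300),
    Event("exec", 302, "curl", ppid=301),
    Event("connect", 302, "curl", dest="203.0.113.9:443"),
]

def ancestry(procs: Dict[int, tuple], pid: Optional[int]) -> List[str]:
    """Walk the recorded parent links from pid up to the root of the tree."""
    chain: List[str] = []
    while pid is not None and pid in procs:
        comm, ppid = procs[pid]
        chain.append(comm)
        pid = ppid
    return list(reversed(chain))

def evaluate(events: List[Event], policy: Policy) -> List[str]:
    """Replay the trace against the policy; return one finding per deviation,
    each carrying the causal chain (root > ... > offending process)."""
    procs: Dict[int, tuple] = {}   # pid -> (comm, ppid), rebuilt from exec events
    findings: List[str] = []
    for ev in events:
        if ev.kind == "exec":
            procs[ev.pid] = (ev.comm, ev.ppid)
            parent = procs.get(ev.ppid, (None, None))[0]
            if parent is None:
                continue   # root of the tree has nothing to check against
            if ev.comm not in policy["spawns"].get(parent, set()):
                chain = " > ".join(ancestry(procs, ev.pid))
                findings.append(f"unexpected process: {chain}")
        elif ev.kind == "connect":
            comm = procs.get(ev.pid, (ev.comm, None))[0]
            if ev.dest not in policy["connects"].get(comm, set()):
                chain = " > ".join(ancestry(procs, ev.pid) or [ev.comm])
                findings.append(f"unexpected connection to {ev.dest} by {chain}")
    return findings

if __name__ == "__main__":
    for finding in evaluate(EVENTS, EXPECTED):
        print(finding)
```

Run as-is, the script reports nothing for the service start-up and three deviations for the post-login activity: the shell under sshd, the tool launched from that shell, and that tool’s outbound connection, each prefixed with the chain `systemd > sshd > bash ...`. Nothing about the credential itself is inspected; the detection rests entirely on recorded runtime behavior diverging from the codified expectation, which is exactly the gap MFA-based prevention leaves open once a factor has been handed over.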


To learn more and schedule a live demo, visit Spyderbat today.