Microsoft Attack: How PAM enables you to reduce cyberattack risks

Each day more news of cyber attacks come up in the media, involving from Small and Medium Enterprises (SMEs) to large business conglomerates. These attacks can have several motivations: they can only serve as alerts for organizations to increase their cybersecurity maturity; steal the data to resell it on the Deep Web; cause harm to the organization; or carry out extortion. This is in addition to the operational and image losses that organizations can suffer, which can be incalculable. It is important to emphasize that cybersecurity risks are increasingly associated with business risks, and must be considered by senior management when defining their business strategies. 

The Lapsus$ cyber gang has been doing quite a bit of damage these past few days. Okta and Microsoft are among the targets of successful attacks by DEV-0537, as the gang is called by the developer of Windows. Do you want to understand how the attacks on Microsoft and Okta occurred, and how the attacks could be prevented or minimized? Read this article until the end and we will explain.

Lapsus$ started its activities targeting organizations in the UK and South America. The cyber gang then expanded its actions to global targets, including government, technology, telecom, media, retail and healthcare. In both Microsoft and Okta cases, the malicious attackers used privileged credentials to carry out their attacks. According to the Verizon 2021 Data Breach Investigations Report, 61% of cyberattacks involved privileged credentials. But why are high-privilege credentials among cybercriminals’ favorite targets?

 Well, the main reason for the high rate of attacks through privileged credentials is because they allow the execution of a series of administrative activities in the environment. Transferring resources in an ERP system or changing the settings of a firewall or email server are some of the activities that can be performed using this type of credential. It’s no wonder they’re also called “keys to the kingdom”: privileged credentials give you unlimited access to your organization’s most critical devices, applications, and data.

 It is also worth remembering that Lapsus$ uses Social Engineering as a technique to gain access to privileged credentials, as well as in 35% of cyber attacks, according to the Verizon report. Techniques used by Lapsus$ include SIM Swapping, paying employees and third parties in exchange for their credentials or configured MFAs, or Social Engineering over the phone.

In the case of Okta, according to its CSO, the malicious attackers had access to a device of a Support engineer in a time window of six days, between January 16 and 21, 2022. Also according to the Okta executive, the cyber attack affected a low percentage of customers – approximately 2.5% or 400 customers.

Microsoft’s investigation of the incident found a compromised privileged account, which allowed access to their environment. However, the malicious attackers were not able to access personal data, such as customers, but they had access to the company’s source code, although Microsoft does not consider this fact serious.

To help organizations manage and protect their privileged credentials, there is Privileged Access Management, or PAM. According to Gartner, PAM solutions help organizations provide privileged access to critical assets and achieve compliance by managing and monitoring privileged accounts and access.

Also according to Gartner, it is impossible to manage privileged access risks without specific Privileged Access Management tools. But how can the senhasegura PAM security platform help prevent, detect and remediate cyberattacks such as those that occurred with Okta and Microsoft?

senhasegura offers an approach based on the privileged access lifecycle: from the actions performed before, during and after access.

Initially, senhasegura offers Credential Management features, which allow the user to view the password of a credential to access a device or application. senhasegura also allows you to configure criteria for password change, such as number of uses, specific date and time, or elapsed time.

 senhasegura also offers Remote Session Management functionality, which further increases security in relation to pure credential management. In this case, senhasegura records and stores all remote sessions carried out through the solution.

senhasegura’s Threat and Behavior Analysis allows the identification and response to any change in behavior patterns and user access profiles. In case of detection of suspicious access, the LiveStream functionality allows the Information Security team to monitor all actions performed by the user, being possible to block or interrupt the session in case of suspicious behavior.

 All actions performed by users through remote sessions on senhasegura are logged. In this case, the Security team is able to search for specific commands performed by the user, allowing them to easily find potentially malicious ones.

 Finally, senhasegura offers senhasegura Domum, which provides secure remote access for employees and third parties, providing Zero Trust-based access without the need for additional configuration, such as VPN, or access to the PAM solution. All of this with all the security features already offered by the PAM platform.

 We have seen that when it comes to cybersecurity, the question is not “if” the attack will occur, but when. Many of these cyberattacks involve privileged credentials, also called “keys to the kingdom”. According to Gartner, it is impossible to manage the risks associated with privileged access without specific tools. senhasegura offers a complete PAM platform, which covers the entire privileged access lifecycle. In this way, it is possible to quickly detect potentially malicious actions, thus allowing the reduction of operational costs in addition to compliance with regulatory requirements and security policies.