Lapsus$'s claim to have breached Microsoft has been confirmed by Microsoft itself. In a blog post on Tuesday, Microsoft revealed that a single employee's account had been compromised by the hacking group, granting the attackers "limited access" to Microsoft's systems and allowing source code to be taken. The blog post was published hours after Lapsus$ posted a torrent file containing partial source code from Bing, Bing Maps, and Cortana. Microsoft also stated that no customer data or code had been stolen.
Microsoft stated: "Our cybersecurity response teams rapidly engaged to fix the compromised account and prevent additional behavior. Microsoft does not use code secrecy as a security mechanism, and examining source code does not result in an increase in risk. When the attacker publicly publicized their penetration, our team was already analyzing the compromised account based on threat intelligence. Our team was able to intervene and disrupt the actor mid-operation as a result of the public revelation, minimizing the larger harm."
Microsoft hasn't revealed how the account was compromised, but it has published an outline of the Lapsus$ group's tactics, techniques, and procedures (TTPs), which the company's Threat Intelligence Center (MSTIC) has observed across several attacks. Initially, Lapsus$ targeted organizations in South America and the United Kingdom, but it has since expanded to governments and businesses in the technology, telecom, media, retail, and healthcare sectors.
According to Microsoft, the group, which it tracks as DEV-0537, operates on a "pure extortion and destruction approach" and "doesn't appear to disguise its traces," unlike previous hacking groups. This is likely a reference to the group's public recruiting of company employees to assist it in carrying out targeted operations. To acquire initial access to an organization, the group employs a variety of approaches, most of which focus on compromising user identities and accounts. In addition to recruiting personnel at targeted firms, these include buying credentials on dark web sites, scanning public repositories for exposed credentials, and deploying the Redline password stealer.
The group then uses the acquired credentials to access a company's internet-facing devices and systems, such as virtual private networks, remote desktop infrastructure, or identity management services such as Okta, which it successfully infiltrated in January. According to Microsoft, Lapsus$ has also used SIM swap attacks to take over an employee's phone number and text messages in order to obtain the multi-factor authentication (MFA) codes needed to log in to a company.
After gaining access to the network, Lapsus$ uses publicly available tools to search an organization's user accounts for employees with higher privileges or broader access, and then moves on to development and collaboration platforms like Jira, Slack, and Microsoft Teams, where additional credentials are stolen. As in the Microsoft breach, the group uses these credentials to access source code repositories on GitLab, GitHub, and Azure DevOps. "DEV-0537 phoned the organization's help desk in certain situations and tried to persuade support employees to reset a privileged account's credentials," Microsoft stated.
"To improve its social engineering lure, the group used previously obtained information (for example, profile images) and had a native-English-sounding caller speak with the help desk workers." The Lapsus$ group used the consumer virtual private network (VPN) service NordVPN to exfiltrate data, even choosing VPN servers physically close to its targets to avoid triggering network detection technologies. The stolen information is then either used for further extortion or made public.
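One of the initial-access techniques described above is scanning public repositories for exposed credentials. The defensive counterpart is to scan your own repositories before code is pushed. The following is an added example of such a scanner, not Microsoft's or any vendor's tooling; the credential patterns are illustrative, and the sample repository contents are constructed.

```python
"""Pre-push scanner for credentials accidentally committed to a repository.

Added example; the detection patterns are illustrative and the SAMPLE_FILES
below are constructed. A low-entropy filter suppresses obvious placeholders
such as password = "changeme" so real secrets stand out.
"""
import math
import re
from collections import Counter

# Credential formats as publicly documented by the respective vendors, plus
# a generic "key = value" catch-all for secrets assigned in source files.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        r"(?i)(password|secret|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}

def shannon_entropy(s):
    """Bits of entropy per character; placeholders score low, real secrets high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(path, text, entropy_threshold=3.5):
    """Return (path, line_no, kind) for every credential-looking line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            # Only the generic pattern captures a value; drop low-entropy placeholders.
            if kind == "generic_secret" and shannon_entropy(m.group(2)) < entropy_threshold:
                continue
            findings.append((path, n, kind))
    return findings

def scan_repo(files):
    """files: mapping of path -> file contents (e.g. from `git diff --cached`)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample repository; AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = "changeme"\nAPI_KEY = "s3cr3tV4lue9x!Qz"\n',
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Run `make test` before pushing.\n",
}

if __name__ == "__main__":
    for path, line_no, kind in scan_repo(SAMPLE_FILES):
        print(f"{path}:{line_no}: possible {kind}")
```

Wired into a pre-push hook or a CI job, a non-empty result from `scan_repo` should block the push and trigger rotation of the exposed credential.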