Microsoft confirms its systems were breached by Lapsus$.
A blog post published on Tuesday, hours after Lapsus$ released a torrent file containing some of the source code for Bing, Bing Maps, and Cortana, revealed that a single Microsoft employee's account had been compromised. The hacking group used that account to gain limited access to Microsoft systems and to steal some of the company's source code.
Microsoft added that no customer code or data was involved.
Microsoft said its cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. The company does not rely on the secrecy of its code as a security measure, and viewing the source code does not lead to elevated risk. Its team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed the intrusion; that public disclosure escalated the response, allowing the team to intervene and interrupt the actor mid-operation, limiting the broader impact.
Lapsus$ initially targeted organizations in the United Kingdom and South America, but has since expanded to global targets, including governments and organizations in the technology, telecommunications, media, security, retail, and healthcare sectors.
The group, which Microsoft tracks as DEV-0537, operates on a pure extortion and destruction model and, unlike most hacking groups, does not appear to cover its tracks, going so far as to announce its attacks publicly. The group uses several methods to gain initial access to an organization, usually focused on compromising user identities and accounts. Besides recruiting employees at targeted organizations, these include purchasing credentials on dark web forums, searching public code repositories for exposed credentials, and deploying the Redline password stealer.
Lapsus$ then uses the compromised credentials to access the target's internet-facing systems and devices, such as remote desktop infrastructure, virtual private networks, or identity management services like Okta. Microsoft says that in at least one compromise, Lapsus$ performed a SIM-swapping attack to take control of an employee's phone number and text messages, giving it the multi-factor authentication (MFA) codes needed to log in to the organization.
Once inside the network, Lapsus$ uses publicly available tools to enumerate the organization's user accounts in search of employees with higher privileges or broader access, then targets development and collaboration platforms such as Jira, Slack, and Microsoft Teams, where further credentials are harvested. The group also uses these credentials to access source code repositories on GitLab, GitHub, and Azure DevOps, as it did in the Microsoft attack.
Microsoft added that in some cases DEV-0537 even called the organization's help desk and tried to convince the support agent to reset the credentials of a privileged account. The group used previously gathered information about the target and had a native English speaker make the call to make the social engineering more convincing.
Lapsus$ has also set up dedicated infrastructure. It uses a well-known virtual private server (VPS) provider and the consumer-grade NordVPN service to exfiltrate data, even choosing VPN servers geographically close to the target so that its logins do not trip impossible-travel or similar network detections. The stolen data is then used for extortion or public release.
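To show why a geographically close VPN exit defeats the simplest network detection, here is an added example in Python that is not from the original article and not Microsoft's or Lapsus$'s code. It runs an impossible-travel check over a few constructed sign-in events and then a complementary check on the egress network's owner, which geography cannot hide. The sample events, the "Contoso Corp" and "ExampleVPN" organization names, and the 900 km/h threshold are all assumptions for illustration; in practice the organization name would come from ASN or geo-IP enrichment of the source address.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner cruise speed


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    lat: float
    lon: float
    org: str  # network owner from ASN/geo-IP enrichment (assumed available)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive sign-ins by the same user whose implied speed is not humanly possible.

    Returns a list of (user, previous_event, current_event, speed_kmh).
    """
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Two sign-ins at the same instant from different places is as suspicious as it gets.
            speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((user, prev, cur, speed))
    return alerts


def vpn_egress(events, vpn_orgs):
    """Complementary check: sign-ins whose source network belongs to a known consumer VPN provider.

    A nearby exit node passes the distance test, but the network owner still gives it away.
    """
    wanted = {o.lower() for o in vpn_orgs}
    return [e for e in events if e.org.lower() in wanted]


def _t(hh: int, mm: int) -> datetime:
    return datetime(2022, 3, 21, hh, mm, tzinfo=timezone.utc)


# Constructed sample: two users, each with an office sign-in followed by a sign-in through
# a VPN exit. Alice's exit node is a few kilometres from her office; Bob's is on another continent.
SAMPLE_EVENTS = [
    SignIn("alice", _t(9, 0), 51.5074, -0.1278, "Contoso Corp"),   # London office
    SignIn("alice", _t(9, 20), 51.5155, -0.0922, "ExampleVPN"),    # London VPN exit
    SignIn("bob", _t(9, 0), 51.5074, -0.1278, "Contoso Corp"),     # London office
    SignIn("bob", _t(9, 30), -23.5505, -46.6333, "ExampleVPN"),    # São Paulo VPN exit
]

KNOWN_VPN_ORGS = {"ExampleVPN"}  # assumption: in practice maintained from ASN/geo-IP data


if __name__ == "__main__":
    for user, prev, cur, speed in impossible_travel(SAMPLE_EVENTS):
        print(f"impossible travel: {user} moved {speed:,.0f} km/h between "
              f"{prev.ts:%H:%M} and {cur.ts:%H:%M}")
    for e in vpn_egress(SAMPLE_EVENTS, KNOWN_VPN_ORGS):
        print(f"vpn egress: {e.user} at {e.ts:%H:%M} from {e.org}")
```

Only Bob's second sign-in trips the distance check; Alice's London-to-London hop implies a walking pace and passes cleanly, which is exactly the gap a nearby exit node exploits. The network-owner check catches both, so the two signals are best combined rather than relying on geography alone.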
The Lapsus$ hacking group has made a name for itself in recent weeks, hitting several top companies including Nvidia and Samsung. Earlier this week its latest victim was revealed to be Okta, after the gang released screenshots of the identity giant's internal systems. Okta confirmed the breach, which it attributed to Lapsus$ compromising the account of a third-party customer support engineer, and said it affected about 2.5% of its 15,000 customers.
It remains unclear why Okta has so far not notified its customers of the intrusion, which took place over five days in January.