Microsoft has confirmed that the Lapsus$ hacking group breached it.
In a blog post on Tuesday — published hours after Lapsus$ posted a torrent file containing partial source code from Bing, Bing Maps, and Cortana — Microsoft revealed that a single employee’s account was compromised by the hacking group, granting the attackers “limited access” to Microsoft’s systems and allowing the theft of the company’s source code.
Microsoft added that no customer code or data was compromised.
“Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft said. “Microsoft does not rely on code secrecy as a security measure, and viewing source code does not lead to elevation of risk. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”
Microsoft hasn’t shared any further details about how the account was compromised but provided an overview of the Lapsus$ group’s tactics, techniques, and procedures, which the company’s Threat Intelligence Center, known as MSTIC, has observed across multiple attacks. Initially, these attacks targeted organizations in South America and the U.K. However, Lapsus$ has since expanded to global targets, including governments and companies in the technology, telecom, media, retail, and healthcare sectors.
The group, which the technology giant is tracking as DEV-0537, operates with a “pure extortion and destruction model” and, unlike other hacking groups, “doesn’t seem to cover its tracks,” according to Microsoft, likely a nod to the group’s public recruitment of company insiders to help it carry out its targeted attacks. The group uses several methods to gain initial access to an organization, typically focused on compromising user identities and accounts. As well as recruiting employees at targeted organizations, these methods include purchasing credentials from dark web forums, searching public repositories for exposed credentials, and deploying the Redline password stealer.
Lapsus$ then uses compromised credentials to access a company’s internet-facing devices and systems, such as virtual private networks, remote desktop infrastructure, or identity management services like Okta, which the hacking group successfully breached in January. Microsoft says that in at least one compromise, Lapsus$ performed a SIM swap attack to take control of an employee’s phone number and text messages, giving it access to the multi-factor authentication (MFA) codes needed to log in to an organization.
After gaining access to the network, Lapsus$ uses publicly available tools to explore an organization’s user accounts and find employees with higher privileges or broader access. It then targets development and collaboration platforms, such as Jira, Slack, and Microsoft Teams, where other credentials are stolen. The hacking group also uses these credentials to gain access to source code repositories on GitLab, GitHub, and Azure DevOps, as it did with the attack on Microsoft.
“In some cases, DEV-0537 even called the organization’s help desk and attempted to convince the support personnel to reset a privileged account’s credentials,” Microsoft added. “The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure.”
The Lapsus$ gang has set up dedicated infrastructure at known virtual private server (VPS) providers and leverages the consumer virtual private network service NordVPN for exfiltrating data, even using localized VPN servers that are geographically close to its targets to avoid triggering network detection tools. Stolen data is then used for future extortion or publicly released.
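A VPN exit close to the victim defeats distance-based "impossible travel" rules, so the network type of the source address has to be checked as well. The following is an added example, not code from Microsoft's post or this article, that runs both checks over constructed sign-in events; the record fields, IP addresses, ASN numbers and the VPN/hosting ASN list are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Assumption: ASNs the defender has classified as consumer-VPN or VPS hosting.
# Constructed value from the documentation ASN range (RFC 5398).
VPN_OR_HOSTING_ASNS = {64500}
MAX_SPEED_KMH = 900  # roughly airliner speed; faster implies "impossible travel"

@dataclass
class SignIn:  # hypothetical, simplified sign-in log record
    user: str
    hour: float  # hours since start of the sample window
    lat: float
    lon: float
    asn: int
    ip: str

def km_between(a, b):
    """Great-circle (haversine) distance between two sign-ins, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def review(events):
    """Return {ip: [reasons]} for sign-ins that warrant analyst review."""
    findings, last = {}, {}
    for e in sorted(events, key=lambda ev: ev.hour):
        reasons = []
        prev = last.get(e.user)
        if prev is not None:
            hours = max(e.hour - prev.hour, 1e-6)  # avoid division by zero
            if km_between(prev, e) / hours > MAX_SPEED_KMH:
                reasons.append("impossible_travel")
        if e.asn in VPN_OR_HOSTING_ASNS:
            reasons.append("vpn_or_hosting_asn")
        if reasons:
            findings[e.ip] = reasons
        last[e.user] = e
    return findings

# Constructed sample events (documentation IP ranges, RFC 5737).
EVENTS = [
    SignIn("alice", 0.0, 51.5074, -0.1278, 64496, "192.0.2.10"),    # London, usual ISP
    SignIn("alice", 1.0, 51.4545, -2.5879, 64500, "198.51.100.7"),  # VPN exit in Bristol
    SignIn("alice", 2.0, 1.3521, 103.8198, 64501, "203.0.113.5"),   # Singapore, 1h later
]

if __name__ == "__main__":
    for ip, reasons in review(EVENTS).items():
        print(ip, reasons)
```

The nearby VPN sign-in is flagged only by the network-type check, while the distant one is caught by the speed check alone.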
Over the past few weeks, the Lapsus$ hacking group has made a name for itself, compromising several prominent companies, including Nvidia and Samsung. Earlier this week, its latest victim was outed as Okta after the gang posted screenshots of the identity giant’s internal systems. Okta confirmed the breach, which resulted from Lapsus$ compromising a third-party customer support engineer and impacted around 2.5% of its 15,000 customers.
It’s currently unclear why Okta didn’t notify its customers about the compromise, which occurred during a five-day window in January, until now.