Microsoft has confirmed that it was breached by the Lapsus$ hacking group.
In a blog post on Tuesday — published hours after Lapsus$ posted a torrent file containing partial source code from Bing, Bing Maps and Cortana — Microsoft revealed that a single employee’s account was compromised by the hacking group, granting the attackers “limited access” to Microsoft’s systems and allowing the theft of the company’s source code.
Microsoft added that no customer code or data was compromised.
“Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft said. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”
Microsoft hasn’t shared any further details about how the account was compromised but provided an overview of the Lapsus$ group’s tactics, techniques and procedures, which the company’s Threat Intelligence Center , known as MSTIC, has observed across multiple attacks. Initially, these attacks targeted organizations in South America and the U.K., though Lapsus$ has since expanded to global targets, including governments and companies in the technology, telecom, media, retail and healthcare sectors.
The group, which the technology giant is tracking as DEV-0537, operates with a “pure extortion and destruction model” and, unlike other hacking groups, “doesn’t seem to cover its tracks,” according to Microsoft, likely a nod to the group’s public recruitment of company insiders to help it carry out their targeted attacks. The group uses a number of methods to gain initial access to an organization, which typically focus on compromising user identities and accounts. As well as the recruitment of employees at targeted organizations, these include purchasing credentials from dark web forums, searching public repositories for exposed credentials and deploying the Redline password stealer.
Lapsus$ then uses compromised credentials to access a company’s internet-facing devices and systems, such as virtual private networks, remote desktop infrastructure, or identity management services, such as Okta, which the hacking group successfully breached in January. Microsoft says that in at least one compromise, Lapsus$ performed a SIM swap attack to gain control of an employee’s phone number and text messages to gain access to multi-factor authentication (MFA) codes needed to log in to an organization.
After gaining access to the network, Lapsus then uses publicly available tools to explore an organization’s user accounts to find employees that have higher privileges or broader access, and then targets development and collaboration platforms, such as Jira, Slack and Microsoft Teams, where further credentials are stolen. The hacking group also uses these credentials to gain access to source code repositories on GitLab, GitHub and Azure DevOps, as it did with the attack on Microsoft.
“In some cases, DEV-0537 even called the organization’s help desk and attempted to convince the support personnel to reset a privileged account’s credentials,” Microsoft added. “The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure.”
The Lapsus$ gang set up a dedicated infrastructure in known virtual private server (VPS) providers and leverages consumer virtual private network service NordVPN for exfiltrating data — even using localized VPN servers that were geographically close to their targets to avoid triggering network detection tools. Stolen data is then used for future extortion or publicly released.
The Lapsus$ hacking group has made a name for itself over the past few weeks, compromising a number of prominent companies, including Nvidia and Samsung. Earlier this week, its latest victim was outed as Okta after the gang posted screenshots of the identity giant’s internal systems. Okta confirmed the breach, which it said was the result of Lapsus$ compromising a third-party customer support engineer and said it impacted around 2.5% of its 15,000 customers.
It’s currently unclear why Okta didn’t notify its customers about the compromise, which occurred during a five-day window in January, until now.