Lapsus$ hackers compromised Microsoft’s DevOps server and exfiltrated source code for several products.
The Redmond, Washington-based tech company confirmed the breach and clarified that only a single account had been compromised and no customer data was accessed.
Tracked by Microsoft as DEV-0537, Lapsus$ operates on a “pure extortion and destruction model without deploying ransomware payloads.”
The group started its operations by targeting organizations in the United Kingdom and South America before expanding globally. Its recent high-profile victims include Okta, Samsung, Nvidia, and Ubisoft.
Lapsus$ hackers publish Microsoft’s source code
The group claims to have hacked Microsoft and stolen the source code for Bing, Bing Maps, and Cortana voice assistance.
On March 20, 2022, Lapsus$ hackers published 9GB of source code for 250 projects allegedly stolen from Microsoft. Then on March 22, the threat actors published another 37 GB of source code exfiltrated from Microsoft’s compromised Azure DevOps server.
Security researchers analyzed the source code and suggested that the repositories appeared legitimate. Additionally, they found communication emails and internal engineering documentation, likely from Microsoft.
However, the source code leak did not affect desktop software like Microsoft Windows or Microsoft Office. It only impacted the tech giant’s web infrastructure, websites, and mobile apps.
Microsoft confirmed the data breach but assured its customers that the source code leak does not expose them to an elevated risk of cyberattacks.
“Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk,” the company stated.
Similarly, the group’s admission gives credence to Microsoft’s claims. Lapsus$ claims to have accessed only 45% of Bing and Cortana’s source code, and 90% of Bing Maps’ source code.
“Attackers attack Microsoft and Okta because they know the value of identity,” Rajiv Pimplaskar, CEO of Dispersive Holdings, said. “Identity, not apps, not servers, not devices is the important component in the cyber security world. It is amazing that so many companies still use the required access reviewed – required in so many compliance measures (SOX, SOC2, HIPAA/HITRUST, ISO 270001, PCI-DSS, CMMC) as a check box.”
How does Lapus$ compromise its victims?
Microsoft’s threat intelligence and response teams published a blog post listing Lapsus$ hackers’ tactics, techniques, and procedures (TTPs).
According to Microsoft, the hacking group Lapsus$ deploys the RedLine stealer to harvest login credentials and security tokens. Similarly, the hacking group buys stolen login credentials from underground forums and searches public repositories for exposed credentials.
Additionally, Lapsus$ hackers pay employees, suppliers, and partners to sneak them past multifactor authentication (MFA).
On March 10, the group posted on its Telegram channel that it was recruiting insiders in high-profile software companies like Microsoft, Apple, IBM, EA, and telecommunications firms such as AT&T and Telefonica.
The group also sought to recruit insiders at call centers like Atento and Teleperformance and server hosting providers like OVH and Locaweb. Additionally, Lapsus$ invited outsiders with access to the targeted companies’ virtual private networks (VPNs) and virtual desktop infrastructure (VDIs).
According to Microsoft, Lapsus$ hackers also leverage social engineering tactics, SIM swapping scams, email accounts takeover, and intrusion into ongoing communications.
“For organizations using MFA security, DEV-0537 used two main techniques to satisfy MFA requirements–session token replay and using stolen passwords to trigger simple-approval MFA prompts hoping that the legitimate user of the compromised account eventually consents to the prompts and grants the necessary approval,” Microsoft wrote.
Microsoft noted that Lapsus$ hackers do not cover their tracks and publicly announce their intent to buy access to targeted organizations on social media.
Saryu Nayyar, CEO and Founder of Gurucul, said insider threats had become more prevalent and usually accompanied external attacks.
“This has been more common when insiders are recruited by external groups based on nation-state attack objectives seeking to gain access to networks, steal intellectual property or gain further intelligence on individuals,” Saryu said.
Microsoft recommends the implementation of MFA as the first line of defense against Lapsus$ hackers. The tech giant also recommends creating awareness of social engineering tactics, requiring healthy and trusted endpoints, strengthening and hardening cloud posture, and using modern authentication for VPNs.
“The attack on Microsoft follows the typical pattern we are seeing from the Lapsus$ extortion gang, including the recent attack on computer hardware manufacturer Nividia,” Darren Williams, CEO and Founder, BlackFog, said. “The Lapsus$ gang, in particular, has ramped up attacks in March and which further highlights that the traditional defensive approaches that have been historically relied on are failing organizations today.”