May 28, 2022

Microsoft has confirmed that it has been hacked by the Lapsus$ hacker group.

In a blog post on Tuesday, hours after Lapsus$ posted a torrent file containing partial source code from Bing, Bing Maps and Cortana, Microsoft said one of its employees’ accounts had been compromised by the hacking group. This gave the attackers “restricted access” to Microsoft systems and allowed them to steal some of the company’s source code.

Microsoft stated that no customer code or data was compromised.

“Our cybersecurity response teams took prompt action to recover the compromised account and prevent further action,” Microsoft said in a statement. “Microsoft does not rely on code confidentiality as a security measure, and viewing source code does not increase risk. Our team was already investigating the hacked account based on threat intelligence when the actor went public with its hack. This public disclosure enhanced our operations by allowing our team to intervene mid-operation and interrupt the actor, limiting wider exposure.”

Microsoft did not share any details about how the account was hacked, but it did provide an overview of the tactics, techniques, and procedures of the Lapsus$ group, which the company’s Threat Intelligence Center, known as MSTIC, has observed across many attacks. Initially, these attacks targeted organizations in South America and the UK, although Lapsus$ has since expanded to global targets, including governments and companies in technology, telecommunications, media, retail, and healthcare.

The group, which Microsoft tracks as DEV-0537, uses a “pure extortion and destruction model” and, unlike other hacking groups, “doesn’t cover its tracks,” Microsoft said. It also recruits insiders at target companies to help it conduct targeted attacks. The group uses a number of methods to gain initial access to an organization, usually by compromising user credentials or accounts. In addition to recruiting employees of target organizations, these include buying credentials on dark web forums, searching public code repositories for exposed credentials, and deploying password-stealing malware.

Lapsus$ then uses the compromised credentials to reach its goal: an organization’s Internet-facing devices and systems, such as VPNs, remote desktop infrastructure, or identity management services such as Okta, which the group successfully compromised in January. Microsoft says that in at least one compromise, Lapsus$ took control of an employee’s phone number and text messages to obtain the multi-factor authentication (MFA) codes needed to sign in to the organization.

Once Lapsus$ has access to a network, it uses publicly available tools to explore the organization’s user accounts, looking for employees with higher privileges or broader access, and targets development and collaboration platforms such as Jira, Slack, and Microsoft Teams. The group also uses these credentials to access source code repositories on GitLab, GitHub, and Azure DevOps, which appears to be how the attack on Microsoft was carried out.

“In some cases, DEV-0537 even called the organization’s help desk and tried to convince the support staff to reset a privileged account’s credentials,” Microsoft said. “The group used previously collected information (such as profile photos) and an English-speaking caller to speak with support staff to enhance its social engineering lure.”

The Lapsus$ gang has set up dedicated infrastructure at well-known virtual private server (VPS) providers and uses the NordVPN consumer virtual private network service to exfiltrate data, even choosing VPN exit servers geographically close to its targets so as not to trigger network detection tools. The stolen data is then used for future extortion or public release.
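The access chain Microsoft describes in the preceding paragraphs (a help-desk credential reset on a privileged account, a change of the MFA phone number, a sign-in from consumer VPN or VPS address space, then bulk pulling of source repositories) can be expressed as correlation rules over identity and repository audit events. The Python below is an added example, not code from the article, from Microsoft, or from any vendor: the event schema, the ASN watch-list labels, the user names and the sample events are all constructed for illustration, and the thresholds are assumptions a team would tune to its own environment.

```python
"""Correlation rules for the Lapsus$-style access pattern (constructed example)."""
from datetime import datetime, timedelta

# Hypothetical watch-list: labels for ASNs belonging to consumer VPN exits and
# VPS providers from which employees are not expected to sign in.
SUSPECT_ASNS = {"AS-VPN-CONSUMER", "AS-VPS-PROVIDER"}
# Hypothetical list of accounts that hold elevated privileges.
PRIVILEGED = {"alice.admin"}
# Assumed correlation window and bulk-clone threshold; tune per environment.
WINDOW = timedelta(hours=24)
REPO_THRESHOLD = 5


def parse(ts: str) -> datetime:
    """Parse the ISO 8601 timestamp used by the sample events."""
    return datetime.fromisoformat(ts)


def correlate(events):
    """Return alerts as (rule, user, timestamp) tuples, one per rule and user.

    Each event is a dict with keys ts, user, action, asn and optionally detail.
    Events do not need to be sorted; they are ordered by time here.
    """
    fired = {}
    evs = sorted(events, key=lambda e: parse(e["ts"]))
    by_user = {}
    for e in evs:
        by_user.setdefault(e["user"], []).append(e)

    for user, es in by_user.items():
        for i, e in enumerate(es):
            t = parse(e["ts"])
            later = [x for x in es[i + 1:] if parse(x["ts"]) - t <= WINDOW]

            # Rule 1: MFA phone number changed, then a sign-in from VPN/VPS
            # space. Matches a phone-number takeover used to read MFA codes.
            if e["action"] == "mfa_phone_changed" and any(
                x["action"] == "signin" and x["asn"] in SUSPECT_ASNS for x in later
            ):
                fired.setdefault(("mfa_takeover", user), e["ts"])

            # Rule 2: help desk reset a privileged account's password, then
            # a sign-in from an ASN that account had never used before.
            if e["action"] == "helpdesk_password_reset" and user in PRIVILEGED:
                seen = {x["asn"] for x in es[:i] if x["action"] == "signin"}
                if any(x["action"] == "signin" and x["asn"] not in seen for x in later):
                    fired.setdefault(("helpdesk_reset_new_location", user), e["ts"])

            # Rule 3: many distinct repositories cloned inside the window,
            # the collection step before data is exfiltrated.
            if e["action"] == "repo_clone":
                repos = {x.get("detail") for x in [e] + later if x["action"] == "repo_clone"}
                if len(repos) >= REPO_THRESHOLD:
                    fired.setdefault(("bulk_repo_access", user), e["ts"])

    return sorted([(r, u, t) for (r, u), t in fired.items()], key=lambda a: a[2])


# Constructed sample audit trail: one compromised admin and one normal developer.
SAMPLE_EVENTS = [
    {"ts": "2022-01-10T08:00:00", "user": "alice.admin", "action": "signin", "asn": "AS-CORP-OFFICE"},
    {"ts": "2022-01-10T09:15:00", "user": "alice.admin", "action": "helpdesk_password_reset",
     "asn": "AS-CORP-OFFICE", "detail": "caller claimed lost laptop"},
    {"ts": "2022-01-10T09:40:00", "user": "alice.admin", "action": "mfa_phone_changed", "asn": "AS-CORP-OFFICE"},
    {"ts": "2022-01-10T10:05:00", "user": "alice.admin", "action": "signin", "asn": "AS-VPN-CONSUMER"},
    {"ts": "2022-01-10T10:20:00", "user": "alice.admin", "action": "repo_clone", "asn": "AS-VPN-CONSUMER", "detail": "repo-a"},
    {"ts": "2022-01-10T10:21:00", "user": "alice.admin", "action": "repo_clone", "asn": "AS-VPN-CONSUMER", "detail": "repo-b"},
    {"ts": "2022-01-10T10:22:00", "user": "alice.admin", "action": "repo_clone", "asn": "AS-VPN-CONSUMER", "detail": "repo-c"},
    {"ts": "2022-01-10T10:23:00", "user": "alice.admin", "action": "repo_clone", "asn": "AS-VPN-CONSUMER", "detail": "repo-d"},
    {"ts": "2022-01-10T10:24:00", "user": "alice.admin", "action": "repo_clone", "asn": "AS-VPN-CONSUMER", "detail": "repo-e"},
    {"ts": "2022-01-10T11:00:00", "user": "bob.dev", "action": "signin", "asn": "AS-CORP-OFFICE"},
    {"ts": "2022-01-10T11:05:00", "user": "bob.dev", "action": "repo_clone", "asn": "AS-CORP-OFFICE", "detail": "repo-a"},
]

if __name__ == "__main__":
    for rule, user, ts in correlate(SAMPLE_EVENTS):
        print(f"{ts} {user} {rule}")
```

Rule 2 deliberately keys on a location the account has never used rather than on the watch-list alone, because a caller who has convinced the help desk will not necessarily connect through a known VPN provider; rule 1 keys on the MFA change itself, since a phone-number takeover produces a valid code and leaves no failed-MFA trace to alert on.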

The Lapsus$ hacker group has made a name for itself in recent weeks by compromising several big companies, including Nvidia and Samsung. Earlier this week, Okta emerged as the latest victim after the gang released screenshots of the identity giant’s internal systems. Okta confirmed the breach, which it says occurred through the compromise of a third-party customer support engineer’s account, and said it affected about 2.5% of its 15,000 customers.

It is currently unclear why Okta did not notify its customers sooner of the breach, which took place over five days in January.
