Microsoft confirmed Tuesday that hacker group Lapsus$ gained “limited access” to the tech giant through a single compromised account while dismissing any elevation of risk from the attack.
In a blog post, Microsoft outlined how Lapsus$ attacks targets and acknowledged that the group used these tactics to force its way into the company.
“No customer code or data was involved in the observed activities,” according to the blog post. “Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”
Lapsus$ – or DEV-0537, as Microsoft calls the group – said it breached internal source code repositories for Microsoft Azure DevOps in a post on messaging application Telegram on Sunday. The repository appears to show access to Bing- and Cortana-related projects.
“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion,” according to the Microsoft post. “This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”
The group has been active, previously targeting Okta, Nvidia, Samsung and other big tech companies. As many as 366 Okta customers might have had their data ‘acted upon’ following the Lapsus$ cyberattack against the identity security giant’s customer support subcontractor.
Information on Lapsus$
Lapsus$ uses a pure extortion and destruction model without ransomware payloads, according to Microsoft. Its earliest targets were in the United Kingdom and South America, but it’s expanded to government agencies, healthcare organisations and companies in a variety of sectors worldwide.
Lapsus$ advertises that it will buy credentials from employees of target organizations, uses subscriber identity module (SIM) swapping to take over accounts and intrudes on crisis communications of targets.
The group has also called organisations’ help desks to try to reset privileged accounts’ credentials using common recovery prompts such as “mother’s maiden name” and even using a fluent English speaking caller to speak with the help desk, according to Microsoft.
“Since many organisations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organisations give their help desk personnel the ability to elevate privileges,” according to Microsoft.
Advice from Microsoft
To better defend against Lapsus$, Microsoft recommended that users strengthen multifactor authentication (MFA), require trusted endpoints, leverage modern authentication options for virtual private networks (VPNs), improve and monitor cloud security postures and train organizations in social engineering attacks, among other actions.
For MFA, users should avoid weak factors such as text messaging, secondary email addresses and voice approvals, instead using tools such as Fast Identity Online (FIDO) tokens, according to Microsoft.
For cloud security postures, because Lapsus$ uses legitimate credentials to gain access, security professionals should review Conditional Access user and session risk configurations and review risk detections in Azure Active Directory (AD) Identity Protection, among other actions.
Lapsus$ monitors and intrudes in incident response communications, so users should monitor these channels for unauthorised attendees and perform visual or audio verification, according to Microsoft.