
Microsoft confirms data breach by the Lapsus$ group

After Lapsus$ leaked 37 GB of source code taken from Microsoft's Azure DevOps server on Monday night (the 21st), Microsoft confirmed on Tuesday (the 22nd) that one of its employee accounts had been compromised in the group's attack.

Confirmation came via a Microsoft blog post, in which the company explained that the hijacked account gave limited access to source code repositories for internal projects, including Bing, Cortana, and Bing Maps.

Image: BleepingComputer/Lapsus$

In an advisory on the threat actors, Microsoft stated that “no code or customer data was involved in the observed activities”. It added that it “does not rely on code secrecy as a security measure and viewing the source code does not lead to increased risk. The tactics DEV-0537 [Microsoft tracks the Lapsus$ data-extortion group as ‘DEV-0537’] used in this intrusion reflect the tactics and techniques discussed in this blog.”

Microsoft says an investigation of the compromised account was already under way “based on threat intelligence when the actor publicly revealed his intrusion.” That public disclosure, the company says, allowed its team to “stop the actor’s operation mid-operation, limiting a broader impact.”

Lapsus$ Tactics and Techniques According to Microsoft

While not sharing how the account was compromised, Microsoft provided an overview of the tactics, techniques, and procedures (TTPs) seen in various attacks by the Lapsus$ group.

According to Microsoft, the group's initial access relies on compromised credentials, which it obtains using the following methods:

  • Deploying the Redline password stealer to harvest passwords and session tokens (the malware has become the group's preferred credential-theft tool and is commonly distributed through phishing emails, watering-hole sites, warez sites and YouTube videos)
  • Buying credentials and session tokens on dark web forums
  • Paying employees at target organizations (or their vendors and business partners) for credential access and multi-factor authentication (MFA) approval
  • Searching public code repositories for exposed credentials
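The last method above has a straightforward defensive counterpart: scan your own source tree for credentials before it is pushed to a public repository. The following is an added example, not code from the article or from Microsoft; the rules, the entropy threshold and the sample files are illustrative choices (the AWS key is the placeholder value used in AWS documentation), not a complete secret-scanning ruleset.

```python
"""Scan source text for exposed credentials before it reaches a public repo.

Added example; not part of the article or Microsoft's guidance. The rules,
sample files and entropy threshold below are illustrative assumptions.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


# Each rule: (name, regex) where capture group 1 is the suspected secret.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key-block",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    # Quoted literal assigned to a password/secret/token-like name.
    ("generic-assignment", re.compile(
        r'''(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['"]([^'"]{8,})['"]''')),
]

# Values that are obviously templates or placeholders, not real secrets.
PLACEHOLDERS = re.compile(r"(?i)^(changeme|example|todo|xxx+|\$\{.*\}|<.*>)$")


def shannon_entropy(s: str) -> float:
    """Bits per character: random secrets score high, words and placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Return one Finding per rule hit; generic hits are filtered for noise."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1)
                # Structured rules (AKIA..., PEM headers) are precise enough to
                # report as-is; generic assignments need a placeholder and
                # entropy filter or they drown real hits in noise.
                if name == "generic-assignment":
                    if PLACEHOLDERS.match(value) or shannon_entropy(value) < min_entropy:
                        continue
                findings.append(Finding(path, line_no, name, line.strip()))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} mapping (stand-in for a checkout)."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample "repository"; the AWS key is the documented AWS example
# value, the SMB password and key material are made up for this example.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'   # not a literal: no hit
        'API_TOKEN = "CHANGEME"\n'                    # placeholder: filtered
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    "scripts/backup.sh": 'SMB_PASSWORD="Qv7#pL2x!mR9zTe4"\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```

Run this as a pre-commit hook or in CI and fail the build on any finding; the entropy filter is a heuristic, so tune `min_entropy` against your own false-positive rate rather than trusting the value used here.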

Once the group holds compromised credentials, it uses them to log into the company's internet-facing devices and services (VPNs, virtual desktop infrastructure, or identity management services, as in the Okta breach).

Microsoft also says the group uses session replay attacks against accounts protected by MFA, or repeatedly triggers MFA push notifications until the worn-down user finally approves the login.

In at least one attack, Lapsus$ carried out a SIM swap, taking control of the victim's phone number and SMS messages in order to receive the MFA codes needed to log into the account.
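The MFA push-bombing pattern described above leaves a recognisable trace in sign-in logs: a burst of denied or unanswered prompts for one user, then an approval. The detector below is an added example written for this article, not Microsoft's code; the log line format is constructed for illustration (real Azure AD sign-in logs use different field names, so map them into `SignIn` before use), and the ten-minute window and five-prompt threshold are starting points, not recommended values.

```python
"""Detect MFA push-fatigue (prompt bombing) in sign-in logs.

Added example; the log format, window and threshold are assumptions made for
this illustration, not values from the article or Microsoft's report.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    mfa_result: str  # "denied", "timeout" or "approved"


@dataclass(frozen=True)
class FatigueAlert:
    user: str
    prompts: int          # unanswered/denied prompts before the approval
    first_prompt: datetime
    approved_at: datetime
    ip: str               # source of the approved sign-in


def parse_log(text: str) -> list[SignIn]:
    """Parse constructed lines of the form:
    2022-03-21T22:00:10Z user=j.doe ip=198.51.100.23 mfa=denied
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append(SignIn(
            user=fields["user"],
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            ip=fields["ip"],
            mfa_result=fields["mfa"],
        ))
    return events


def detect_mfa_fatigue(events: Iterable[SignIn],
                       window: timedelta = timedelta(minutes=10),
                       threshold: int = 5) -> list[FatigueAlert]:
    """Flag a user when `threshold` or more denied/timed-out MFA prompts within
    `window` are followed by an approval: the moment the victim gives in."""
    by_user: dict[str, list[SignIn]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    alerts: list[FatigueAlert] = []
    for user, evs in by_user.items():
        pending: list[SignIn] = []  # recent prompts the user did not approve
        for e in evs:
            # Slide the window: drop prompts older than `window` relative to now.
            pending = [p for p in pending if e.ts - p.ts <= window]
            if e.mfa_result in ("denied", "timeout"):
                pending.append(e)
            elif e.mfa_result == "approved":
                if len(pending) >= threshold:
                    alerts.append(FatigueAlert(user, len(pending),
                                               pending[0].ts, e.ts, e.ip))
                pending = []  # an approval ends the burst either way
    return alerts


# Constructed sample: j.doe is bombed six times in five minutes and then
# approves; a.smith mistypes once and approves, which is normal behaviour.
SAMPLE_LOG = """\
2022-03-21T22:00:10Z user=j.doe ip=198.51.100.23 mfa=denied
2022-03-21T22:00:55Z user=j.doe ip=198.51.100.23 mfa=timeout
2022-03-21T22:01:40Z user=j.doe ip=198.51.100.23 mfa=denied
2022-03-21T22:02:30Z user=a.smith ip=192.0.2.10 mfa=denied
2022-03-21T22:02:35Z user=j.doe ip=198.51.100.23 mfa=timeout
2022-03-21T22:03:20Z user=j.doe ip=198.51.100.23 mfa=denied
2022-03-21T22:03:50Z user=a.smith ip=192.0.2.10 mfa=approved
2022-03-21T22:04:05Z user=j.doe ip=198.51.100.23 mfa=denied
2022-03-21T22:05:12Z user=j.doe ip=198.51.100.23 mfa=approved
"""

if __name__ == "__main__":
    for a in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"MFA fatigue: {a.user} approved from {a.ip} at {a.approved_at} "
              f"after {a.prompts} prompts since {a.first_prompt}")
```

The alert fires on the approval rather than on the burst alone because the approval is the event that actually hands the attacker a session; a response playbook should revoke that session and reset the user's MFA registration, not just notify.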

With network access, the threat actors use AD Explorer to identify accounts with higher privileges and then target development and collaboration platforms (SharePoint, Confluence, JIRA, Slack, and Microsoft Teams), where additional credentials are harvested.


Those credentials are also used to gain access to source code repositories on GitLab, GitHub, and Azure DevOps, as was the case with Microsoft.

“DEV-0537 is also known to exploit vulnerabilities in Confluence, JIRA and GitLab to increase privileges,” explains Microsoft in the report.

By compromising the servers that run these applications, the group is able to “obtain the credentials of a privileged account or run in the context of said account and dump the credentials from there”.

In the final stage, the threat actors collect the valuable data and exfiltrate it over a NordVPN connection to mask their location, then carry out destructive attacks on the target's infrastructure, which triggers incident response procedures. They monitor those procedures through the victim's Slack channels or Microsoft Teams.

Recommendations about Lapsus$ attacks

In its report, Microsoft makes several recommendations to organizations for protecting themselves against extortion groups like Lapsus$:

  • Strengthen MFA implementation;
  • Require healthy and trusted endpoints;
  • Leverage modern authentication options for VPNs;
  • Strengthen and monitor your cloud security posture;
  • Improve awareness of social engineering attacks;
  • Establish operational security processes in response to DEV-0537 intrusions.

Via BleepingComputer
