Microsoft has confirmed that the Lapsus$ hacking group compromised an employee’s user account and stole source code, days after the group claimed to have infiltrated the software giant. No customer data or code was affected, Microsoft said, and the operation was halted by its security team. The company made the admission in a blog post outlining Lapsus$’s tactics and offering advice on how to protect against them.
Microsoft Lapsus$ breach: “No customer code or data was involved”
Microsoft says its cybersecurity team was already investigating the intrusion when Lapsus$ bragged on Sunday about compromising an employee’s account and stealing the company’s source code. “This public disclosure has intensified our action, allowing our team to step in and interrupt the actor mid-operation, thereby limiting broader impact,” the company wrote in its blog post. “Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.”
“No code or customer data was involved in the observed activities,” Microsoft added. “Microsoft does not rely on code secrecy as a security measure, and viewing source code does not lead to increased risk.”
The confirmation adds another notch to the list of Big Tech targets Lapsus$ has successfully breached. Having started by targeting Brazilian institutions in 2020, Lapsus$ gained global notoriety earlier this month when it attacked chipmaker NVIDIA and electronics maker Samsung. Earlier this week, it claimed single sign-on provider Okta as its latest victim. Okta said yesterday that an account had been compromised in January; it later confirmed that some customer data could have been accessed.
In its blog post yesterday, Microsoft described Lapsus$ as a “theft and destruction motivated cybercriminal actor” that is “known for employing a model of pure extortion and destruction without deploying ransomware payloads.” Lapsus$ is exceptionally keen to draw public attention to its activities, Microsoft said, and uses a number of techniques that are unusual among the groups it tracks.
How does Lapsus$ hack its victims?
Lapsus$’s modus operandi is to use social engineering techniques on its target’s employees to gain access to employees’ user accounts, Microsoft explained. It leverages the privileged access of these accounts to “enable data theft and destructive attacks against a targeted organization, often resulting in extortion.”
Lapsus$ uses a number of techniques to gain initial access to its targets’ systems. These include paying employees to share credentials, buying credentials from dark web marketplaces, and searching code repositories for exposed login credentials.
To recruit insiders, Lapsus$ has advertised that it wants to buy credentials for its targets, inducing employees or contractors to take part in its operations. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt, or install AnyDesk or other remote management software on a corporate workstation so that the actor can take control of an authenticated system. In posts on its Telegram channel, Lapsus$ has called out workers at telecom providers, software companies including Microsoft, hosting providers and contractors.
Once the group has acquired credentials, it typically uses them to access web-based systems such as VPNs, remote desktop infrastructure such as Citrix, or identity services such as Azure Active Directory or Okta. In some cases, Lapsus$ was able to bypass its victim’s multi-factor authentication (MFA) protections by replaying previously captured, legitimate session tokens (a session token replay attack) or by using stolen passwords to trigger MFA prompts in the hope that the user approves the access request.
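The password-plus-MFA-prompt pattern described above leaves a distinctive trace in identity-provider sign-in logs: a cluster of MFA prompts for one account in a short period, sometimes followed by a successful sign-in once the user gives in. The following is an added example, not code from Microsoft or from the blog post: a small Python detector that parses Azure AD-style sign-in records (JSON lines; the field names `userPrincipalName`, `createdDateTime`, `status.errorCode` and `ipAddress`, and the result codes 500121, 50074 and 0, are assumed from public documentation), finds accounts with a burst of prompts inside a sliding window, and rates a burst that ends in a successful sign-in as high severity. The sample log is constructed; thresholds are assumptions for the example, not Microsoft guidance.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds: assumptions chosen for this example, not Microsoft guidance.
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5

# Azure AD sign-in result codes used here (assumed from public documentation):
# 500121 = the user denied or failed the strong-authentication (MFA) request,
# 50074  = strong authentication was required but not completed,
# 0      = sign-in succeeded.
MFA_PROMPT_CODES = {500121, 50074}
SUCCESS_CODE = 0


def _rec(user, when, code, ip="198.51.100.7"):
    """Build one constructed sign-in record in the shape of an Azure AD sign-in log entry."""
    return json.dumps({
        "userPrincipalName": user,
        "createdDateTime": when,
        "status": {"errorCode": code},
        "ipAddress": ip,
    })


# Constructed sample log: alice is prompted six times in six minutes and then approves;
# carol is prompted five times but never approves; bob sees two unrelated prompts.
SAMPLE_SIGNIN_LOG = [
    _rec("alice@example.test", f"2022-03-20T02:0{m}:00Z", 500121) for m in range(6)
] + [
    _rec("alice@example.test", "2022-03-20T02:06:00Z", SUCCESS_CODE),
] + [
    _rec("carol@example.test", f"2022-03-20T03:0{m}:00Z", 500121) for m in (0, 2, 4, 6, 8)
] + [
    _rec("bob@example.test", "2022-03-20T04:00:00Z", 50074),
    _rec("bob@example.test", "2022-03-20T04:30:00Z", 50074),
    _rec("bob@example.test", "2022-03-20T04:31:00Z", SUCCESS_CODE),
]


def parse_signins(lines):
    """Parse JSON-lines sign-in records into time-sorted events with typed fields."""
    events = []
    for line in lines:
        rec = json.loads(line)
        events.append({
            "user": rec["userPrincipalName"].lower(),
            "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "code": int(rec["status"]["errorCode"]),
            "ip": rec.get("ipAddress", ""),
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_mfa_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Flag users who received `threshold` or more MFA prompts inside `window`.

    A burst followed by a successful sign-in is rated high: the user may have
    approved a prompt they did not initiate.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in sorted(by_user.items()):
        prompts = [e for e in evs if e["code"] in MFA_PROMPT_CODES]
        start = 0  # left edge of the sliding window over this user's prompt list
        for i, prompt in enumerate(prompts):
            while prompt["time"] - prompts[start]["time"] > window:
                start += 1
            if i - start + 1 < threshold:
                continue
            burst_start, burst_end = prompts[start]["time"], prompt["time"]
            approved = any(
                e["code"] == SUCCESS_CODE and burst_start <= e["time"] <= burst_end + window
                for e in evs
            )
            findings.append({
                "user": user,
                "prompts": i - start + 1,
                "first_prompt": burst_start.isoformat(),
                "approved_after_burst": approved,
                "severity": "high" if approved else "medium",
            })
            break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_mfa_bursts(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(finding)
```

Run against the constructed log, the detector reports alice (five prompts in the window, then a success: high) and carol (five prompts, no success: medium) and ignores bob, whose two prompts fall outside the window. In production the same logic would be fed from the sign-in log export rather than an inline list, and the source IP of the successful sign-in would be compared with the user's usual locations before escalating.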
Once inside an organization, the group examines code repositories and collaboration tools to find and compromise accounts with the highest access privileges. “In some cases, [Lapsus$] even called the organization’s help desk and tried to convince the support staff to reset credentials for a privileged account,” the Microsoft blog said.
Sensitive code or data is uploaded to virtual private servers “for future extortion or public release,” Microsoft said. “After exfiltration, [Lapsus$] often deletes target systems and resources. We observed the removal of resources both on-premises (e.g., VMware vSphere/ESX) and in the cloud to trigger the organization’s incident and crisis response process.”
Microsoft said Lapsus$ initially used these techniques to target cryptocurrency exchanges, before moving on to Brazilian government agencies and now technology vendors. “[T]his group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support businesses – to leverage their access from one organization to access partner organizations or suppliers,” it said.
How should companies protect themselves against Lapsus$?
To defend against Lapsus$’s tactics, Microsoft recommends that organizations harden their MFA by enforcing it for all users, while avoiding SMS as an approval method, since SMS messages can be easily impersonated. Organizations should restrict network access to trusted devices and implement modern, risk-based authentication for web-based systems.
Microsoft is also advising companies to tighten their access policies for cloud-based systems, blocking all “high risk” login attempts from typical users and all “medium risk” attempts from privileged users.
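In Azure AD these recommendations are expressed as Conditional Access policies, and a common failure is a policy that exists but was left in report-only mode or that merely prompts for MFA where a block was intended. The following is an added example, not code from Microsoft or from the blog post: a small Python auditor that takes a list of Conditional Access policies in the shape returned by the Microsoft Graph `conditionalAccess/policies` endpoint (the field names `state`, `conditions.signInRiskLevels`, `conditions.users.includeUsers`/`includeRoles`, `conditions.applications.includeApplications` and `grantControls.builtInControls`, and the Global Administrator role template ID, are assumed from the public Graph documentation) and reports whether high-risk sign-ins are blocked for everyone, medium-risk sign-ins are blocked for privileged roles, and baseline MFA applies to all users. Both policy sets are constructed: the first shows the weak configuration, the second the corrected one.

```python
# Well-known Azure AD role template ID for Global Administrator (assumed from public docs);
# extend this set with the other privileged roles your tenant cares about.
PRIVILEGED_ROLE_IDS = {"62e90394-69f5-4237-9190-012177145e10"}

REPORT_ONLY = "enabledForReportingButNotEnforced"  # logs decisions but never blocks


def _conditions(policy):
    return policy.get("conditions") or {}


def _users(policy):
    return _conditions(policy).get("users") or {}


def has_control(policy, control):
    """True if the policy's grant controls include `control` ("block", "mfa", ...)."""
    return control in ((policy.get("grantControls") or {}).get("builtInControls") or [])


def covers_all_apps(policy):
    apps = _conditions(policy).get("applications") or {}
    return "All" in (apps.get("includeApplications") or []) and not apps.get("excludeApplications")


def covers_all_users(policy):
    users = _users(policy)
    return "All" in (users.get("includeUsers") or []) and not users.get("excludeUsers")


def covers_privileged_users(policy):
    # A policy scoped to everyone covers admins too; otherwise it must include the privileged roles.
    return covers_all_users(policy) or PRIVILEGED_ROLE_IDS <= set(_users(policy).get("includeRoles") or [])


def risk_levels(policy):
    return set(_conditions(policy).get("signInRiskLevels") or [])


def audit_policies(policies):
    """Check a tenant's Conditional Access policies against the recommendations above."""
    report = {
        "mfa_required_for_all": False,
        "high_risk_blocked_for_all": False,
        "medium_risk_blocked_for_privileged": False,
        "report_only_policies": [],
    }
    for p in policies:
        if p.get("state") == REPORT_ONLY:
            report["report_only_policies"].append(p.get("displayName", "<unnamed>"))
        # Only enforced policies that apply to every application count as coverage.
        if p.get("state") != "enabled" or not covers_all_apps(p):
            continue
        if has_control(p, "mfa") and covers_all_users(p) and not risk_levels(p):
            report["mfa_required_for_all"] = True
        if has_control(p, "block") and "high" in risk_levels(p) and covers_all_users(p):
            report["high_risk_blocked_for_all"] = True
        if has_control(p, "block") and "medium" in risk_levels(p) and covers_privileged_users(p):
            report["medium_risk_blocked_for_privileged"] = True
    return report


def _policy(name, state, controls, users=None, roles=None, risk=None):
    """Constructed policy in the shape of a Graph conditionalAccessPolicy resource."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": users or [], "includeRoles": roles or []},
            "signInRiskLevels": risk or [],
        },
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }


# Weak tenant: baseline MFA is enforced, but the high-risk block was left in report-only
# mode and the admin policy only re-prompts for MFA instead of blocking.
WEAK_POLICIES = [
    _policy("Require MFA for all users", "enabled", ["mfa"], users=["All"]),
    _policy("Block high-risk sign-ins", REPORT_ONLY, ["block"], users=["All"], risk=["high"]),
    _policy("Admins: medium risk", "enabled", ["mfa"], roles=list(PRIVILEGED_ROLE_IDS), risk=["medium", "high"]),
]

# Hardened tenant: same intent, but the risk policies are enforced and actually block.
HARDENED_POLICIES = [
    _policy("Require MFA for all users", "enabled", ["mfa"], users=["All"]),
    _policy("Block high-risk sign-ins", "enabled", ["block"], users=["All"], risk=["high"]),
    _policy("Admins: block medium risk", "enabled", ["block"], roles=list(PRIVILEGED_ROLE_IDS), risk=["medium", "high"]),
]

if __name__ == "__main__":
    print("weak:", audit_policies(WEAK_POLICIES))
    print("hardened:", audit_policies(HARDENED_POLICIES))
```

The auditor deliberately treats report-only policies and policies with user or application exclusions as non-coverage, since either leaves a path an attacker with valid credentials can still take; in practice the policy list would come from a Graph call rather than the constructed dicts, and the set of privileged role IDs would be extended beyond Global Administrator.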
Employees, especially IT help desk staff, should be trained to be aware of the latest social engineering attacks, Microsoft said. And communications between cybersecurity incident response personnel should be tightly controlled and monitored, as Lapsus$ is known to “watch and interfere” in such operations.
Okta Lapsus$ Update: Some Customer Data May Have Been Affected
After Lapsus$ claimed to have breached Okta this week, the company’s CEO said there was “no evidence” of malicious activity. However, in a blog post published yesterday, corporate security officer David Bradbury said: “We have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been accessed or processed.”
Okta revealed that a third-party customer support engineer’s account was compromised and that an attacker had access to the engineer’s laptop for five days in January. “The potential impact to Okta customers is limited to the access available to support engineers,” the company said. “These engineers are not able to create or delete users, or upload customer databases. Support engineers have access to limited data – e.g. Jira issues and user lists – which were seen in the screenshots.”