In an extensive statement posted on its security website, Microsoft acknowledged having been a victim of the Lapsus$ group. After breaking into an Azure DevOps server, the group's hackers extracted and leaked source code for services such as Bing and Cortana. The company claims, however, that the action was mitigated and that customer data was not compromised.
It’s not the first time Microsoft has dealt with a security breach on its systems. But this is probably one of the most serious incidents the company has ever faced. Earlier this week, Lapsus$ shared a file that, when unzipped, corresponds to a volume with 37GB of data.
As is already clear, the package mainly contains source code. On Telegram, the attackers claimed that it holds 90% of the Bing Maps source code and nearly 45% of the code for Bing and the Cortana assistant.
As soon as it learned of the problem, the company launched an investigation. The result was released on Tuesday night (the 22nd) on the Microsoft Security blog:
This week, the actor [Lapsus$] made public claims that it had gained access to Microsoft and leaked parts of the source code. No customer code or data was involved in the observed activities. Our investigation found that a single account was compromised, granting limited access. Our cybersecurity teams acted quickly to remediate the compromised account and prevent further activity.
The affected account remains under investigation, but the company added that the leaked code did not pose a heightened risk to its operations and that the hackers’ action was mitigated while it was in progress.
Lapsus$ uses social engineering against targets
Microsoft did not reveal what data was leaked, much less describe the extent of the hack it suffered. On the other hand, the publication gives interesting details about how the group has been operating: the company had been studying Lapsus$ activity for a few weeks and, ironically, ended up being one of its victims.
Microsoft analysts report that the group's mode of operation does not involve ransomware, as is common in extortion-based intrusions; instead, the group prefers to gain access to legitimate user accounts.
To this end, the group pays employees, vendors or partners of the target organizations for credentials and two-factor authentication codes, and uses social engineering tactics to the same end, Microsoft says.
The company also reports that, in some cases, group members have even called the target organization’s technical support to try to reset login data for a privileged account.
SIM swapping (taking over the phone number used to access an account) and accessing employees' personal email accounts (presumably to search for passwords or credential-reset links) are also among the techniques adopted by the group, according to Microsoft.
The company also confirmed what was already clear: Lapsus$ began its operations with targets in the United Kingdom and South America. It is worth remembering that the group became known at the end of 2021 after breaking into the systems of the Brazilian Ministry of Health and leaving the ConectSUS tool inaccessible for about two weeks.
Nvidia, Samsung and Okta were also targeted
The group also leaked data from Nvidia earlier this month, and days later it did the same to Samsung. Companies such as Mercado Livre, Claro and Okta are reportedly among its other targets. Okta even denied having been hacked, which drew mocking laughter from Lapsus$ members.
Being targeted by the group did not stop Microsoft from making security recommendations for customers, including avoiding the use of "weak" two-factor authentication mechanisms (such as SMS and email) and raising awareness of social engineering attacks.
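An added example (not from Microsoft's report) of how a defender might turn the tactics described above into an identity audit: it flags accounts whose only registered factors are the "weak" SMS, voice or email codes (the ones exposed by SIM swapping and personal-mailbox access) and flags credential or MFA resets on privileged accounts that were performed by support staff. The registration list, audit events and their field names are constructed for illustration.

```python
"""Audit MFA registrations and help-desk reset events against the Lapsus$
tactics described above. Added example with constructed sample data."""
from collections import defaultdict

# Factors the report calls "weak": phone-based and email-based codes.
WEAK_FACTORS = {"sms", "voice", "email"}

# Constructed sample: (user, factor) MFA registrations. Not real data.
MFA_REGISTRATIONS = [
    ("alice", "sms"), ("alice", "fido2"),
    ("bob", "sms"),
    ("carol", "email"), ("carol", "sms"),
    ("dave", "authenticator_app"),
]

# Constructed sample: identity audit events (assumed field names).
AUDIT_EVENTS = [
    {"actor": "helpdesk", "action": "password_reset", "target": "bob", "channel": "support_ticket"},
    {"actor": "self", "action": "password_reset", "target": "alice", "channel": "portal"},
    {"actor": "helpdesk", "action": "mfa_reset", "target": "carol", "channel": "phone_call"},
]

# Constructed sample: accounts holding elevated privileges.
PRIVILEGED = {"bob", "carol"}


def weak_only_accounts(registrations):
    """Return users whose every registered factor is SMS, voice or email."""
    factors = defaultdict(set)
    for user, factor in registrations:
        factors[user].add(factor)
    return sorted(u for u, f in factors.items() if f and f <= WEAK_FACTORS)


def support_resets_on_privileged(events, privileged):
    """Return credential or MFA resets on privileged accounts done by support staff."""
    return [
        e for e in events
        if e["actor"] == "helpdesk"
        and e["action"] in {"password_reset", "mfa_reset"}
        and e["target"] in privileged
    ]


if __name__ == "__main__":
    print("SMS/email-only MFA:", weak_only_accounts(MFA_REGISTRATIONS))
    for event in support_resets_on_privileged(AUDIT_EVENTS, PRIVILEGED):
        print("review support-initiated reset:", event)
```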
Finally, Microsoft has committed to continue tracking Lapsus$ activities, tactics and tools (in its report, the company identifies the group as DEV-0537) and to issue alerts if relevant information is discovered.