Microsoft on Tuesday confirmed that the hacking group LAPSUS$ had gained “limited access” to a single account, but the attempt was interrupted by its security teams.
Earlier, on Sunday morning, the LAPSUS$ gang had posted a file holding nearly 37GB of data stolen from Microsoft’s Azure DevOps Server and claimed that it contained partial source code for Bing, Cortana, and other projects.
“No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk,” explained Microsoft in a blog post.
Microsoft’s Threat Intelligence Center (MSTIC) said its investigators have for weeks been tracking a threat group it calls DEV-0537, also known as LAPSUS$. This is the same hacker group that has, over the past few weeks, publicly dumped internal data of companies such as Nvidia, Samsung, Vodafone, Ubisoft, and Okta.
DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. It started targeting organizations in the United Kingdom and South America but has expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors. The hacking group is also known for hijacking individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.
“Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organisations,” the company said.
According to Microsoft, the group’s other tactics include phone-based social engineering schemes such as SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees and vendors of target organizations for access to credentials and multifactor authentication (MFA) approval, and intruding on the ongoing crisis-communication calls of their targets.
“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” Microsoft added.
You can find out more about the tactics and techniques used in this intrusion in Microsoft’s detailed blog post. To avoid such incidents, Microsoft recommends that organizations strengthen their MFA implementation, leverage modern authentication options for VPNs such as OAuth or SAML, improve awareness of social engineering attacks, strengthen and monitor their cloud security posture, and prepare their security operations to respond to LAPSUS$ intrusions.