Microsoft has confirmed a security incident that hit the internet last weekend, when the hacker group calling itself LAPSUS$ claimed to have stolen 37 Gbytes of data from an Azure DevOps server containing source code for several internal Microsoft projects, including the Bing search engine, the Cortana assistant, and the Bing Maps mapping service.
The Microsoft hack occurred when the group Lapsus$ compromised the account of one of its employees, which gave it limited access to source code repositories. “No client code or data was involved in the observed activities. Our investigation found that a single account was compromised, granting limited access. Our cybersecurity response teams locked down the compromised account to prevent further activity,” explains Microsoft in an article on its security blog.
The software giant clarifies that the leak of the source code does not increase its security risk, and that in fact part of that code is already publicly available on GitHub. It also explains that its security team was already investigating LAPSUS$ after the group breached other large companies such as NVIDIA, Samsung and Vodafone. “This allowed our team to step in and disrupt the attack in the middle of the operation, limiting a broader impact,” they assure.
How did the Microsoft hack happen?
Microsoft has not specified exactly how the employee account in question was compromised, but it has provided an overview of the tactics, techniques and procedures used by LAPSUS$, a group of cybercriminals that the company tracks under the name ‘DEV-0537’.
As in the data theft from NVIDIA, the group focuses its efforts on obtaining credentials for initial access to corporate networks. A company can have the best IT security on the planet, but if the human factor fails and attackers get hold of a high-level employee’s authentication data, that security is defeated. These credentials are obtained using the following methods:
- Deployment of the ‘Redline’ password-stealing malware to obtain passwords and session tokens.
- Purchase of credentials and session tokens in clandestine forums.
- Payment to employees of specific organizations (or vendors/business partners) for credential access and corresponding multi-factor authentication (MFA) approval.
- Search for exposed credentials in public code repositories.
The group’s way of operating is known. The Redline malware is distributed via phishing emails, warez sites and YouTube videos to steal credentials. Once Lapsus$ gains access to the compromised credentials, it uses them to log in to a company’s public-facing devices and systems, including VPNs, virtual desktop infrastructure or identity management services, as happened with the company Okta, which the group breached in January.
Microsoft says the group uses session token replay attacks against accounts protected by MFA, or continually triggers MFA notifications until the user tires of them and approves the sign-in. Lapsus$ has also performed SIM swapping attacks to gain control of a user’s phone number and text messages, with the goal of obtaining the multi-factor codes needed to log in to the account.
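The MFA-notification flooding described above leaves a recognisable trace in sign-in telemetry: a burst of denied or timed-out push prompts for one account, followed shortly by an approval. The following detection sketch is an added example (not Microsoft’s code or its published guidance); the event records, the 10-minute window and the three-prompt threshold are constructed assumptions to be tuned against a tenant’s own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): each row is the outcome of one
# MFA push prompt for a user, i.e. "denied", "timeout" or "approved".
SAMPLE_EVENTS = [
    ("2022-03-20T01:02:00", "alice", "timeout"),
    ("2022-03-20T01:02:40", "alice", "denied"),
    ("2022-03-20T01:03:10", "alice", "denied"),
    ("2022-03-20T01:03:55", "alice", "timeout"),
    ("2022-03-20T01:04:30", "alice", "approved"),  # user gives in: fatigue pattern
    ("2022-03-20T08:15:00", "bob", "denied"),
    ("2022-03-20T08:16:00", "bob", "approved"),    # one miss then approval: benign
    ("2022-03-20T09:00:00", "carol", "approved"),
]


def detect_mfa_fatigue(events, min_prompts=3, window=timedelta(minutes=10)):
    """Return (user, approval_time, prior_prompt_count) for every approval that
    was preceded by at least `min_prompts` denied/timed-out prompts inside
    `window`. Thresholds are assumptions, not vendor defaults."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events):
        per_user[user].append((datetime.fromisoformat(ts), result))

    alerts = []
    for user, rows in per_user.items():
        pending = []  # timestamps of recent prompts the user did not approve
        for ts, result in rows:
            # Drop prompts that fell outside the sliding window.
            pending = [t for t in pending if ts - t <= window]
            if result == "approved":
                if len(pending) >= min_prompts:
                    alerts.append((user, ts.isoformat(), len(pending)))
                pending = []  # an approval closes the current burst
            else:
                pending.append(ts)
    return alerts


if __name__ == "__main__":
    for user, when, count in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f"possible MFA fatigue: {user} approved at {when} after {count} prompts")
```

A hit is a trigger for review (revoke the session, confirm with the user out of band), not proof of compromise on its own.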
Lapsus$, a dangerous group
The hacking of Microsoft is the latest known attack by a group that in a few months has breached the servers of NVIDIA, Samsung, Ubisoft, Vodafone, Okta and Mercado Libre. In the same announcement as the Microsoft incident, the group released a text file containing details of LG employee and service accounts, including usernames and hashed passwords.
In recent days the group has posted a torrent link containing Microsoft’s source code for Cortana, Bing and Bing Maps, among others. The leak contains data from 258 projects and is 37 Gbytes in size.
Security researchers who have analyzed it confirm that it comes from Microsoft. The archive also contains emails, certificates and details of private and public keys. It has not been confirmed whether this last set of data is recent or whether it comes from earlier attacks, such as the SolarWinds attack that also affected Microsoft.
On its security blog, Microsoft outlines a series of steps that other organizations can follow to improve their security, including a strong multi-factor authentication system that avoids methods based on text messages or secondary emails (which are known to be insecure), educating team members against social engineering attacks, and creating a rapid response strategy against Lapsus$ attacks, which the group itself says will continue.