For the past few weeks, hacking collective LAPSUS$ (Lapsus) has been publicly dumping internal data belonging to various companies including Samsung, Nvidia, Vodafone, Ubisoft, Okta, and most recently, Microsoft. A few hours ago, it leaked source code for multiple Microsoft projects including Cortana, Bing, and Bing Maps. Now, the Redmond tech giant has acknowledged the hack and shared some more details about the threat actor too.
Microsoft says that the Lapsus group has recently expanded its scope to target a large number of corporate and individual entities across the globe. It typically relies on phone-based social engineering, SIM-swapping, and bribing employees to gain access to multi-factor authentication (MFA) systems and internal systems. Other methods include deploying password stealers, analyzing public code repositories for exposed credentials, and purchasing credentials on criminal forums. Its aim in these compromises is usually theft and destruction.
Once it has gained initial access, the Lapsus group uses AD Explorer to enumerate the target organization's users and then combs through collaboration platforms such as Slack, SharePoint, Teams, GitLab, Jira, and Confluence to perform reconnaissance and find sensitive information. It also exploits platform-level vulnerabilities to escalate privileges. In fact, Microsoft says that in some cases Lapsus even called a company's help desk to reset the password of a privileged user. Although Microsoft hasn't confirmed whether this attempt was successful, it has noted that the Lapsus actor had a native English accent and could answer recovery prompts about the compromised individual's mother's maiden name and the first street they lived on.
Regarding the attack on its own infrastructure, Microsoft has confirmed the cybersecurity incident but emphasized that no customer data was stolen. A statement from the company reads:
Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 (LAPSUS$) used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.
You can find many more details in Microsoft's lengthy blog post here, but overall the firm suggests that companies strengthen their MFA mechanisms, require trusted endpoints and modern authentication options for VPNs, improve employee awareness of social engineering attacks, and have their security operations teams monitor their security posture for signs of a Lapsus intrusion.
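As an added example (not from the article or from Microsoft's guidance), here is one simple correlation a security operations team could run over its own identity audit logs to catch the help-desk reset pattern described above: flag privileged accounts whose password was reset by the help desk and which then registered a new MFA method within an hour. The log format, user names and the `PRIVILEGED_USERS` set are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real telemetry); the schema is assumed.
SAMPLE_EVENTS = [
    "2022-03-22T09:02:11Z helpdesk_password_reset user=j.doe actor=helpdesk-3",
    "2022-03-22T09:10:45Z mfa_method_registered user=j.doe method=sms",
    "2022-03-22T09:11:30Z signin_success user=j.doe device=unknown",
    "2022-03-22T11:00:00Z helpdesk_password_reset user=a.smith actor=helpdesk-1",
    "2022-03-22T16:30:00Z mfa_method_registered user=a.smith method=authenticator",
    "2022-03-22T12:00:00Z mfa_method_registered user=b.lee method=sms",
]

# Hypothetical list of accounts that hold elevated rights.
PRIVILEGED_USERS = {"j.doe", "a.smith"}
WINDOW = timedelta(minutes=60)


def parse_event(line):
    """Turn one 'timestamp kind key=value ...' line into a dict."""
    ts, kind, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind, **attrs}


def find_suspicious_resets(lines, privileged=PRIVILEGED_USERS, window=WINDOW):
    """Return (user, method, reset_time, mfa_time) for privileged users who
    registered a new MFA method within `window` of a help-desk password reset."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    last_reset = {}  # user -> timestamp of most recent help-desk reset
    hits = []
    for e in events:
        user = e["user"]
        if e["kind"] == "helpdesk_password_reset":
            last_reset[user] = e["ts"]
        elif e["kind"] == "mfa_method_registered" and user in privileged:
            reset_ts = last_reset.get(user)
            if reset_ts is not None and e["ts"] - reset_ts <= window:
                hits.append((user, e["method"], reset_ts, e["ts"]))
    return hits


if __name__ == "__main__":
    for user, method, reset_ts, mfa_ts in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"ALERT: {user} reset at {reset_ts}, new {method} MFA at {mfa_ts}")
```

In the sample data only j.doe trips the rule; a.smith's MFA change falls outside the window and b.lee is neither privileged nor reset.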