In an extensive statement posted on its security website, Microsoft acknowledged being a victim of the Lapsus$ Group. After breaking into an Azure DevOps server, hackers in the group extracted and leaked source code for services such as Bing and Cortana. The company claims, however, that the action was mitigated and that customer data was not compromised.
This is not the first time Microsoft has dealt with a security breach on its systems. But this is probably one of the most serious incidents the company has ever faced. Earlier this week, Lapsus$ shared a file that, when unzipped, corresponds to a volume with 37 GB of data.
As it became clear, the package mainly includes source code. On Telegram, attackers claimed that the package contains 90% of the source code for Bing Maps and almost 45% of the code for Bing and the Cortana assistant.
As soon as the company learned of the problem, it launched an investigation. The result was announced on Tuesday night (22) on the Microsoft Security blog:
This week, actor [Lapsus$] made public allegations that he had gained access to Microsoft and leaked parts of source code. No customer code or data was involved in the observed activities. Our investigation found that a single account was compromised, granting limited access. Our cybersecurity teams acted quickly to remediate the compromised account and prevent further activity.
The affected account remains under investigation, but the company said the leaked code does not pose an increased risk to its operations and that the intrusion was mitigated while it was still in progress.
Lapsus$ uses social engineering against targets
Microsoft did not reveal what data was leaked, much less describe the extent of the intrusion it suffered. On the other hand, the publication gives interesting details about how the group has been operating: the company had been studying Lapsus$ activity for a few weeks and, ironically, ended up being one of its victims.
Microsoft analysts report that the group's mode of operation does not involve ransomware, as is common in extortion-based intrusions; instead, the group prefers to gain access to legitimate user accounts.
To do so, the group pays employees, vendors, or partners of the target organizations for credentials and two-factor authentication codes, and uses social engineering tactics to the same end, Microsoft says.
The company also reports that, in some cases, group members have even called the target organization's technical support to try to reset the login details of a privileged account.
SIM swapping (to take over an account through the victim's phone number) and accessing employees' personal email accounts (presumably to search for passwords or credential-reset links) are also among the techniques the group uses, according to Microsoft.
The company also confirmed what was already clear: Lapsus$ began its operations with targets in the United Kingdom and South America. It is worth remembering that the group became known at the end of 2021 after hacking into the systems of Brazil's Ministry of Health and making the ConectSUS tool inaccessible for about two weeks.
Nvidia, Samsung and Okta were also targeted
The group also leaked data from Nvidia earlier this month and, days later, did the same to Samsung. Companies such as Mercado Livre, Claro and Okta are reportedly among its other targets. Okta even denied having been hacked, which prompted members of Lapsus$ to respond with a laughing emoji.
Being targeted by the group did not stop Microsoft from issuing security recommendations to customers, including avoiding "weak" two-factor authentication mechanisms (such as SMS and email codes) and raising awareness of social engineering attacks.
Finally, Microsoft has committed to continue tracking Lapsus$ activities, tactics and tools (in its report, the company identifies the group as DEV-0537) and to issue alerts if relevant information is discovered.