Microsoft has confirmed that the Lapsus$ hacking group gained access to and stole portions of its source code through a compromised employee account.
The Lapsus$ group leaked 37GB of stolen source code from Microsoft's Azure DevOps server last night. The code belongs to a number of internal Microsoft projects, including Bing, Cortana, and Bing Maps.
In a blog post published tonight, Microsoft confirmed that one of its employees' accounts was compromised by Lapsus$, giving the group limited access to source code repositories.
"The observed operations did not include any customer code or data. A single account had been hacked, giving restricted access, according to our research. Our cybersecurity response teams acted promptly to restore the account's security and prevent additional activities," Microsoft wrote in a security bulletin detailing the Lapsus$ threat actors.
“Microsoft does not consider code secrecy to be a security precaution, and examining source code does not result in an increase in risk. The DEV-0537 strategies utilized in this intrusion are similar to those mentioned in this blog.”
“When the perpetrator publicly publicized their penetration, our team was already examining the compromised account based on threat intelligence. Our team was able to intervene and disrupt the actor mid-operation as a result of the public revelation, minimizing the larger harm.”
While Microsoft has not revealed how the account was compromised, the company has provided a general overview of the Lapsus$ group's tactics, techniques, and procedures (TTPs) as observed across multiple attacks.
Focusing on compromised credentials
Microsoft tracks the Lapsus$ data extortion group as 'DEV-0537' and says the group's primary focus is obtaining compromised credentials for initial access to corporate networks.
These credentials are obtained through the following methods:
- Deploying the malicious Redline password stealer to harvest passwords and session tokens
- Purchasing credentials and session tokens on criminal underground forums
- Paying employees at targeted organizations (or their suppliers/business partners) for credentials and MFA approval
- Searching public code repositories for exposed credentials
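The last item on that list is the one a defender can check for directly. The following scanner is an added illustration (not Microsoft's or Lapsus$'s tooling) of the kind of credential patterns an attacker searches public repositories for: it runs a small set of regular expressions over a constructed sample config file, reports one finding per line under its most specific label, skips obvious placeholder values, and redacts the matched value so the report itself does not re-leak the secret. The patterns, the placeholder list and the sample file are all assumptions made for the example.

```python
"""Scan source text for credential patterns of the kind attackers hunt for in
public repositories. Added example; the patterns and sample file are constructed."""
import re

# Ordered most-specific first so each line is reported once, under its best label.
PATTERNS = [
    ("AWS access key ID", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("GitHub personal access token", re.compile(r"ghp_[A-Za-z0-9]{36}")),
    ("private key block", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    # Generic "<name containing a credential keyword> = '<8+ chars>'" assignment.
    ("generic credential assignment",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Values that are clearly placeholders; reporting them only produces noise.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "your_token_here"}


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located without reprinting the secret."""
    return f"{value[:4]}... ({len(value)} chars)"


def find_exposed_credentials(text: str) -> list:
    """Return [{'line': n, 'kind': label, 'preview': redacted}] for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            # The generic pattern captures the value; the others match the whole token.
            value = m.group(1) if m.groups() else m.group(0)
            if value.lower() in PLACEHOLDERS:
                break  # placeholder, not a live credential
            findings.append({"line": lineno, "kind": kind, "preview": redact(value)})
            break  # one finding per line
    return findings


# Constructed sample file; none of these values belong to any real account or repository.
SAMPLE_SOURCE = """\
# config.py -- constructed sample, not code from any real repository
DB_HOST = "db.internal.example"
DB_PASSWORD = "Winter2022!Prod"
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
github_token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
SMTP_PASSWORD = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} -> {f['preview']}")
```

Run as a pre-commit hook or over `git log -p` output, this catches the literal-in-source cases; it does not catch secrets assembled at runtime or stored in files outside the scanned text, so it complements rather than replaces a secret manager.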
The Redline password stealer has become the go-to malware for harvesting credentials, and it is distributed via phishing emails, watering holes, warez sites, and YouTube videos.
Lapsus$ uses the compromised credentials to log in to a company's public-facing devices and systems, such as VPNs, Virtual Desktop Infrastructure, and identity management services like Okta, which the group breached in January.
Microsoft says that for accounts protected by MFA, the group uses session replay attacks or repeatedly triggers MFA push notifications until the worn-down user approves the prompt and lets the login through.
Microsoft also says Lapsus$ has used SIM swap attacks to take control of a user's phone number and SMS messages, giving the group the MFA codes needed to log in to the account.
Once inside a network, the threat actors use AD Explorer to enumerate accounts with higher privileges before moving on to development and collaboration platforms such as SharePoint, Confluence, JIRA, Slack, and Microsoft Teams, where they harvest more credentials.
As seen in the Microsoft breach, the group also uses these credentials to access source code repositories on GitLab, GitHub, and Azure DevOps.
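The MFA prompt-bombing technique described above leaves a distinctive trace in sign-in logs: a burst of push prompts for one user in a short period, often ending with a single approval. The following detector is an added example (not Microsoft's detection logic or any vendor's product) that clusters constructed sign-in events per user by the gap between consecutive prompts, raises an alert when a cluster reaches a threshold, and rates it "critical" when the burst contains an approval, since that is the case where the attacker got in. The event format, field names, threshold and gap are assumptions chosen for the example.

```python
"""Flag MFA push-fatigue bursts in sign-in events. Added example; the event
schema and sample data are constructed, not taken from any real tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: ts is ISO-8601, result is the MFA push outcome.
SAMPLE_EVENTS = [
    # alice: eight prompts in five minutes, the last one approved -> attacker is in
    {"ts": "2022-03-22T09:00:00", "user": "alice", "result": "denied",   "src_ip": "198.51.100.7"},
    {"ts": "2022-03-22T09:00:40", "user": "alice", "result": "timeout",  "src_ip": "198.51.100.7"},
    {"ts": "2022-03-22T09:01:30", "user": "alice", "result": "denied",   "src_ip": "198.51.100.7"},
    {"ts": "2022-03-22T09:02:10", "user": "alice", "result": "timeout",  "src_ip": "198.51.100.7"},
    {"ts": "2022-03-22T09:03:00", "user": "alice", "result": "denied",   "src_ip": "198.51.100.7"},
    {"ts": "2022-03-22T09:03:50", "user": "alice", "result": "timeout",  "src_ip": "198.51.100.7"},
    {"ts": "2022-03-22T09:04:30", "user": "alice", "result": "denied",   "src_ip": "198.51.100.7"},
    {"ts": "2022-03-22T09:05:10", "user": "alice", "result": "approved", "src_ip": "198.51.100.7"},
    # bob: one denial then an approval, the normal "fat-fingered the first prompt" case
    {"ts": "2022-03-22T12:00:00", "user": "bob",   "result": "denied",   "src_ip": "203.0.113.20"},
    {"ts": "2022-03-22T12:00:20", "user": "bob",   "result": "approved", "src_ip": "203.0.113.20"},
    # carol: six prompts, none approved -> attempted bombing, user held out
    {"ts": "2022-03-22T14:00:00", "user": "carol", "result": "denied",   "src_ip": "192.0.2.99"},
    {"ts": "2022-03-22T14:01:00", "user": "carol", "result": "timeout",  "src_ip": "192.0.2.99"},
    {"ts": "2022-03-22T14:02:00", "user": "carol", "result": "denied",   "src_ip": "192.0.2.99"},
    {"ts": "2022-03-22T14:03:00", "user": "carol", "result": "timeout",  "src_ip": "192.0.2.99"},
    {"ts": "2022-03-22T14:04:00", "user": "carol", "result": "denied",   "src_ip": "192.0.2.99"},
    {"ts": "2022-03-22T14:05:00", "user": "carol", "result": "denied",   "src_ip": "192.0.2.99"},
    # carol, much later: a legitimate single approval, far outside the burst
    {"ts": "2022-03-22T23:00:00", "user": "carol", "result": "approved", "src_ip": "192.0.2.50"},
]


def detect_mfa_fatigue(events, threshold=5, max_gap=timedelta(minutes=2)):
    """Return one alert per user per burst of >= threshold prompts, where a burst is a
    run of prompts each within max_gap of the previous one. Both parameters are
    assumed tuning values; pick them from your own tenant's baseline."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        cluster = []
        for e in evs + [None]:  # None is a sentinel that flushes the final cluster
            if e is not None and (not cluster or e["ts"] - cluster[-1]["ts"] <= max_gap):
                cluster.append(e)
                continue
            if len(cluster) >= threshold:
                approved = any(c["result"] == "approved" for c in cluster)
                alerts.append({
                    "user": user,
                    "prompts": len(cluster),
                    "started": cluster[0]["ts"].isoformat(),
                    "ended": cluster[-1]["ts"].isoformat(),
                    "src_ips": sorted({c["src_ip"] for c in cluster}),
                    "approved": approved,
                    # An approval at the end of a burst means the bombing worked.
                    "severity": "critical" if approved else "high",
                })
            cluster = [e] if e is not None else []
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f"{a['severity'].upper()}: {a['user']} got {a['prompts']} prompts "
              f"{a['started']}..{a['ended']} from {a['src_ips']}, approved={a['approved']}")
```

The "critical" alerts are the ones to act on first: revoke the user's sessions and tokens, not just reset the password, because a session replay attack (the other bypass mentioned above) survives a password change.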
According to Microsoft, “DEV-0537 is also known to attack vulnerabilities in Confluence, JIRA, and GitLab for privilege escalation.”
“The organization infiltrated the servers that ran these apps in order to get privileged account credentials or to execute in the context of that account and dump credentials from there.”
The threat actors then collect valuable data and exfiltrate it over NordVPN connections to hide their origin, while launching destructive attacks on the victim's infrastructure to trigger its incident response process.
They then monitor that response through the victim's own Slack or Microsoft Teams channels.
Protecting against Lapsus$
Microsoft advises organizations to take the following precautions to protect themselves against threat actors such as Lapsus$:
- Strengthen the MFA implementation
- Require healthy and trusted endpoints
- Use modern authentication options for VPNs
- Strengthen and monitor your cloud security posture
- Improve awareness of social engineering attacks
- Establish operational security processes in response to DEV-0537 intrusions
Lapsus$ has recently carried out a string of attacks against businesses, including NVIDIA, Samsung, Vodafone, Ubisoft, Mercado Libre, and now Microsoft.
Security and network administrators should therefore read Microsoft's report to familiarize themselves with the tactics this group uses.