Microsoft announces that it has been hacked by the hacking group Lapsus$, and discloses the group’s attack methods and how to defend against them.

news

Microsoft announced that it has confirmed that the account of one of its employees was compromised by the hacking group Lapsus$, which used it to access and steal some of the company’s source code.

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

The Lapsus$ group has released 37 GB of source code stolen from Microsoft’s Azure DevOps server. The code belongs to various Microsoft projects, including Bing, Cortana, and Bing Maps.

In a blog post, Microsoft announced that it has confirmed that the account of one of its employees was compromised by Lapsus$, giving the group limited access to its source code repository.

It appears that Lapsus$ had limited access to the source code repository. Our investigation revealed that one account was compromised and granted limited access. Our cybersecurity response team worked quickly to remediate the compromised account and prevent further activity.

Microsoft does not rely on code confidentiality as a security measure and viewing source code does not pose an increased risk. The tactics used by DEV-0537 in this intrusion mirror the tactics and techniques discussed in this blog.

Our team was already investigating the compromised accounts based on threat intelligence. This disclosure allowed our team to intervene and disrupt the attacker mid-operation, limiting the larger impact.

Microsoft does not reveal how the account was compromised, but provides a general overview of the tactics, techniques, and procedures (TTPs) the Lapsus$ group has used in multiple attacks.

Focus on compromised credentials

Microsoft tracks the Lapsus$ group as “DEV-0537” and says it is primarily focused on obtaining compromised credentials for initial access to corporate networks.

These credentials appear to have been obtained by:

  • Deploying the malicious Redline password stealer to obtain passwords and session tokens
  • Purchasing credentials and session tokens on criminal underground forums
  • Paying employees of the target organization (or its suppliers/business partners) for credentials and approval of multi-factor authentication (MFA) prompts
  • Searching public code repositories for exposed credentials
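One defensive counterpart to the last item, added here as an example and not code from Microsoft’s report or from this article: a small pre-commit style scanner that flags credential-shaped strings before they reach a repository. The token prefixes it matches (AKIA for AWS access key IDs, ghp_ for GitHub personal access tokens, PEM private-key headers) are publicly documented formats; the sample files, file names and every secret value are constructed for the example and are not real credentials. Generic password = "..." assignments are only reported when the value is high-entropy, so obvious placeholders like changeme do not drown out real findings.

```python
import math
import re
from dataclasses import dataclass

# Token formats below are publicly documented prefixes. Every sample value in
# this file is constructed for the example and is not a real credential.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic name = "value" assignments; only reported when the value looks random.
GENERIC_PATTERN = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # the full secret is never stored or logged


def shannon_entropy(value: str) -> float:
    """Bits per character: placeholders like 'changeme' score low, random tokens high."""
    if not value:
        return 0.0
    total = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so an analyst can locate the string, mask the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(path: str, text: str, entropy_threshold: float = 3.0) -> list:
    """Return one Finding per credential-shaped string in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()  # values already reported by a specific pattern on this line
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append(Finding(path, line_no, kind, redact(m.group(0))))
        for m in GENERIC_PATTERN.finditer(line):
            value = m.group(2)
            # Skip duplicates of specific hits and low-entropy placeholders.
            if value in seen or shannon_entropy(value) < entropy_threshold:
                continue
            findings.append(Finding(path, line_no, "hardcoded_secret", redact(value)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping, e.g. the staged files of a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample tree: one real-looking secret per file, plus one placeholder.
SAMPLE_FILES = {
    "settings.py": (
        'DB_HOST = "db.internal.example"\n'
        'DB_PASSWORD = "Tr0ub4dor&3xample!"\n'   # constructed, high entropy: reported
        'ADMIN_PASSWORD = "changeme"\n'          # placeholder, low entropy: suppressed
    ),
    "deploy.sh": 'export GITHUB_TOKEN="ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n',
    ".env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678\n",
    "id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

Wired into a pre-commit hook or a CI job, a scanner like this blocks the commit when scan_files returns anything; the redacted field is what goes into the ticket, never the matched value itself.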

Redline password stealer is the group’s malware of choice for stealing credentials and is commonly distributed through phishing emails, watering hole attacks, warez sites, and YouTube videos.

Lapsus$ uses the credentials it obtains to log in to public-facing corporate devices and systems, such as VPNs, virtual desktop infrastructure, or identity management services such as Okta, which was breached in January.

According to Microsoft, for accounts protected by MFA the group either performs a session replay attack or keeps generating MFA prompts until the user, worn down by the notifications, approves the login.
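To make the MFA prompt-bombing pattern concrete from the defender’s side, here is an added example (not Microsoft’s detection logic and not part of the report): a detector that replays sign-in events and alerts when one user receives five or more MFA prompts within ten minutes, and alerts again with approved=True if that burst ends in an approval. The log format, user names, IP addresses (taken from documentation ranges) and thresholds are all assumptions constructed for the example; real Azure AD or Okta sign-in logs use different field names and would need their own parser.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    mfa_result: str  # "denied", "timeout" or "approved" (constructed vocabulary)


@dataclass(frozen=True)
class Alert:
    user: str
    prompts_in_window: int
    approved: bool      # True when the burst ended with the user approving
    src_ip: str
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str) -> SignIn:
    """Parse the constructed format '<iso ts> user=<upn> ip=<addr> mfa=<result>'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return SignIn(datetime.fromisoformat(ts_str), fields["user"], fields["ip"], fields["mfa"])


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5) -> list:
    """Sliding-window count of MFA prompts per user.

    One alert fires when a user's prompt count first reaches `threshold` inside
    `window`; a second, with approved=True, fires if an approval follows while
    the burst is still in the window (the fatigue attack succeeding).
    """
    alerts = []
    bursts = defaultdict(deque)  # user -> prompts still inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        q = bursts[ev.user]
        q.append(ev)
        while ev.ts - q[0].ts > window:  # drop prompts older than the window
            q.popleft()
        count = len(q)
        if count < threshold:
            continue
        approved = ev.mfa_result == "approved"
        if count == threshold or approved:
            alerts.append(Alert(ev.user, count, approved, ev.src_ip, q[0].ts, ev.ts))
        if approved:
            q.clear()  # burst is over; a later burst should alert afresh
    return alerts


# Constructed sign-in log: alice is bombed and finally approves, bob fumbles once
# and approves (normal), carol's prompts are spread too thin to fill a window.
SAMPLE_LOG = """\
2022-03-22T08:00:00 user=alice@example.test ip=203.0.113.10 mfa=denied
2022-03-22T08:00:31 user=alice@example.test ip=203.0.113.10 mfa=denied
2022-03-22T08:01:02 user=alice@example.test ip=203.0.113.10 mfa=timeout
2022-03-22T08:01:40 user=alice@example.test ip=203.0.113.10 mfa=denied
2022-03-22T08:02:15 user=alice@example.test ip=203.0.113.10 mfa=denied
2022-03-22T08:02:50 user=alice@example.test ip=203.0.113.10 mfa=denied
2022-03-22T08:03:30 user=alice@example.test ip=203.0.113.10 mfa=approved
2022-03-22T08:05:00 user=bob@example.test ip=198.51.100.7 mfa=denied
2022-03-22T08:05:20 user=bob@example.test ip=198.51.100.7 mfa=approved
2022-03-22T09:00:00 user=carol@example.test ip=192.0.2.44 mfa=denied
2022-03-22T09:12:00 user=carol@example.test ip=192.0.2.44 mfa=denied
2022-03-22T09:24:00 user=carol@example.test ip=192.0.2.44 mfa=denied
2022-03-22T09:36:00 user=carol@example.test ip=192.0.2.44 mfa=denied
2022-03-22T09:48:00 user=carol@example.test ip=192.0.2.44 mfa=denied
"""

if __name__ == "__main__":
    for a in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        status = "APPROVED after burst" if a.approved else "burst in progress"
        print(f"{a.user}: {a.prompts_in_window} prompts from {a.src_ip} "
              f"between {a.first_seen:%H:%M:%S} and {a.last_seen:%H:%M:%S} ({status})")
```

The approved=True alert is the one worth paging on: the account is now signed in from the prompting IP and its sessions should be revoked. The carol lines show why the window matters; a slow drip of prompts below the threshold will not fire, so the window and threshold should be tuned against the organisation’s own baseline of accidental denials.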

Microsoft says that in at least one attack, Lapsus$ performed a SIM swap attack, taking control of the user’s phone number and SMS messages to obtain the MFA code needed to log in to the account.

After gaining access to the network, the threat actors use AD Explorer to find accounts with higher privileges and target development and collaboration platforms such as SharePoint, Confluence, JIRA, Slack, and Microsoft Teams to steal additional credentials.

The group also uses these credentials to access source code repositories on GitLab, GitHub, and Azure DevOps, as seen in the attack on Microsoft.

DEV-0537 is also known to exploit vulnerabilities in Confluence, JIRA and GitLab to elevate privileges.

The group compromises the servers running these applications and obtains the credentials of a privileged account, or runs in the context of that account and dumps credentials from there.

The threat actors then harvest valuable data and exfiltrate it over a NordVPN connection to hide their location, and in some cases launch a destructive attack on the victim’s infrastructure, triggering the victim’s incident response.

The threat actors then monitor the victim’s incident response through its Slack and Microsoft Teams channels.

How to protect against Lapsus$?

Microsoft recommends the following measures for companies to protect themselves against threats like Lapsus$.

  • Strengthen MFA implementation
  • Require healthy and trusted endpoints
  • Leverage modern authentication options for VPNs
  • Strengthen and monitor cloud security posture
  • Raise awareness of social engineering attacks
  • Establish operational security processes in response to DEV-0537 intrusions

Lapsus$ has recently launched a number of attacks against businesses, including attacks against NVIDIA, Samsung, Vodafone, Ubisoft, Mercado Libre, and now Microsoft.

It is therefore highly recommended that you read the Microsoft report and become familiar with the tactics used by this group.
