It’s official, Lapsus$ gang compromised a Microsoft employee’s account

Microsoft confirmed that Lapsus$ extortion group has hacked one of its employees to access and steal the source code of some projects.

Microsoft confirmed that Lapsus$ extortion group has hacked one of its employees to access and steal the source code of some projects.

Yesterday the cybercrime gang leaked 37GB of source code stolen from Microsoft’s Azure DevOps server.

On Sunday, the Lapsus$ gang announced to have compromised Microsoft’s Azure DevOps server and shared a screenshot of alleged internal source code repositories.

The gang claims to have leaked the source code for some Microsoft projects, including Bing and Cortana.

On March 22, 2022 night the group shared a torrent for a 7zip archive containing 9 GB of Microsoft source code. The uncompressed archive contains 37GB of source code allegedly belonging to hundreds of Microsoft projects, including for Bing, Cortana, and Bing Maps.

Microsoft has now confirmed that the attackers have compromised the account of one of its employees gaining limited access to source code repositories. The company pointed out that customer code or data was not compromised as a result of unauthorized access.

“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.” reads the post published by Microsoft. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

Microsoft team launched an investigation immediately after the Lapsus$ gang, tracked by the company as DEV-0537, claimed to have hacked the company.

Microsoft’s post detailed the Lapsus gang’s tactics, techniques, and procedures (TTPs), below are some of the methods that they used to compromise user identities to gain initial access to an organization:

• Deploying the malicious Redline password stealer to obtain passwords and session tokens
• Purchasing credentials and session tokens from criminal underground forums
• Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
• Searching public code repositories for exposed credentials

The threat actors used the compromised credentials and/or session tokens to access the target networks through internet-facing systems and applications (i.e. virtual private network (VPN), remote desktop protocol (RDP), virtual desktop infrastructure (VDI) including Citrix, or Identity providers (including Azure Active Directory, Okta)).

The gang also uses session replay attacks to compromise the accounts that are protected with MFA, in some cases, they also continuously trigger MFA notifications until the user allowed them to log in. In at least one attack, the group also used a SIM swap attack to bypass 2FA.

“Once DEV-0537 obtained access to the target network using the compromised account, they used multiple tactics to discover additional credentials or intrusion points to extend their access including:

• Exploiting unpatched vulnerabilities on internally accessible servers including JIRA, Gitlab, and Confluence
• Searching code repositories and collaboration platforms for exposed credentials and secrets.

They have been consistently observed to use AD Explorer, a publicly available tool, to enumerate all users and groups in the said network.” continues the analysis.

Lapsus$ gang set up a dedicated infrastructure in known virtual private server (VPS) providers and leverages NordVPN for data exfiltration using VPN egress points that were geographically like their targets to avoid detection. Data stolen from the targeted organization were also used for future extortion or public release.

Microsoft provides the following recommendations to protect against threat actors:

• Strengthen MFA implementation
• Require Healthy and Trusted Endpoints
• Leverage modern authentication options for VPNs
• Strengthen and monitor your cloud security posture
• Improve awareness of social engineering attacks
• Establish operational security processes in response to DEV-0537 intrusions

Over the last months, the Lapsus$ gang compromised other prominent companies such as NVIDIA, Samsung, Ubisoft, Mercado Libre, and Vodafone.

On Thursday, March 10, the group announced they’re starting to recruit insiders employed within major technology giants and ISPs, such companies include Microsoft, Apple, EA Games and IBM. Their scope of interests includes – major telecommunications companies such as Claro, Telefonica and AT&T.

Notably, the actors are looking to buy remote VPN access and asking potential insiders to contact them privately via Telegram, they then reward them by paying for the access granted.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)

[adrotate banner=”5″]

[adrotate banner=”13″]