Microsoft confirms Lapsus$ breach after hackers publish Bing, Cortana source code

Microsoft has confirmed that it was breached by the Lapsus$ hacking group.

In a blog post on Tuesday — published hours after Lapsus$ posted a torrent file containing partial source code from Bing, Bing Maps, and Cortana — Microsoft revealed that a single employee’s account was compromised by the hacking group, granting the attackers “limited access” to Microsoft’s systems and allowing the theft of the company’s source code.

Microsoft added that no customer code or data was compromised.

Microsoft hasn’t shared any further details about how the account was compromised but provided an overview of the Lapsus$ group’s tactics, techniques, and procedures, which the company’s Threat Intelligence Center, known as MSTIC, has observed across multiple attacks. Initially, these attacks targeted organizations in South America and the U.K., though Lapsus$ has since expanded to global targets, including governments and companies in the technology, telecom, media, retail, and healthcare sectors.

The group uses a number of methods to gain initial access to an organization, which typically focus on compromising user identities and accounts. As well as the recruitment of employees at targeted organizations, these include purchasing credentials from dark web forums, searching public repositories for exposed credentials, and deploying the Redline password stealer.
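One of the initial-access methods listed above, searching public repositories for exposed credentials, is cheap for an attacker and just as cheap for a defender to run first. The scanner below is an added example for this article, not code from Microsoft or from the MSTIC write-up, and it illustrates the technique in general rather than anything specific to the Lapsus$ case. It matches a few well-known token formats (AWS access key IDs, GitHub personal access tokens, Slack tokens) and a generic "password/secret/token = value" assignment, and it uses a Shannon-entropy threshold plus a small placeholder list to suppress obvious dummy values. The sample repository contents, the 3.0-bit entropy threshold and the placeholder list are constructed for the example; the AWS key ID shown is the non-functional placeholder from AWS's own documentation.

```python
import math
import os
import re

# Regexes for a few well-known credential formats plus a generic
# "name = value" assignment for names such as password/secret/token.
# The generic pattern is deliberately last so that a value already
# matched by a specific pattern is not reported twice on the same line.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"),
    "slack_token": re.compile(r"\b(xox[baprs]-[0-9A-Za-z-]{10,})\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Assumed list of dummy values that would otherwise trip the generic pattern.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>", "yourkeyhere"}


def shannon_entropy(value):
    """Bits of entropy per character; random-looking keys score well above prose."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<memory>", min_entropy=3.0):
    """Return a list of findings (path, line, kind, value) for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if value in seen:
                    continue
                # Only the generic pattern needs the entropy/placeholder filter;
                # the specific formats are distinctive enough on their own.
                if kind == "generic_assignment":
                    if value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
                        continue
                seen.add(value)
                findings.append({"path": path, "line": lineno, "kind": kind, "value": value})
    return findings


def scan_files(files):
    """files: mapping of path -> text. Returns findings across all of them."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


def scan_directory(root, max_bytes=1_000_000):
    """Walk a checkout on disk, skipping .git, oversized files and non-UTF-8 (binary) files."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue
            try:
                with open(full, encoding="utf-8") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
    return scan_files(files)


# Constructed sample repository contents (not real credentials; the AWS key ID
# is the placeholder from AWS's own documentation).
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        "DEBUG = False",
        'DB_PASSWORD = "changeme"',
        'api_key = "ab12cd34ef56gh78"',
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    ]),
    ".env": "\n".join([
        "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
        "SLACK_TOKEN=xoxb-1234567890-abcdefghij",
    ]),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']}: {f['value'][:8]}...")
```

Run against the constructed sample it reports four findings: the `api_key` assignment, the AWS key ID, the GitHub token and the Slack token, while the `changeme` placeholder is suppressed. Note that `scan_directory` only looks at the working tree; a credential that was committed and later deleted still lives in the repository history, so a real sweep should also walk past commits (for example by piping `git log -p` output into `scan_text`).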

Lapsus$ then uses compromised credentials to access a company’s internet-facing devices and systems, such as virtual private networks, remote desktop infrastructure, or identity management services, such as Okta, which the hacking group successfully breached in January. Microsoft says that in at least one compromise, Lapsus$ performed a SIM swap attack to gain control of an employee’s phone number and text messages to gain access to multi-factor authentication (MFA) codes needed to log in to an organization.

After gaining access to the network, Lapsus$ then uses publicly available tools to explore an organization’s user accounts to find employees who have higher privileges or broader access, and then targets development and collaboration platforms, such as Jira, Slack, and Microsoft Teams, where further credentials are stolen. The hacking group also uses these credentials to gain access to source code repositories on GitLab, GitHub, and Azure DevOps, as it did in the attack on Microsoft.
