Microsoft confirmed on Tuesday that the Lapsus$ hacker group had gained “limited access” to the tech giant through a single compromised account while denying any elevated risk of the attack.
In a blog post, Microsoft explained how Lapsus$ attacks targets and acknowledged that the group used these tactics to force their way into the Redmond, Washington-based company.
“No code or customer data was involved in the observed activities,” according to the blog post. “Our investigation revealed that only one account was compromised, granting limited access. Our cybersecurity response teams quickly mobilized to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of the code as a security measure and the visualization of the source code does not lead to an increase in risk.”
[RELATED: Microsoft Azure DevOps Targeted By Hacker Group: Reports]
Lapsus$, or DEV-0537 as Microsoft calls the group, said in a post on the Telegram messaging app on Sunday that it had breached internal source code repositories for Microsoft Azure DevOps. The repository appears to show access to projects related to Bing and Cortana.
“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed his intrusion,” according to Microsoft’s post. “This public disclosure has intensified our action, allowing our team to step in and interrupt the actor mid-operation, thus limiting a wider impact.”
The group has been active, previously targeting Okta, Nvidia, Samsung and other big tech companies. As many as 366 Okta customers may have had their data “processed” following the Lapsus$ cyberattack against the identity security giant’s customer support contractor.
Kelly Yeh, president of Phalanx Technology Group, a Microsoft partner based in Chantilly, Va., told CRN in an interview that giant corporations like Microsoft still have targets on their backs and that, based on Microsoft’s response, the group did not reach extremely sensitive Microsoft or customer data.
“Yet it shows that even companies with strong security processes and systems can be compromised, so vigilance and best practices should be used whenever possible,” Yeh said.
David Cox, vice president of G6 Communications, a Microsoft partner based in Fort Wayne, Indiana, told CRN in an interview that managed service providers (MSPs) educate their staff on what to look for and how to respond to customer questions.
“After assessing the potential impact on our customers’ operations, we work with them to develop a plan to address their concerns,” Cox said. “The last thing we do is add it to the long list of events we follow.”
Lapsus$ “is a bit different in that it doesn’t directly impact our customers like the Log4j vulnerability did,” he said.
Information about Lapsus$
Lapsus$ uses a pure extortion and destruction model with no ransomware payloads, according to Microsoft. Its initial targets were the UK and South America, but it has expanded to include government agencies, healthcare organizations and businesses in various industries around the world.
Lapsus$ advertises that it will buy employee credentials from target organizations, uses subscriber identity module (SIM) swapping to take control of accounts, and interferes in targets’ crisis communications.
The group also called organizations’ help desks to try to reset privileged account credentials using common recovery prompts such as “mother’s maiden name” and even using a native English-speaking caller to speak with the help desk, according to Microsoft.
“Since many organizations outsource their technical support, this tactic attempts to exploit those supply chain relationships, especially when organizations give their support staff the ability to elevate privileges,” according to Microsoft.
Tips from Microsoft
To better defend against Lapsus$, Microsoft recommended that users strengthen multi-factor authentication (MFA), require trusted endpoints, take advantage of modern authentication options for virtual private networks (VPNs), improve and monitor cloud security postures, and train organizations on social engineering attacks, among other steps.
For MFA, users should avoid weak factors like text messaging, secondary email addresses and voice approvals, instead using tools like Fast Identity Online (FIDO) tokens, according to Microsoft.
For cloud security postures, since Lapsus$ uses legitimate credentials for access, security professionals should review Conditional Access session risk and user configurations and review risk detections in Azure Active Directory (AD) Identity Protection, among other actions.
Lapsus$ monitors and interferes with incident response communications, so users should monitor these channels for unauthorized participants and perform visual or audio verification, according to Microsoft.
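One way to turn the help-desk reset tactic described above and Microsoft’s advice to monitor identity activity into a concrete check, as an added example that is not part of the article or of any Microsoft tooling: correlate audit events so that a help-desk-initiated password reset followed shortly by registration of a weak MFA factor (SMS, voice, email) is flagged for review. The event format and field names are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not from the article). The field names are
# an assumption; map them to whatever your identity provider's audit log uses.
EVENTS = [
    {"ts": "2022-03-20T09:00:00", "user": "alice", "action": "password_reset", "actor": "helpdesk"},
    {"ts": "2022-03-20T09:07:00", "user": "alice", "action": "mfa_method_added", "method": "sms"},
    {"ts": "2022-03-20T09:09:00", "user": "alice", "action": "signin", "device": "unknown"},
    {"ts": "2022-03-20T11:00:00", "user": "bob", "action": "password_reset", "actor": "self_service"},
    {"ts": "2022-03-21T08:00:00", "user": "bob", "action": "mfa_method_added", "method": "fido2"},
    {"ts": "2022-03-20T14:00:00", "user": "carol", "action": "password_reset", "actor": "helpdesk"},
    {"ts": "2022-03-20T14:45:00", "user": "carol", "action": "mfa_method_added", "method": "voice"},
]

# Factors the article says Microsoft advises against relying on.
WEAK_FACTORS = {"sms", "voice", "email"}


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_resets(events, window_minutes=30):
    """Return (user, reset timestamp, weak factor) for every help-desk password
    reset that is followed, within the window, by the same user registering a
    weak MFA factor. Resets done through self-service or followed by a strong
    factor (e.g. FIDO2) are not flagged."""
    events = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, reset in enumerate(events):
        if reset["action"] != "password_reset" or reset.get("actor") != "helpdesk":
            continue
        deadline = parse_ts(reset["ts"]) + timedelta(minutes=window_minutes)
        for later in events[i + 1:]:
            if parse_ts(later["ts"]) > deadline:
                break  # events are sorted, nothing further can be in the window
            if (later["user"] == reset["user"]
                    and later["action"] == "mfa_method_added"
                    and later.get("method") in WEAK_FACTORS):
                hits.append((reset["user"], reset["ts"], later["method"]))
                break
    return hits


if __name__ == "__main__":
    for user, ts, method in find_suspicious_resets(EVENTS):
        print(f"review: help-desk reset for {user} at {ts} followed by weak factor {method}")
```

The window length is a tuning knob; widening it to 60 minutes would also flag carol in the sample data.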