Microsoft Investigating Claim of Breach by LAPSUS$ (update: confirmation from MS)

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,600
The LAPSUS$ group has previously compromised Nvidia and Samsung. Over the weekend the group published a screenshot that appeared to show access to internal Microsoft systems.

Microsoft is investigating claims that an extortion-focused hacking group that has previously compromised massive companies such as Ubisoft and Nvidia has gained access to internal Microsoft systems, according to a statement from the company.

The hacking group, which goes by the self-designated name LAPSUS$, has successfully breached a wave of corporations recently. LAPSUS$ sometimes makes unusual ransom demands of its victims, including asking Nvidia to unlock aspects of its graphics cards to make them more suitable for mining cryptocurrency. The group has so far not made any public demands against Microsoft.

On Sunday, LAPSUS$ posted a screenshot of what appeared to be an internal Microsoft developer account to their Telegram channel. The screenshot appeared to be from an Azure DevOps account, a product that Microsoft offers that allows developers to collaborate on projects. Specific projects shown in the screenshot include “Bing_UX,” potentially referring to the user experience of Microsoft’s Bing search engine; “Bing-Source,” indicating access to the source code of the search engine; and “Cortana,” Microsoft’s smart assistant. Other sections include “mscomdev,” “microsoft,” and “msblox,” indicating whoever took the screenshot may have access to other code repositories as well.

Shortly after posting the screenshot, an administrator of LAPSUS$’s Telegram channel deleted the image.

“Deleted for now will repost later,” they wrote.

On Sunday, a Microsoft spokesperson told Motherboard in an email that “We are aware of the claims and are investigating.”
 

Gandalf_The_Grey
Monday night, the hacking group posted a torrent for a 9 GB 7zip archive containing the source code of over 250 projects that they say belong to Microsoft.

When posting the torrent, Lapsus$ said it contained 90% of the source code for Bing and approximately 45% of the code for Bing Maps and Cortana.

Even though they say only some of the source code was leaked, BleepingComputer is told that the uncompressed archive contains approximately 37GB of source code allegedly belonging to Microsoft.

Security researchers who have pored over the leaked files told BleepingComputer that they appear to be legitimate internal source code from Microsoft.

Furthermore, we are told that some of the leaked projects contain emails and documentation that were clearly used internally by Microsoft engineers to publish mobile apps.

The projects appear to be for web-based infrastructure, websites, or mobile apps, with no source code for Microsoft desktop software released, including Windows, Windows Server, and Microsoft Office.

When we contacted Microsoft about tonight's source code leak, they continued to tell BleepingComputer that they are aware of the claims and are investigating.

Gandalf_The_Grey

Microsoft confirms they were hacked by Lapsus$ extortion group
Microsoft has confirmed that one of their employees was compromised by the Lapsus$ hacking group, allowing the threat actors to access and steal portions of their source code.

In a new blog post published tonight, Microsoft has confirmed that one of their employee's accounts was compromised by Lapsus$, providing limited access to source code repositories.

"No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity," explained Microsoft in an advisory about the Lapsus$ threat actors.

"Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog."

"Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact."

While Microsoft has not shared how the account was compromised, they provided a general overview of the Lapsus gang's tactics, techniques, and procedures (TTPs) observed across multiple attacks.

Microsoft is tracking the Lapsus$ data extortion group as 'DEV-0537' and says they primarily focus on obtaining compromised credentials for initial access to corporate networks.

These credentials are obtained using the following methods:
  • Deploying the malicious Redline password stealer to obtain passwords and session tokens
  • Purchasing credentials and session tokens on criminal underground forums
  • Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and multi-factor authentication (MFA) approval
  • Searching public code repositories for exposed credentials

Microsoft recommends that corporate entities perform the following steps to protect against threat actors like Lapsus$:
  • Strengthen MFA implementation
  • Require Healthy and Trusted Endpoints
  • Leverage modern authentication options for VPNs
  • Strengthen and monitor your cloud security posture
  • Improve awareness of social engineering attacks
  • Establish operational security processes in response to DEV-0537 intrusions

Lapsus$ has recently conducted numerous attacks against the enterprise, including those against NVIDIA, Samsung, Vodafone, Ubisoft, Mercado Libre, and now Microsoft.

Therefore, it is strongly advised that security and network admins become familiar with the tactics used by this group by reading Microsoft's report.