Technology giant Microsoft confirmed that it was hacked by a group called DEV-0537, also known as Lapsus$. The company made this statement in a blog post on Tuesday this week.
The group had earlier claimed to have hacked Microsoft and posted an archive of nearly 37GB of data that it claimed contained partial source code for Bing and Cortana. This was the same group that hacked Samsung a couple of days ago, stealing Samsung Galaxy source code.
According to Microsoft in the blog post,
In recent weeks, Microsoft Security teams have been actively tracking a large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements. As this campaign has accelerated, our teams have been focused on detection, customer notifications, threat intelligence briefings, and sharing with our industry collaboration partners to understand the actor’s tactics and targets. Over time, we have improved our ability to track this actor and helped customers minimize the impact of active intrusions and in some cases worked with impacted organizations to stop attacks prior to data theft or destructive actions. Microsoft is committed to providing visibility into the malicious activity we’ve observed and sharing insights and knowledge of actor tactics that might be useful for other organizations to protect themselves. While our investigation into the most recent attacks is still in progress, we will continue to update this blog when we have more to share.
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors. DEV-0537 is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.
Microsoft Threat Intelligence Center (MSTIC) assesses that the objective of DEV-0537 is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.
Microsoft confirmed that an employee's account was compromised by Lapsus$, providing limited access to source code repositories.
“No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” explained Microsoft.
Recommendations
Microsoft recommends that users do the following:
- Strengthen multifactor authentication (MFA)
- Require healthy and trusted endpoints
- Leverage modern authentication options for VPNs
- Strengthen and monitor cloud security posture
- Improve awareness of social engineering attacks
- Establish operational security processes in response to DEV-0537 intrusions