Microsoft has confirmed that hacking group Lapsus$ successfully compromised an employee’s user account and stole code, days after the group boasted that it had infiltrated the software giant. No customer data or code was affected, Microsoft says, and the operation was interrupted by its security team. The company made the admission in a blog post describing Lapsus$’s tactics, and offering guidance on how to protect against them.
Microsoft Lapsus$ breach: ‘No customer code or data was involved’
Microsoft says its cybersecurity team was already investigating the intrusion when, on Sunday, Lapsus$ boasted it had compromised an employee account and stolen source code from the company. “This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” the company wrote in its blog post. “Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.”
“No customer code or data was involved in the observed activities,” it added. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”
The confirmation adds another notch to the list of Big Tech targets Lapsus$ has successfully breached. Having started out targeting Brazilian institutions in 2020, Lapsus$ came to global notoriety earlier this month when it attacked chipmaker NVIDIA and electronics manufacturer Samsung. Earlier this week, it claimed single-sign-on provider Okta as its latest victim. The company said yesterday that an account had been compromised in January; it later confirmed that some customers’ data may have been accessed.
In its blog post yesterday, Microsoft described Lapsus$ as a "cybercriminal actor motivated by theft and destruction" that is "known for using a pure extortion and destruction model without deploying ransomware payloads". Lapsus$ is unusually eager to attract public attention to its activities, Microsoft said, and uses a number of techniques that are unusual among the groups Microsoft tracks.
How does Lapsus$ hack its victims?
Lapsus$'s modus operandi is to use social engineering techniques on its targets' employees to gain access to employee user accounts, Microsoft explained. It then exploits these accounts' privileged access to "enable data theft and destructive attacks against a targeted organisation, often resulting in extortion".
Lapsus$ uses a number of techniques to gain initial access to its targets' systems. These include paying employees to share credentials, buying credentials on dark web marketplaces, and searching code repositories that may contain log-in credentials.
To recruit insiders, Lapsus$ advertised that it would buy credentials for its targets, enticing employees or contractors to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt, or install AnyDesk or other remote management software on a corporate workstation, allowing the actor to take control of an authenticated system. In posts on its Telegram channel, Lapsus$ has called for workers at telecommunications providers, software companies (including Microsoft), hosting providers and outsourcers.
Once the group has acquired log-ins, it typically uses them to access web-facing systems such as VPNs, remote desktop infrastructure including Citrix, or identity services including Azure Active Directory or Okta. In some cases, Lapsus$ was able to skirt its victim's multi-factor authentication (MFA) protections by either resending previous legitimate prompts (a session token replay attack) or using stolen passwords, in the hope that the user approves the access request.
Once inside an organisation, the group examines code repositories and collaboration tools to find and compromise accounts with the greatest access privileges. "In some cases, [Lapsus$] even called the organisation’s help desk and attempted to convince the support personnel to reset a privileged account’s credentials," the Microsoft blog stated.
Sensitive code or data is downloaded using virtual private servers "for future extortion or public release," Microsoft said. "After exfiltration, [Lapsus$] often deletes the target’s systems and resources. We’ve observed deletion of resources both on-premises (for example, VMWare vSphere/ESX) and in the cloud to trigger the organisation’s incident and crisis response process."
Microsoft said that Lapsus$ initially used this technique to target crypto exchanges, before moving on to Brazilian government bodies and now technology providers. "[T]his group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support companies – to leverage their access from one organisation to access the partner or supplier organisations," it said.
How should companies protect themselves against Lapsus$?
To defend against Lapsus$'s tactics, Microsoft recommends that organisations bolster their MFA protections by applying MFA to all users, but avoid using text messages to approve access, as they can be easily spoofed. Organisations should limit network access to trusted devices, and implement up-to-date authentication measures for web-facing systems that take a risk-based approach to authentication.
Microsoft also advises that companies tighten their access policies for cloud-based systems, blocking all 'high risk' log-in attempts from typical users and all 'medium risk' attempts from privileged users.
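The two risk-based blocks described above, written as Azure AD Conditional Access policies created through the Microsoft Graph PowerShell module. This is an added example, not code from the article or from Microsoft's guidance post; the role template ID and the break-glass account are placeholders you supply, and the policies start in report-only mode so their effect can be reviewed before enforcement.

```powershell
# Added example (not from the article or Microsoft's post): the two Conditional
# Access policies described above, built with the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# ASSUMPTION / placeholders: fill in your own values before running.
$privilegedRoleTemplateIds = @("<privileged-role-template-id>")   # e.g. the Global Administrator role template
$breakGlassAccountIds      = @("<emergency-access-account-object-id>")

# Policy 1: block every sign-in that Identity Protection scores as high risk,
# for all users on all cloud apps (the "typical users" rule).
$blockHighRiskAllUsers = @{
    DisplayName   = "Block high-risk sign-ins (all users)"
    State         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    Conditions    = @{
        Users            = @{ IncludeUsers = @("All"); ExcludeUsers = $breakGlassAccountIds }
        Applications     = @{ IncludeApplications = @("All") }
        SignInRiskLevels = @("high")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}

# Policy 2: the tighter bar for privileged accounts, blocking at medium risk too.
$blockMediumRiskPrivileged = @{
    DisplayName   = "Block medium-or-high-risk sign-ins (privileged roles)"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users            = @{ IncludeRoles = $privilegedRoleTemplateIds; ExcludeUsers = $breakGlassAccountIds }
        Applications     = @{ IncludeApplications = @("All") }
        SignInRiskLevels = @("medium", "high")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}

# Create both policies and show what was provisioned.
foreach ($policy in @($blockHighRiskAllUsers, $blockMediumRiskPrivileged)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Review the report-only sign-in log entries for both policies before changing their State to "enabled", so that legitimate administrators are not locked out by a mis-scored risk level.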
Employees, especially IT helpdesk staff, should be trained to be aware of the latest social engineering attacks, Microsoft said. And communications among cybersecurity incident response staff should be tightly controlled and monitored, as Lapsus$ has been known to "monitor and intrude" on these operations.
Okta Lapsus$ update: some customers' data may have been affected
After Lapsus$ claimed to have breached Okta this week, the company's CEO said that there had been 'no evidence' of malicious activity. However, in a blog post yesterday, the company's chief security officer David Bradbury said: "We have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon."
Okta revealed that the account of a third-party customer support engineer had been compromised and that an attacker had access to their laptop for five days in January. "The potential impact to Okta customers is limited to the access that support engineers have," the company said. "These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots."