Lapsus$ gang claims to have hacked Microsoft source code repositories

By Adelmio Genovese

Microsoft confirms Lapsus$ breach after hackers publish Bing, Cortana source code – TechCrunch

Microsoft has confirmed that it was breached by the Lapsus$ hacking group.


In a blog post on Tuesday — published hours after Lapsus$ posted a torrent file containing partial source code from Bing, Bing Maps and Cortana — Microsoft revealed that a single employee’s account was compromised by the hacking group, granting the attackers “limited access” to Microsoft’s systems and allowing the theft of the company’s source code.

Microsoft added that no customer code or data was compromised.

“Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft said. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

Microsoft hasn’t shared any further details about how the account was compromised but provided an overview of the Lapsus$ group’s tactics, techniques and procedures, which the company’s Threat Intelligence Center , known as MSTIC, has observed across multiple attacks. Initially, these attacks targeted organizations in South America and the U.K., though Lapsus$ has since expanded to global targets, including governments and companies in the technology, telecom, media, retail and healthcare sectors.

The group, which the technology giant is tracking as DEV-0537, operates with a “pure extortion and destruction model” and, unlike other hacking groups, “doesn’t seem to cover its tracks,” according to Microsoft, likely a nod to the group’s public recruitment of company insiders to help it carry out their targeted attacks. The group uses a number of methods to gain initial access to an organization, which typically focus on compromising user identities and accounts. As well as the recruitment of employees at targeted organizations, these include purchasing credentials from dark web forums, searching public repositories for exposed credentials and deploying the Redline password stealer.

Lapsus$ then uses compromised credentials to access a company’s internet-facing devices and systems, such as virtual private networks, remote desktop infrastructure, or identity management services, such as Okta, which the hacking group successfully breached in January. Microsoft says that in at least one compromise, Lapsus$ performed a SIM swap attack to gain control of an employee’s phone number and text messages to gain access to multi-factor authentication (MFA) codes needed to log in to an organization.

After gaining access to the network, Lapsus then uses publicly available tools to explore an organization’s user accounts to find employees that have higher privileges or broader access, and then targets development and collaboration platforms, such as Jira, Slack and Microsoft Teams, where further credentials are stolen. The hacking group also uses these credentials to gain access to source code repositories on GitLab, GitHub and Azure DevOps, as it did with the attack on Microsoft.

“In some cases, DEV-0537 even called the organization’s help desk and attempted to convince the support personnel to reset a privileged account’s credentials,” Microsoft added. “The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure.”

The Lapsus$ gang set up a dedicated infrastructure in known virtual private server (VPS) providers and leverages consumer virtual private network service NordVPN for exfiltrating data — even using localized VPN servers that were geographically close to their targets to avoid triggering network detection tools. Stolen data is then used for future extortion or publicly released.

The Lapsus$ hacking group has made a name for itself over the past few weeks, compromising a number of prominent companies, including Nvidia and Samsung. Earlier this week, its latest victim was outed as Okta after the gang posted screenshots of the identity giant’s internal systems. Okta confirmed the breach, which it said was the result of Lapsus$ compromising a third-party customer support engineer and said it impacted around 2.5% of its 15,000 customers.

It’s currently unclear why Okta didn’t notify its customers about the compromise, which occurred during a five-day window in January, until now.

Read more:

Microsoft: Lapsus$ Gained ‘Limited Access’ In Hack Attack

Microsoft confirmed Tuesday that hacker group Lapsus$ gained “limited access” to the tech giant through a single compromised account while dismissing any elevation of risk from the attack.


In a blog post, Microsoft outlined how Lapsus$ attacks targets and acknowledged that the group used these tactics to force its way into the Redmond, Wash.-based company.

“No customer code or data was involved in the observed activities,” according to the blog post. “Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

[RELATED: Microsoft Azure DevOps Targeted By Hacker Group: Reports]

Lapsus$ – or DEV-0537, as Microsoft calls the group – said it breached internal source code repositories for Microsoft Azure DevOps in a post on messaging application Telegram on Sunday. The repository appears to show access to Bing- and Cortana-related projects.

“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion,” according to the Microsoft post. “This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

The group has been active, previously targeting Okta, Nvidia, Samsung and other big tech companies. As many as 366 Okta customers might have had their data ‘acted upon’ following the Lapsus$ cyberattack against the identity security giant’s customer support subcontractor.

Kelly Yeh, president of Chantilly, Va.-based Microsoft partner Phalanx Technology Group, told CRN in an interview that giant companies such as Microsoft always have bullseyes on their backs and that, based on Microsoft’s response, the group hasn’t seized extremely sensitive data from Microsoft or customers.

“Still, this shows that even companies with great processes and security systems can be compromised, so vigilance and best practices should be utilized as much as practical,” Yeh said.

David Cox, vice president at G6 Communications, a Fort Wayne, Ind.-based Microsoft partner, told CRN in an interview that managed service providers (MSPs) notify their staff on what to look for and how to answer questions from clients.

“After we evaluate the potential impact on our clients’ operations, we work with them to develop a plan to address any concerns they have,” Cox said. “The last thing we do is add it to the long list of events we track.”

Lapsus$ “is a little different in that it doesn’t directly impact our clients the way the Log4j vulnerability did,” he said.

Information On Lapsus$

Lapsus$ uses a pure extortion and destruction model without ransomware payloads, according to Microsoft. Its earliest targets were in the United Kingdom and South America, but it’s expanded to government agencies, health care organizations and companies in a variety of sectors worldwide.

Lapsus$ advertises that it will buy credentials from employees of target organizations, uses subscriber identity module (SIM) swapping to take over accounts and intrudes on crisis communications of targets.

The group has also called organizations’ help desks to try to reset privileged accounts’ credentials using common recovery prompts such as “mother’s maiden name” and even using a native-English-sounding caller to speak with the help desk, according to Microsoft.

“Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges,” according to Microsoft.

Advice From Microsoft

To better defend against Lapsus$, Microsoft recommended that users strengthen multifactor authentication (MFA), require trusted endpoints, leverage modern authentication options for virtual private networks (VPNs), improve and monitor cloud security postures and train organizations in social engineering attacks, among other actions.

For MFA, users should avoid weak factors such as text messaging, secondary email addresses and voice approvals, instead using tools such as Fast Identity Online (FIDO) tokens, according to Microsoft.

For cloud security postures, because Lapsus$ uses legitimate credentials to gain access, security professionals should review Conditional Access user and session risk configurations and review risk detections in Azure Active Directory (AD) Identity Protection, among other actions.

Lapsus$ monitors and intrudes in incident response communications, so users should monitor these channels for unauthorized attendees and perform visual or audio verification, according to Microsoft.

Lapsus$ gang claims to have hacked Microsoft source code repositories

Microsoft is investigating claims that the Lapsus$ hacking group breached its internal Azure DevOps source code repositories.

Microsoft announced that is investigating claims that the Lapsus$ cybercrime gang breached their internal Azure DevOps source code repositories and stolen data.

Over the last months, the gang compromised other prominent companies such as NVIDIA, Samsung, Ubisoft, Mercado Libre, and Vodafone.

On Thursday, March 10, Lapsus$ ransomware gang announced they’re starting to recruit insiders employed within major technology giants and ISPs, such companies include Microsoft, Apple, EA Games and IBM. Their scope of interests includes – major telecommunications companies such as Claro, Telefonica and AT&T.

Notably, the actors are looking to buy remote VPN access and asking potential insiders to contact them privately via Telegram, they then reward them by paying for the access granted.

On Sunday, the Lapsus$ gang announced to have compromised Microsoft’s Azure DevOps server and shared a screenshot of alleged internal source code repositories.

One of the repositories contains the source code for Cortana and other Bing projects (e.g. ‘Bing_STC-SV’, ‘Bing_Test_Agile’, and “Bing_UX’).

Curiously the group has removed the initial announcement from its Telegram channel, and posted the message “Deleted for now will repost later”

Stay tuned …

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)

Share this...


Share this: Email








Share On