Microsoft: Lapsus$ Gained ‘Limited Access’ In Hack Attack

‘No customer code or data was involved in the observed activities,’ according to the blog post. ‘Our investigation has found a single account had been compromised, granting limited access.’

Microsoft confirmed Tuesday that hacker group Lapsus$ gained “limited access” to the tech giant through a single compromised account while dismissing any elevation of risk from the attack.

In a blog post, Microsoft outlined how Lapsus$ attacks targets and acknowledged that the group used these tactics to force its way into the Redmond, Wash.-based company.

“No customer code or data was involved in the observed activities,” according to the blog post. “Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

[RELATED: Microsoft Azure DevOps Targeted By Hacker Group: Reports]

Lapsus$ – or DEV-0537, as Microsoft calls the group – said it breached internal source code repositories for Microsoft Azure DevOps in a post on messaging application Telegram on Sunday. The repository appears to show access to Bing- and Cortana-related projects.

“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion,” according to the Microsoft post. “This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

The group has been active, previously targeting Okta, Nvidia, Samsung and other big tech companies. As many as 366 Okta customers might have had their data ‘acted upon’ following the Lapsus$ cyberattack against the identity security giant’s customer support subcontractor.

Kelly Yeh, president of Chantilly, Va.-based Microsoft partner Phalanx Technology Group, told CRN in an interview that giant companies such as Microsoft always have bullseyes on their backs and that, based on Microsoft’s response, the group hasn’t seized extremely sensitive data from Microsoft or customers.

“Still, this shows that even companies with great processes and security systems can be compromised, so vigilance and best practices should be utilized as much as practical,” Yeh said.

David Cox, vice president at G6 Communications, a Fort Wayne, Ind.-based Microsoft partner, told CRN in an interview that managed service providers (MSPs) notify their staff on what to look for and how to answer questions from clients.

“After we evaluate the potential impact on our clients’ operations, we work with them to develop a plan to address any concerns they have,” Cox said. “The last thing we do is add it to the long list of events we track.”

Lapsus$ “is a little different in that it doesn’t directly impact our clients the way the Log4j vulnerability did,” he said.

Information On Lapsus$

Lapsus$ uses a pure extortion and destruction model without ransomware payloads, according to Microsoft. Its earliest targets were in the United Kingdom and South America, but it’s expanded to government agencies, health care organizations and companies in a variety of sectors worldwide.

Lapsus$ advertises that it will buy credentials from employees of target organizations, uses subscriber identity module (SIM) swapping to take over accounts and intrudes on crisis communications of targets.

The group has also called organizations’ help desks to try to reset privileged accounts’ credentials using common recovery prompts such as “mother’s maiden name” and even using a native-English-sounding caller to speak with the help desk, according to Microsoft.

“Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges,” according to Microsoft.

Advice From Microsoft

To better defend against Lapsus$, Microsoft recommended that users strengthen multifactor authentication (MFA), require trusted endpoints, leverage modern authentication options for virtual private networks (VPNs), improve and monitor cloud security postures and train organizations in social engineering attacks, among other actions.

For MFA, users should avoid weak factors such as text messaging, secondary email addresses and voice approvals, instead using tools such as Fast Identity Online (FIDO) tokens, according to Microsoft.

For cloud security postures, because Lapsus$ uses legitimate credentials to gain access, security professionals should review Conditional Access user and session risk configurations and review risk detections in Azure Active Directory (AD) Identity Protection, among other actions.

Lapsus$ monitors and intrudes in incident response communications, so users should monitor these channels for unauthorized attendees and perform visual or audio verification, according to Microsoft.