Microsoft has acknowledged that the Lapsus$ extortion gang compromised a single employee account and had “limited access” to its systems, saying the gang’s boast that it had stolen company source code allowed Microsoft to interrupt the attack “in mid-operation.”
The statement issued Tuesday by the company’s security teams also says “no customer code or data was involved in the observed activities.”
However, Lapsus$ never claimed that customer code was stolen. According to the Bleeping Computer news site, the gang posted screenshots of what appears to be Microsoft’s Azure DevOps account. When it began leaking 37 GB of data, the gang said it contained most of the source code for Microsoft’s Bing search engine and some of the code for Bing Maps and Cortana.
In its Tuesday statement and detailed analysis of the gang’s tactics, Microsoft didn’t say anything about copied data. What it did say is that the company does not rely on the secrecy of code as a security measure, and viewing source code does not lead to elevation of risk.
“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”
Microsoft said it was tracking Lapsus$, which it calls DEV-0537, before the gang announced its attack this week. “Over time, we have improved our ability to track this actor and helped customers minimize the impact of active intrusions and in some cases worked with impacted organizations to stop attacks prior to data theft or destructive actions,” it said.
Lapsus$ has gained notoriety for claiming attacks on graphics card maker Nvidia, Samsung and online games developer Ubisoft.
Its early attacks targeted cryptocurrency accounts, said Microsoft, before moving on to telecommunication, higher education, and government organizations in South America. “Based on observed activity, this group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support companies to leverage their access from one organization to access the partner or supplier organizations. They have also been observed targeting government entities, manufacturing, higher education, energy, retailers, and healthcare.”
The gang uses a number of tactics for initial compromise, says the report, including
- deploying the malicious Redline password stealer to obtain passwords and session tokens;
- purchasing credentials and session tokens from criminal underground forums;
- paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval;
- and searching public code repositories for exposed credentials.
If an organization uses multifactor authentication as an extra step to protect logins, the gang has been seen using several tactics to get around it:
- session token replay and stolen passwords to trigger simple-approval MFA prompts, hoping that the legitimate user of the compromised account eventually consents to the prompts and grants the necessary approval;
- if an employee’s personal email or smartphone is hacked, they use that access to reset passwords and complete account recovery actions.
Once inside, Lapsus$ leverages access to a victim organization’s cloud assets to create new virtual machines, which it uses to spread deeper into the IT network.
If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), the gang creates global admin accounts in the organization’s cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts. That way the gang has sole control of the cloud resources, effectively locking the organization out of all access. After data exfiltration, it often deletes the target’s systems and resources either on premises or in the cloud.
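The takeover sequence described in the report (a new account granted global admin, a tenant-wide mail rule pointed at it, then the other global admins removed) leaves a recognizable trail in tenant audit logs. The following detector is an added example written for this article, not code from Microsoft or the report; the simplified event shape, the field names and the sample events are constructed for illustration, and real Azure AD and Exchange Online audit records use different field layouts.

```python
"""Flag the cloud-tenant takeover pattern from a stream of simplified audit
events: an account added to Global Administrator, followed within a short
window by a tenant-wide mail redirect rule targeting that account and by
the removal of the other global admins.

Event shape, field names and the sample data below are constructed for
this example (assumption); they only mirror the operation names used by
Azure AD / Exchange Online audit logs."""
from datetime import datetime, timedelta

# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {"time": "2022-03-20T02:11:00Z", "op": "Add user",
     "actor": "svc-ops@corp.example", "target": "backup-admin@corp.example"},
    {"time": "2022-03-20T02:12:30Z", "op": "Add member to role",
     "actor": "svc-ops@corp.example", "target": "backup-admin@corp.example",
     "role": "Global Administrator"},
    {"time": "2022-03-20T02:15:00Z", "op": "New-TransportRule",
     "actor": "backup-admin@corp.example", "target": "backup-admin@corp.example",
     "scope": "all"},
    {"time": "2022-03-20T02:16:10Z", "op": "Remove member from role",
     "actor": "backup-admin@corp.example", "target": "alice@corp.example",
     "role": "Global Administrator"},
    {"time": "2022-03-20T02:16:40Z", "op": "Remove member from role",
     "actor": "backup-admin@corp.example", "target": "bob@corp.example",
     "role": "Global Administrator"},
    # Benign: a single-sender archiving rule hours later, not tenant-wide.
    {"time": "2022-03-20T09:00:00Z", "op": "New-TransportRule",
     "actor": "alice@corp.example", "target": "archive@corp.example",
     "scope": "sender:alice@corp.example"},
]

GLOBAL_ADMIN = "Global Administrator"
WINDOW = timedelta(hours=1)  # how close together the steps must occur


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_takeover(events, window=WINDOW):
    """Return one alert per newly promoted global admin that is followed,
    within `window`, by a tenant-wide redirect rule and/or removals of other
    global admins performed by that same account."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["op"] != "Add member to role" or ev.get("role") != GLOBAL_ADMIN:
            continue
        new_admin = ev["target"]
        promoted_at = parse_time(ev["time"])
        # Account created shortly before promotion is a stronger signal.
        freshly_created = any(
            x["op"] == "Add user" and x["target"] == new_admin
            and promoted_at - parse_time(x["time"]) <= window
            for x in events[:i])
        later = [x for x in events[i + 1:]
                 if parse_time(x["time"]) - promoted_at <= window]
        tenant_wide_redirect = any(
            x["op"] == "New-TransportRule" and x.get("scope") == "all"
            and x["target"] == new_admin for x in later)
        admins_removed = sorted({
            x["target"] for x in later
            if x["op"] == "Remove member from role"
            and x.get("role") == GLOBAL_ADMIN
            and x["actor"] == new_admin and x["target"] != new_admin})
        if tenant_wide_redirect or admins_removed:
            # Score: promotion (1) + redirect (1) + lockout (1) + fresh account (1)
            score = 1 + int(tenant_wide_redirect) + int(bool(admins_removed)) \
                + int(freshly_created)
            alerts.append({"new_admin": new_admin,
                           "freshly_created": freshly_created,
                           "tenant_wide_redirect": tenant_wide_redirect,
                           "admins_removed": admins_removed,
                           "score": score})
    return alerts


if __name__ == "__main__":
    for alert in find_takeover(SAMPLE_EVENTS):
        print(alert)
```

The benign archiving rule in the sample does not fire because it is neither tenant-wide nor tied to a newly promoted admin, while the constructed takeover scores the maximum of 4. In practice the same correlation is worth running as a standing query over the unified audit log, with a separate, lower-severity alert on any tenant-wide redirect rule on its own.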
With its access, Lapsus$ has been seen joining the organization’s crisis communication calls and internal discussion boards (such as Slack, Teams, conference calls and others) to understand the incident response workflow and their corresponding response. This gives the gang insight into the victim’s state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands. In some cases, Microsoft adds, the gang has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made before it publicly leaked the data it collected.
In some cases, a gang member even called the organization’s help desk and attempted to convince the support personnel to reset a privileged account’s credentials, says the report. “The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure. Observed actions have included DEV-0537 answering common recovery prompts such as ‘first street you lived on’ or ‘mother’s maiden name’ to convince help desk personnel of authenticity.
“Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges,” said the report.
Still, MFA “is one of the primary lines of defense” against Lapsus$’s current tactics, Microsoft says. “While this group attempts to identify gaps in MFA, it remains a critical pillar in identity security for employees, vendors, and other personnel alike.”
Proper implementation of MFA is vital. Microsoft says IT leaders shouldn’t
- use weak MFA factors such as text messages (susceptible to SIM swapping), simple voice approvals, simple push (instead, use number matching), or secondary email addresses;
- include location-based exclusions. MFA exclusions allow an actor with only one factor for a set of identities to bypass the MFA requirements if they can fully compromise a single identity;
- allow credential or MFA factor sharing between users.