Microsoft has earned the distinction of being the latest tech behemoth to be breached by the hacker group Lapsus$, and the company has confirmed it. This comes after the group compromised major companies such as Nvidia, Samsung, Ubisoft, and Okta, and it shows no sign of stopping anytime soon.
Microsoft’s confirmation came after Lapsus$ already shared on its Telegram channel internal data such as a downloadable compressed 9GB archive file that includes most of the source code of Bing Maps, and about half of that of Bing and Cortana – overall, data on over 250 internal Microsoft projects.
If you are wondering how this was possible, Microsoft has an answer – the group compromised the account of a Microsoft employee on an Azure DevOps server to get “limited access” to the company’s systems and steal the data.
In recent times, the hacker group has broadened its reach and is no longer confined to targeting organizations solely in South America and the UK. Its “pure extortion and destruction model” does seem to be the way Lapsus$ breaches the biggest players in the game, and the results have shown it to be a highly effective strategy. The group first employs a range of techniques to compromise user identities and gain initial access to the company.
Once in, the group accesses internet-facing systems and applications such as VPNs and RDP, and then searches for additional credentials that could be used to reach corporate systems. Microsoft observes that DEV-0537 (as it has termed the Lapsus$ group) uses AD Explorer, a publicly available tool, to enumerate all users and groups in the target network to understand which accounts might have higher privileges.
The group then leverages its access to cloud assets to create new virtual machines within the target’s cloud environment and push the breach further. Once it has obtained the data, it extorts the company to prevent public release, or simply releases the data anyway. Lapsus$ also posted screenshots on Telegram showing internal projects, including Bing and Cortana source code and WebXT compliance engineering projects, though these were later deleted.
Microsoft assured that no customer code or data had been compromised in the latest breach, and that its cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.
“Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” the company said.