Microsoft admits to being hacked by hacker group LAPSUS$

by do son · March 23, 2022

Yesterday, the South American hacker group LAPSUS$ announced that it had penetrated Microsoft’s internal development environment and stole the source code of some product lines. The affected product lines are mainly Microsoft Bing Search, Bing Maps, and Microsoft Cortana. The decompressed data package size is 13GB but the potential value is not high.

At that time, security researchers speculated that Microsoft had discovered the attack and protected it, otherwise hackers should continue to lurk and steal data. Microsoft’s latest security blog post confirms this, saying the company had detected related threats before the hackers released the data.

The latest investigation report is jointly released by the Microsoft Threat Intelligence Center (MSTIC), Detection and Response Team (DART), and Microsoft 365 Defender Threat Intelligence Team. Microsoft has dubbed the hacking group DEV-0537, and the hacking group is for pure extortion and sabotage, not a preference for deploying crypto-ransomware.

DEV-0537 publicly posted on social media that they wanted to buy the internal accounts of large enterprises, and they were willing to provide compensation for these accounts. Researchers explain:

In some cases, DEV-0537 first targeted and compromised an individual’s personal or private (non-work-related) accounts giving them access to then look for additional credentials that could be used to gain access to corporate systems. Given that employees typically use these personal accounts or numbers as their second-factor authentication or password recovery, the group would often use this access to reset passwords and complete account recovery actions.

If the target’s internal network is successfully compromised, DEV-0537 will also search for unpatched software vulnerabilities on internal servers, thereby escalating their privileges.

The Microsoft security team also admitted at the end of the blog post that the company was indeed hacked by this hacker group, and the leaked data did not contain customer code and data. Microsoft said it had detected the threat before the hacking group released the data, and an investigation found accounts had been compromised and had been granted limited access. Microsoft said the company does not rely on securing source code to ensure security, so these source code and data leaks will not have any impact on Microsoft.

Microsoft makes the following recommendations for businesses:

DEV-0537 leverages legitimate credentials to perform malicious actions against customers. Since these credentials are legitimate, some activity performed might seem consistent with standard user behavior. Use the following recommendations to improve your cloud security posture:

Review your Conditional Access user and session risk configurations:

Block or force password reset for high/medium user risk for all users

Block high sign-in risk logins for all users

Block medium sign-in risk logins for privileged users

Require MFA for medium sign-in risk logins for all other users

Alerts should be configured to prompt a review on high-risk modification of tenant configuration, including but not limited to:

Modification of Azure AD roles and privileged users associated with those roles

Creation or modification of Exchange Online transport rules

Modification of tenant-wide security configurations

Review risk detections in Azure AD Identity Protection

Risk detections highlight risky users and risky sign-ins

Administrators can review and confirm individual sign-ins listed here as compromised or safe

More information is available here on how to Investigate risk Azure AD Identity Protection

Microsoft admits to being hacked by hacker group LAPSUS$

Search

Brilliantly

Content & Links