Site icon IT World Canada

Microsoft admits Lapsus$ hacked an employee’s account; provides analysis of group’s tactics

security and privacy issues

Shutterstock.com

Microsoft has acknowledged the Lapsus$ extortion gang compromised a single employee account and had “limited access” to its systems, saying the gang’s boast it had stolen company source code allowed it to interrupt the attack “in mid-operation.”

The statement issued Tuesday by the company’s security teams also says “no customer code or data was involved in the observed activities.”

However, Lapsus$ never claimed that customer code was stolen. According to the Bleeping Computer news site, the gang posted a screen shots of what appears to be Microsoft’s Azure DevOps account. When it began leaking 37 GB of data, the gang said it contained most of the source code for Microsoft’s Bing search engine and some of the code for Bing Maps and Cortana.

In its Tuesday statement and detailed analysis of the gang’s tactics, Microsoft didn’t say anything about copied data. What it did say is that the company does not rely on the secrecy of code as a security measure, and viewing source code does not lead to elevation of risk.

“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

Microsoft said it was tracking Lapsus$ — or, what it calls DEV-0537 — before the  gang announced its attack this week. “Over time, we have improved our ability to track this actor and helped customers minimize the impact of active intrusions and in some cases worked with impacted organizations to stop attacks prior to data theft or destructive actions,” it said.

Lapsus$ has gained notoriety for claiming attacks on graphics card maker Nvidia, Samsung and online games developer Ubisoft.

Its early attacks targeted cryptocurrency accounts, said Microsoft, before moving on to telecommunication, higher education, and government organizations in South America. “Based on observed activity, this group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support companies to leverage their access from one organization to access the partner or supplier organizations. They have also been observed targeting government entities, manufacturing, higher education, energy, retailers, and healthcare.”

Lapsus$ tactics

The gang uses a number of tactics for initial compromise, says the report, including

If an organization uses multifactor authentication as an extra step to protect logins, the gang has been seen using several tactics to get around it:

Once inside Lapsus$ will leverage access to a victim organization’s cloud assets to create new virtual machines which they use to spread deeper into the IT network.

If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), the gang creates global admin accounts in the organization’s cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts. That way the gang has sole control of the cloud resources, effectively locking the organization out of all access. After data exfiltration, it often deletes the target’s systems and resources either on premises or in the cloud.

With its access, Lapsus$ has been seen joining the organization’s crisis communication calls and internal discussion boards (such as Slack, Teams, conference calls and others) to understand the incident response workflow and their corresponding response. This gives the gang insight into the victim’s state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands. In some cases, Microsoft adds, the gang has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made before it publicly leaked the data it collected.

In some cases, a gang member even called the organization’s help desk and attempted to convince the support personnel to reset a privileged account’s credentials, says the report. “The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure. Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity.

“Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges,” said the report.

Still, MFA “is one of the primary lines of defense” against Lapsus$’s current tactics, Microsoft says. “While this group attempts to identify gaps in MFA, it remains a critical pillar in identity security for employees, vendors, and other personnel alike.”

Proper implementation of MFA is vital. Microsoft says IT leaders shouldn’t

Exit mobile version