Microsoft confirms they were hacked by the extortion group Lapsus$

Microsoft Security

Microsoft has confirmed that one of their employees has been compromised by the Lapsus$ hacking group, allowing the threat actors to access and steal parts of their source code.

Last night, the Lapsus$ gang released 37GB of source code stolen from Microsoft’s Azure DevOps server. The source code is for several internal Microsoft projects, including for Bing, Cortana, and Bing Maps.

Leaked source code projectsLeaked source code projects

In a new blog post published tonight, Microsoft has confirmed that one of their employees’ accounts has been hacked by Lapsus$, providing limited access to source code repositories.

“There were no customer codes or data involved in the observed activity. Our investigation revealed that a single account had been compromised, allowing restricted access. Our cybersecurity response teams took swift action to recover the compromised account and prevent further activity.” , Microsoft explains in an advisory on the Lapsus$ threat actors.

“Microsoft does not rely on code secrecy as a security measure, and viewing source code does not increase the risk. The tactics DEV-0537 uses in this breach mirror the tactics and techniques discussed in this blog.”

“Our team was already investigating the compromised account based on threat intelligence when the actor made his intrusion public. This disclosure escalated our action allowing our team to intervene and suspend the actor mid-operation, limiting the broader impact .”

While Microsoft didn’t share how the account was hacked, they did provide a general overview of the Lapsus gang’s tactics, techniques, and procedures (TTPs) seen in multiple attacks.

Focus on compromised credentials

Microsoft tracks the Lapsus$ data extortion group as “DEV-0537” and says they mainly focus on getting compromised credentials for first-time access to corporate networks.

These credentials are obtained using the following methods:

Using the malicious Redline password stealer to obtain passwords and session tokens Buy credentials and session tokens on criminal underground forums Employees pay to targeted organizations (or vendors/business partners) for credentials access and multi-factor authentication (MFA) approval Search public code repositories for exposed credentials

Redline password stealer has become the malware of choice for stealing credentials and is often spread through phishing emails, pubs, warez sites and YouTube videos.

Once Laspsus$ gains access to compromised credentials, they use it to log into a company’s public devices and systems, including VPNs, virtual desktop infrastructure, or identity management services, like Okta, which they breached in January.

Microsoft says they use session replay attacks on accounts that use MFA, or continuously trigger MFA notifications until the user gets tired of them and confirms that the user should be able to login.

Microsoft says that in at least one attack, Lapsus$ carried out a SIM swap attack to take control of the user’s phone numbers and text messages to access MFA codes needed to log into an account.

Once they access a network, the threat actors use AD Explorer to find accounts with higher privileges and then target development and collaboration platforms, such as SharePoint, Confluence, JIRA, Slack, and Microsoft Teams, where other credentials are stolen.

The hacking group also uses these credentials to access source code repositories on GitLab, GitHub, and Azure DevOps, as we saw in the attack on Microsoft.

“DEV-0537 is also known to exploit vulnerabilities in Confluence, JIRA, and GitLab for privilege escalation,” Microsoft explains in their report.

“The group has compromised the servers these applications run on in order to get the credentials of a privileged account or run in the context of said account and dump the credentials from there.”

The threat actors will then collect valuable data and exfiltrate it over NordVPN connections to hide their locations, while launching devastating attacks on victims’ infrastructure to activate incident response procedures.

The threat actors then follow these procedures through the victim’s Slack or Microsoft Teams channels.

Protection against Lapsus$

Microsoft recommends that business entities take the following steps to protect against threat actors such as Lapsus$:

Strengthen MFA deployment Require healthy and trusted endpoints Leverage modern VPN authentication options Strengthen and monitor your cloud security posture Improve awareness of social engineering attacks Establish operational security processes in response to DEV-0537 intrusions

Lapsus$ has recently launched numerous attacks against the company, including those against NVIDIA, Samsung, Vodafone, Ubisoft, Mercado Libre and now Microsoft.

It is therefore strongly recommended that security and network administrators become familiar with the tactics used by this group by reading the report from Microsoft.

This post Microsoft confirms they were hacked by the extortion group Lapsus$

was original published at “”