Microsoft Confirms Lapsus$ Hackers Stole Source Code

Microsoft confirms Lapsus$ compromised "a single account" with "limited access" and exfiltrated portions of source code for some of its products.


25th March Update: Microsoft shares new detection, hunting, and mitigation information.

The Lapsus$ hacker group claimed to have hacked Microsoft and leaked source code for Microsoft Bing, Bing Maps, and Cortana. The group posted an archive holding nearly 37GB of data that it claimed contains partial source code for Bing and Cortana.

On Tuesday evening, after investigating, Microsoft confirmed that the group it calls DEV-0537 compromised “a single account” and stole parts of the source code for some of its products. A blog post on its security site says Microsoft investigators have been tracking the Lapsus$ group for weeks, and details some of the methods the group has used to compromise victims’ systems.

According to the Microsoft Threat Intelligence Center (MSTIC), “the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”


Microsoft also noted that its investigation found that a single account had been compromised, granting limited access. "No customer code or data was involved in the observed activities," the company added.

Microsoft adds that it does not rely on the secrecy of code as a security measure, so viewing source code does not lead to an elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in Microsoft's blog post.

Strengthen MFA implementation

In its blog post, Microsoft outlines a number of steps other organizations can take to improve their security, including requiring multifactor authentication, not using “weak” multifactor authentication methods like text messages or secondary email, educating team members about the potential for social engineering attacks, and creating processes for potential responses to Lapsus$ attacks.

Multifactor authentication (MFA) is one of the primary lines of defense against DEV-0537. While this group attempts to identify gaps in MFA, it remains a critical pillar in identity security for employees, vendors, and other personnel alike. See the following recommendations to implement MFA more securely:

Do's:

  • Require multifactor authentication for all users coming from all locations, including perceived trusted environments, and for all internet-facing infrastructure, even for connections coming from on-premises systems.
  • Leverage more secure implementations such as FIDO tokens or the Microsoft Authenticator with number matching. Avoid telephony-based MFA methods because of the risks associated with SIM-jacking.
  • Use Azure Active Directory Password Protection to ensure that users aren’t using easily guessed passwords. Microsoft's blog about password spray attacks outlines additional recommendations.
  • Leverage passwordless authentication methods such as Windows Hello for Business, the Microsoft Authenticator, or FIDO tokens to reduce the risks and user experience issues associated with passwords.

Don't:

  • Use weak MFA factors such as text messages (susceptible to SIM swapping), simple voice approvals, simple push (instead, use number matching), or “secondary email” based MFA methods.
  • Include location-based exclusions. MFA exclusions allow an actor with only one factor for a set of identities to bypass the MFA requirements if they can fully compromise a single identity.
  • Allow credential or MFA factor sharing between users.

Detecting, hunting, and responding to Lapsus$

The software giant says: "Microsoft continues to track DEV-0537’s activities and TTPs, we're sharing new detection, hunting, and mitigation information to give you additional insights on remaining vigilant against these attacks."

Microsoft security products now provide several detections that can help identify activity resembling DEV-0537 tactics. The company also shares Microsoft 365 Defender, Microsoft Defender for Cloud Apps, and Microsoft Sentinel hunting and detection queries on its GitHub repository.

Microsoft 365 Defender hunting queries

Microsoft Sentinel hunting queries

Microsoft Sentinel + Okta logs hunting queries

  • Admin privilege granted (Okta) – This query searches for successful grants of administrator permissions to users or groups. Adversaries often assign administrator permissions to users or groups to maintain access as well as to elevate privileges.
  • Create API Token (Okta) – This query searches for attempts to create a new API token. Okta API tokens are used to authenticate requests to Okta APIs.
  • Initiate impersonation session (Okta) – This query searches for impersonation events used in LAPSUS$ activity. User.session.impersonation events are rare and are normally triggered when an Okta Support person requests admin access for troubleshooting.
  • Rare MFA Operations (Okta) – Multi-factor authentication (MFA) helps prevent credential compromise. This query searches for rare MFA operations such as deactivating, updating, resetting, and attempting to bypass MFA.
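As an added illustration of what the four Okta hunting queries above look for (this is example code written for this article, not Microsoft's published Sentinel queries), the following Python runs one rule per query over constructed Okta System Log events and then correlates hits per actor, since one identity deactivating MFA, granting privileges and minting an API token in a short window is a much stronger signal than any single hit. The eventType strings are assumed from Okta's documented System Log event types; the log lines and account names are constructed.

```python
import json
from collections import defaultdict

# Constructed Okta System Log events (not real data), in the shape returned by
# Okta's System Log API. The eventType strings are assumed to be the ones Okta
# documents for these operations; check them against your tenant's own logs.
SAMPLE_OKTA_LOG = r"""
{"published":"2022-03-20T10:01:00Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"}}
{"published":"2022-03-20T10:05:00Z","eventType":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"}}
{"published":"2022-03-20T10:06:00Z","eventType":"user.account.privilege.grant","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"}}
{"published":"2022-03-20T10:07:00Z","eventType":"system.api_token.create","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"}}
{"published":"2022-03-20T10:08:00Z","eventType":"user.session.impersonation.initiate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support@example.com"}}
{"published":"2022-03-20T10:09:00Z","eventType":"user.account.privilege.grant","outcome":{"result":"FAILURE"},"actor":{"alternateId":"bob@example.com"}}
"""

# One rule per hunting query described above: (event types, count only successes?)
# The admin-grant query looks for *successful* grants; the others look for attempts.
RULES = {
    "Admin privilege granted": ({"user.account.privilege.grant", "group.privilege.grant"}, True),
    "Create API Token": ({"system.api_token.create"}, False),
    "Initiate impersonation session": ({"user.session.impersonation.initiate"}, False),
    "Rare MFA Operations": ({"user.mfa.factor.deactivate", "user.mfa.factor.update",
                             "user.mfa.factor.reset_all", "user.mfa.attempt_bypass"}, False),
}

def parse_events(raw):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def match_rules(events):
    """Return {rule name: [matching events]}; rules with no hits are omitted."""
    hits = defaultdict(list)
    for ev in events:
        succeeded = ev.get("outcome", {}).get("result") == "SUCCESS"
        for name, (types, success_only) in RULES.items():
            if ev.get("eventType") in types and (succeeded or not success_only):
                hits[name].append(ev)
    return dict(hits)

def actors_by_rule_count(hits, threshold=2):
    """Actors that triggered at least `threshold` distinct rules in the log."""
    per_actor = defaultdict(set)
    for name, evs in hits.items():
        for ev in evs:
            per_actor[ev["actor"]["alternateId"]].add(name)
    return {a: sorted(r) for a, r in per_actor.items() if len(r) >= threshold}

if __name__ == "__main__":
    found = match_rules(parse_events(SAMPLE_OKTA_LOG))
    for name, evs in found.items():
        print(f"{name}: {len(evs)} event(s)")
    print("actors to escalate:", actors_by_rule_count(found))
```

The failed grant by bob is dropped by the success-only rule, while alice trips three distinct rules and is the identity an analyst would escalate first.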
