2022-03-29

Microsoft Confirms LAPSUS$ Hack & Analysis

Level: 
Strategic
  |  Source: 
Microsoft
Technology
Share:

Microsoft Confirms LAPSUS$ Hack & Analysis

Industry: Technology | Level: Strategic | Source: Microsoft

Microsoft Security teams provide analysis on Lapsus$ (tracked by Microsoft as DEV-0537) data extortion group. Microsoft also confirms their data breach from Lapsus$ compromising project source code for Bing and Cortana. Microsoft statement for the impact and cause details "no customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity." Microsoft shares details of observed tactics, techniques and procedures (TTP). Initial access was obtained fairly similar to most threat actor groups, gathering credentials from malware information-stealers such as redline, purchasing through access brokers and recruiting target company insiders (specific industries targets include those in telecommunication and technology-related.) In regard to reconnaissance and privilege escalation, the group targets vulnerabilities on internal servers and searches internal repositories for credentials and secrets. The group gathers intelligence from joining crisis calls and/or observing internal message channels to understand the organization's incident response workflow. In the final stages of the attack, the hackers often create global admin accounts on cloud tenants "If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537 creates global admin accounts in the organization’s cloud instances, sets an Office 365 tenant-level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access. After exfiltration, DEV-0537 often deletes the target’s systems and resources." The attackers utilize a VPN for data exfiltration however, are cognizant of alerts such as those involving impossible travel, and select a sensible egress location geographically based on their target.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now