On Wednesday, Microsoft published a long cybersecurity blog revealing that its systems had been hacked by the hacker group Lapsus$. According to the paper, Microsoft uncovered a common thread of tactics used to get into computer systems and networks of multiple organizations.

Other major corporations, like Nvidia, Samsung, Ubisoft, Okta, and others, have been suspected of being targeted by the same group. Okta first disputed the breach but later acknowledged that 366 of its clients were likely compromised in a statement.

Headquartered in South America, Lapsus$ is known for openly exposing details about their assaults and publishing screenshots of stolen data on social media platforms like Telegram and Twitter. Here’s a quick rundown of the current cybersecurity crisis.

How was Microsoft hacked?

This week, the Lapsus$ organization claimed to have stolen data from Microsoft and gained access to source code for essential Microsoft products, including Bing, Cortana, and Bing Maps. On the other hand, Microsoft indicated that while no customer code or data was compromised, their investigation revealed that a single account had been compromised, giving the hackers limited access.

The statement said, “Our cybersecurity response teams swiftly engaged to rectify the compromised account and prevent further behavior.” The company claims that source code confidentiality is not a security issue and that investigating it does not indicate a greater danger to goods.

“Our team was already reviewing the hacked account based on threat information when the culprit publicly announced their infiltration.” According to the statement, “this public exposure heightened our reaction, allowing our team to engage and interrupt the actor mid-operation, minimizing the larger harm.”

All about the hack

On Wednesday, Microsoft confirmed that the Lapsus$ hacker group, which had previously claimed to have stolen 37 GB of Microsoft source code, had infiltrated and taken data from the company’s security system. 

“We’ve tracked the behavior we’ve seen to a threat organization known as DEV-0537, also known as LAPSUS$,” Microsoft added. “Initially, DEV-0537 targeted businesses in the United Kingdom and South America, but it swiftly expanded to cover government, technology, telecom, media, retail, and healthcare organizations.”

According to Microsoft, the Lapsus$ hackers were only able to acquire “limited access” to the company’s data by hacking into a single account. The Redmond behemoth says it acted to stop the assault as soon as it was made aware. As per Microsof, the hackers did not get access to client code or data, but the company recommends its users take basic security steps.

Even though the Lapsus$ hackers claimed to have stolen code from Cortana and Bing, Microsoft did not specify what the hackers had access to. The following is Microsoft’s full explanation of what happened:

“This week, the actor made public claims that they had gained access to Microsoft and had exfiltrated source code. There was no custom code or data in the actions that were seen. We determined that just one account had been hijacked during our investigation, giving it restricted access. Our cybersecurity response teams moved quickly to restore the account and prevent further activity.”

Microsoft’s security policy does not rely on code secrecy, and studying source code does not raise the risk. The methods and techniques used by DEV-0537 in this invasion are similar to those described in this blog. Our team already analyzed the hacked account based on threat information when the attacker publicly announced their intrusion. Our team intervened and halted the actor in the middle of his operation due to the public outcry, minimizing the more significant damage.

Microsoft recommends its users securely utilize Multi Factor authentication, including not using weak MFA factors like text messages or additional email addresses. The company continues to examine the most recent attacks by this hacker group. The organization also recommends that employees be educated on help desk verification procedures and become more aware of social engineering attacks.

Who else has been targeted by Lapsus$? Why is the attack on Okta in focus?

According to Microsoft, Lapsus$ has targeted several organizations. On their official Telegram channel and other social media sites, Lapsus$ has also been discussing these hacks. Unlike other groups who prefer to operate under the surface, the gang is not afraid to take responsibility for their actions.

According to reports, NVIDIA, Samsung, Ubisoft, and Okta are among the firms targeted by hackers. The Okta assault is especially troubling because the San Francisco-based company provides online authentication services to several well-known organizations, including FedEx, T-Mobile, Moody’s, Coinbase Global, and cloud services provider Cloudflare.

According to the company, around 366 of Okta’s clients are compromised, although the attackers never had direct access to their whole system. According to Okta, hackers obtained access to Okta via “a workstation that was logged into Okta,” according to Okta. The attack was identified as part of an unsuccessful attempt to hack into a customer support engineer’s account in January 2022. Okta had issued a warning to those in danger at the time.

According to the statement, the situation is like “walking away from your computer at a coffee shop, where a stranger has (virtually in this case) sat down and is using the mouse and keyboard”, according to the statement.

“If true, the Okta breach might explain how Lapsus$ has achieved its recent streak of successes,” explains Lotem Finkelstein, Check Point Software’s Head of Threat Intelligence and Research. Thousands of organizations use Okta to secure and manage their identities. The cyber gang could access company networks and apps using private keys obtained through Okta. As a result, a breach at Okta might have catastrophic consequences.”

Okta’s services for Single Sign-On and Multi-factor Authentication are used by other parties to allow other users to log in to online apps and websites.

Meanwhile, Nvidia says it’s “currently assessing the nature and scope of the event.” It was decided that the incident was a ransomware assault.

In the case of Samsung, the company revealed that it had access to over 200GB of data, including source code for encryption and biometric unlocking systems for Galaxy handsets.

According to Samsung, no personal data belonging to employees or customers was stolen, but a security breach affected “internal company data.” According to the statement, the attack affected source code tied to Galaxy devices.

How exactly has Lapsus$ managed to carry out these attacks?

According to Microsoft’s blog post, the attacks were carried out in several ways, but the organization appears to have employed a range of methods. In the blog post, Lapsus$ is referred to as DEV-0537, and hackers rely on “large-scale social engineering and extortion activities against multiple organizations…”, according to Microsoft.

In social engineering attacks, cybercriminals employ phishing attempts to deceive people into providing sensitive personal information. This data can then be used to gain access to other accounts. They may, for example, invite you to fill out a survey in which you provide personal information such as your mother’s maiden name, favorite dish, birth date, and so on. This information might be used to guess account passwords or security questions.

According to Microsoft, the group employs a “pure extortion and destruction tactic without distributing ransomware payloads.” It began by focusing on organizations in the United Kingdom and South America but has expanded to include organizations worldwide. Government, technology, telecommunications, media, retail, and healthcare are their target industries. It also aims to steal cryptocurrency assets from bitcoin exchanges.

According to Microsoft, the gang also uses techniques that other threat actors less typically use. “SIM-swapping to take over accounts and to access personal email accounts of individuals at target organizations” are only a few examples.

In other cases, it has even paid employees or suppliers at a company to get access to protected networks and systems. Another example includes the gang phoning a company’s help desk to have a target’s credentials reset. The team used extra information on the target to trick the helpdesk into providing access.

For the time being, Microsoft urges businesses to defend themselves against such attacks by implementing Multi-Factor Authentication (MFA). It also warns against using SMS messages as a weak MFA element since they are prone to SIM swapping. It also cautioned against relying on simple voice approvals, push notifications, or “secondary email”-based MFA.

It also proposes that employees and IT support desks improve their understanding of social engineering attacks.

Who is behind LAPSUS$?

The most challenging part of analyzing LAPSUS$ is figuring out who is behind the cybercriminal group. According to security expert Marcus Hutchins, onlookers have been perplexed by the group, which appears to be “talented and inept at the same time,” according to security expert Marcus Hutchins.

On the one hand, the group boasts a long list of high-profile victims that even the most seasoned hackers would be proud to have on their mantle. The organization, on the other hand, is devoted to operational security. Rather than staying anonymous, it makes its acts known on a public Telegram channel, where people can even vote on which company’s data should be disclosed next.

“They appear to be young yet are claiming credit for hacking top-tier corporations,” Hutchins added, echoing independent security researcher Bill Demirkapi’s assessment that the gang “appear to be completely unskilled with OPSEC,” boasting about having access to Microsoft’s internal DevOps infrastructure while still exfiltrating source code in their communication.”

According to CHECKPOINT ANALYSTS, the LAPSUS$ hackers are Portuguese and from Brazil. Their first significant breach happened in December 2021, when the operation began and targeted Brazil’s Ministry of Health and other government agencies.

According to a second breaking story from Bloomberg, the entire organization is run by a 16-year-old Oxfordshire resident, with more members in the UK and Brazil.

On March 24, seven people were arrested in connection with the LAPSUS gang in the United Kingdom, but the City of London Police would not disclose if the 16-year-old was one of them. The seven people arrested varied from 16 to 21 years old; they were all released, but the case is still being investigated.

How does LAPSUS$ operate?

In March 2022, Microsoft released a landmark report detailing the company’s research into the organization, showing the group’s inner workings and how it was able to hack some of the world’s top corporations.

Microsoft did not say who was behind the organization or where it was based, just that LAPSUS$ was a large-scale social engineering and extortion operation based on extortion and destruction.

The group’s infantile perspective stands in stark contrast to its undoubted ability and complexity in carrying out strikes. According to Microsoft, LAPSUS$ used a variety of attack strategies, and some were used less frequently than other, more experienced threat actors.

So, this was all about how the source code of Microsoft got hacked by Lapsus$. As a bonus I will leave you with some cyber-security tips of good practices if you want to save yourself from such attacks: 

  • Get your themes from reputable websites, such as your CMS’s official or well-known commercial sites.
  • Stick to popular plugins and limit the number of plugins you utilize. This reduces how an attacker may obtain access to your site while simultaneously increasing its performance.
  • Regularly check for updates and apply them as soon as they become available.
  • Use a strong password for your administrative and FTP accounts.
  • Sign up for Google Webmaster Tools and scan your website for faults.

There you go! We would love to hear your thoughts on the Lapsus$ attack down below. 

Also Read: Technical Debt And How Can Microsoft Azure DevOps Help?