Microsoft confirms it was hacked as Lapsus$ leaks 37GB of source code

Microsoft headquarters

Microsoft has confirmed reports that it was hacked by the Lapsus$ extortion group, also known as DEV-0537. While admitting that the hackers managed to steal source code, the company is simultaneously trying to downplay the incident.

Lapsus$ shared a 37GB archive online containing partial source code for Cortana and Bing, but Microsoft insists that no customer data was compromised. The company says that “our investigation has found a single account had been compromised, granting limited access.”

See also:

Microsoft has been tracking the activities of the group — known to have targeted other big names including Okta, Ubisoft and Samsung — for some time now. It notes that “DEV-0537 has dedicated infrastructure they operate in known virtual private server (VPS) providers and leverage NordVPN for its egress points. DEV-0537 is aware of detections such as impossible travel and thus picked VPN egress points that were geographically like their targets”.

In a post with input from the Microsoft Threat Intelligence Center (MSTIC), the Detection and Response Team (DART) and the Microsoft 365 Defender Threat Intelligence Team, the company says:

This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.

Although Microsoft may insist that the “viewing [of] source code does not lead to elevation of risk”, the fact that such as high-profile company has fallen victim to an attack is extremely concerning. The need for vigilance is something that security firms are only too aware off, and Keith Neilson of CloudSphere warns:

While ransomware investigations remain ongoing, with extortion groups targeting high-profile organizations like Microsoft and Okta, businesses are right to remain on high alert. Malicious actors like Lapsus$ are finding unique ways to avoid deploying true ransomware by instead infiltrating systems, stealing data and in turn, leveraging that data to blackmail their victims. Given this attack tactic, businesses across all industries should prioritize managing access control through cyber asset management. When companies leverage a cyber asset management strategy, they not only gain comprehensive visibility of all cyber assets in the attack surface, but also have the ability to establish and enforce security guardrails to detect potential risks in real-time.

Microsoft offers up a number of its own recommendations:

Do:

Require Multifactor Authenticator for all users coming from all locations including perceived trusted environments, and all internet-facing infrastructure–even those coming from on-premises systems.Leverage more secure implementations such as FIDO Tokens, or the Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.Use Azure AD Password Protection to ensure that users aren’t using easily-guessed passwords. Our blog about password spray attacks outlines additional recommendations.Leverage passwordless authentication methods such as Windows Hello for Business, Microsoft Authenticator, or FIDO tokens to reduce risks and user experience issues associated with passwords.

Do NOT:

Use weak MFA factors such as text messages (susceptible to SIM swapping), simple voice approvals, simple push (instead, use number matching), or secondary email addresses.Include location-based exclusions. MFA exclusions allow an actor with only one factor for a set of identities to bypass the MFA requirements if they can fully compromise a single identity.Allow credential or MFA factor sharing between users.

Require healthy and trusted endpoints

Require trusted, compliant, and healthy devices for access to resources to prevent data theft.Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.

You can read through the full blog post here.

Author: Martha Meyer