Missed a session at the Data Summit? View here on demand.
The threat actor known as Lapsus$ operates on a “pure extortion and destruction model” and, unlike other hacker groups, does not appear to “cover its tracks,” according to Microsoft security researchers.
Lapsus$ claims to have hacked and leaked data on a number of major technology vendors in the past month. The group alleges in recent days that it has used its Telegram account to leak Microsoft’s source code and to post screenshots taken after violating a third-party identity and access management provider Okta.
In a blog post today, Microsoft researchers acknowledged that the threat group was given “restricted access” to its systems. An Okta chief executive also admitted today that an attacker had access to the account of a customer service representative who worked for a third-party provider for five days in January.
In recent weeks, vendors including Nvidia and Samsung Electronics had confirmed the threat actor’s data theft.
The Microsoft blog post says the researchers at the company had already tracked Lapsus$, which it refers to as DEV-0537, prior to the alleged source code leak this week.
Key points from the blog:
Lapsus$ has been responsible for a “massive social engineering and extortion campaign” in recent weeks and is engaged in a “unique blend of craft”. The group “is known for using a pure extortion and destruction model without deploying ransomware payloads.” Lapsus$ started by targeting organizations in the UK and South America (the group is believed to be operating out of South America). But it has “expanded to global targets, including organizations in the government, technology, telecom, media, retail and healthcare sectors.”
Doesn’t cover its tracks
Notably, “unlike most under-the-radar activity groups,” Lapsus$ “doesn’t seem to be covering its tracks,” the Microsoft researchers said.
“They even go so far as to announce their attacks on social media or advertise their intent to buy credentials from employees of target organizations,” the researchers said in the post.
The social engineering and “identity-focused tactics” employed by the group “require detection and response processes similar to insider risk programs,” Microsoft said in the post, “but also include short response times needed to target malicious external threats.” to grab. “
From the message:
The actors behind DEV-0537 focused their social engineering efforts on gathering knowledge about their target’s business operations. Such information includes in-depth knowledge of end users, team structures, help desks, crisis response workflows, and supply chain relationships. Examples of these social engineering tactics include spamming a target user with multi-factor authentication (MFA) prompts and calling the organization’s help desk to reset a target’s credentials.
Microsoft Threat Intelligence Center (MSTIC) assesses that the objective of: [Lapsus$] is to gain elevated access through stolen credentials that enable data theft and destructive attacks on a targeted organization, often resulting in extortion. Tactics and objectives indicate that this is a cyber criminal motivated by theft and destruction.
The group is known to use a number of different techniques for obtaining initial access, including paying employees, suppliers or business partners of target organizations for access to credentials and approval of multi-factor authentication (MFA), Microsoft researchers said.
In terms of targets, in several cases, Lapsus$ has “extorted victims to prevent the disclosure of stolen data, and in other cases, no extortion attempt has been made and DEV-0537 has publicly leaked the data they stole,” according to the Microsoft statement. researchers.
Microsoft source code
Microsoft researchers noted in the post that Lapsus$ had “made public claims that it had accessed Microsoft and exfiltrated portions of its source code.” On Telegram, Lapsus$ claimed to have posted the source code for Bing, Bing Maps and Cortana.
“No customer code or data was involved in the observed activities. Our investigation revealed that a single account was compromised, allowing restricted access,” the researchers said.
Microsoft’s cyber response teams quickly reinstated the compromised account and halted further operations, the blog said.
“Our team was already investigating the compromised account based on threat intelligence when the actor made his intrusion public,” the researchers said. “This public disclosure escalated our action allowing our team to step in and interrupt the actor midway through surgery, limiting its broader impact.”
Microsoft added that it “does not rely on code secrecy as a security measure and viewing the source code does not increase the risk.”
VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more
This post Microsoft makes findings on hacker group Lapsus$ . known
was original published at “https://venturebeat.com/2022/03/22/microsoft-discloses-its-findings-on-hacker-group-lapsus/”