The notorious hacker group Lapsus$ claimed that they were able to steal the source code of Bing, Bing Maps, and Cortana from the tech giant Microsoft. Microsoft announced that it was investigating the incident and finally confirmed the attack in a detailed blog post.
Microsoft stated that Lapsus$, tracked as DEV-0537, is using vulnerabilities in Confluence, JIRA, and GitLab to elevate privileges. Microsoft also stated that the hackers used social engineering to gather knowledge about their targets' business operations. The Microsoft Threat Intelligence Center says the group gains elevated access through stolen credentials, which enables data theft and destructive attacks.
DEV-0537 uses a variety of methods that are typically focused on compromising user identities to gain initial access to an organization including:
- Deploying the malicious Redline password stealer to obtain passwords and session tokens
- Purchasing credentials and session tokens from criminal underground forums
- Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
- Searching public code repositories for exposed credentials
« This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact. »