Microsoft's source code is stolen by the hacker group 'LAPSUS$' and 37 GB is leaked online; Microsoft also admits to the hacking damage



LAPSUS$ is a hacking group that became famous in early March 2022 for hacking NVIDIA, a major semiconductor manufacturer, and Samsung, a home appliance manufacturer, and stealing confidential information. LAPSUS$ then claimed to have hacked Microsoft as well, and following this, Microsoft announced the results of its own investigation and revealed the details of the LAPSUS$ hack.

DEV-0537 criminal actor targeting organizations for data exfiltration and destruction - Microsoft Security Blog
https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Microsoft confirms Lapsus$ hackers stole source code via 'limited' access - The Verge
https://www.theverge.com/2022/3/22/22991409/lapsus-microsoft-security-windows-source-code

On March 20, 2022 local time, LAPSUS$ posted screenshots of Microsoft's internal source code repository on Telegram, claiming to have hacked Azure DevOps servers.



On March 22, local time, Microsoft announced the details of the hack it suffered at the hands of LAPSUS$ on its security blog. According to this, Microsoft tracks LAPSUS$ as the threat actor 'DEV-0537' and has been independently observing its activity. Microsoft says DEV-0537 is known for a pure extortion and destruction model that does not deploy a ransomware payload, and that it has targeted organizations in the United Kingdom and South America. Recently it has expanded its attacks to a wide range of sectors, including government, technology, telecom, media, retail, and healthcare. LAPSUS$ is also known for hijacking user accounts at virtual currency exchanges and stealing the virtual currencies held there.

According to Microsoft, DEV-0537's attacks are more brazen than those seen before: the group publicizes its attacks on social media and openly advertises its intent to purchase credentials from employees of the organizations it targets. DEV-0537 also uses several distinctive tactics not seen from the other threat actors Microsoft closely monitors, one of which is telephone-based social engineering. Its methods are varied, and include physically stealing SIM cards to facilitate user account takeover, directly accessing the private email accounts of employees at targeted organizations, and offering monetary rewards to employees, suppliers, and business partners of the organization in exchange for credentials and multi-factor authentication approval.

Below is a screenshot of a Telegram post in which LAPSUS$ said it was 'ready to pay' corporate informants.



According to Microsoft, DEV-0537 obtains the user account information that serves as the starting point of its cyberattacks in various ways, including sending spam mail and contacting the organization's help desk to reset the credentials of a targeted user. It then gains access to the organization's systems with the stolen credentials, steals and destroys the target organization's data, and extorts the organization for a ransom. Microsoft therefore asserts that 'DEV-0537 is a cybercriminal motivated by theft and destruction of data.'

Microsoft claims that the data DEV-0537 stole from the company did not contain any customer code or data. Microsoft also states that it does not rely on the confidentiality of its code as a security measure, and that the security risk does not increase even if some source code is leaked. In response to DEV-0537's activity, access for the user account believed to be the starting point of the cyberattack was restricted, and Microsoft's cybersecurity team responded quickly to the compromised account.

LAPSUS$, on the other hand, claims to have stolen the source code of more than 250 projects, including about 45% each of the Bing and Cortana source code and about 90% of the Bing Maps source code, and about 37 GB of this source code has been published on the Internet. Although it has not been confirmed that this data is from Microsoft, a security researcher who examined the leaked files told technology media BleepingComputer that 'it looks like Microsoft's legitimate internal source code.'

The image below shows part of the data published by LAPSUS$; Microsoft product names such as 'Bing Map' and 'Cortana' can be seen in the folder names.



・Continued
A teenage suspect emerged as a central figure in the hacker group 'LAPSUS$' that hacked Microsoft and others - GIGAZINE



in Software,   Security, Posted by logu_ii