Microsoft confirms that LAPSUS$ accessed one of its accounts and downplays source code theft

Microsoft has confirmed the theft of source code for some of its services, which the group of cybercriminals calling itself LAPSUS$ claimed a few days ago and shared through Telegram after compromising one of the company's accounts.

Last Sunday, LAPSUS$ published a screenshot through this messaging application in which it claimed to have accessed Microsoft's repositories by hacking into an Azure DevOps server, a set of tools intended for developers.

The group then claimed to have stolen 90 percent of the data from Bing Maps and 45 percent of the data belonging to Microsoft's search engine, Bing, and its assistant, Cortana.

This leak came after the same group claimed responsibility for the theft of several signing certificates from Nvidia and of internal Samsung information.

In recent days, Microsoft has observed activity that has been attributed to the LAPSUS$ group, which the company tracks as DEV-0537, and which is known to use “a model of extortion and destruction without deploying ransomware payloads,” it said in a statement.

After investigating the attack, Microsoft has reported that "no client code or data was involved in the activities observed" that it attributes to DEV-0537.

It has determined that only one of its accounts was compromised and that its security teams were able to contain the attack before the cybercriminals could expand their activity.

It has also downplayed the theft of source code. "Microsoft does not rely on code secrecy as a security measure, and viewing source code does not lead to increased risk," the company said in the statement.

In addition, it has clarified that its security team was already investigating the compromised account, based on threat intelligence, when LAPSUS$ publicly revealed the intrusion via Telegram.


Microsoft has also described the group's trajectory: it began by attacking organizations in the United Kingdom and South America and later expanded, and the company has listed some of its "global targets".

These targets “include organizations in the government, technology, telecommunications, media, retail, and healthcare sectors.”

It has also noted that DEV-0537 has targeted individual user accounts at cryptocurrency exchanges and has described some of the methods the group uses to compromise these accounts.

These include telephone-based social engineering, SIM swapping to facilitate account takeover, access to personal email accounts, and paying employees, suppliers or business partners of target organizations for credentials and multi-factor authentication (MFA) approval.

For its part, the Microsoft Threat Intelligence Center (MSTIC) has determined that DEV-0537's goal is to gain access to data via stolen credentials and that it is an "actor motivated by theft and destruction."

Likewise, it has indicated that although the group's tactics, techniques and procedures (TTPs) are "constantly changing and evolving", it has detected a series of patterns in its behavior for compromising user identities and gaining initial access to the organizations it targets.

Among these methods are deploying the Redline password stealer, buying credentials and session tokens on criminal forums, paying employees of target organizations for their credentials and MFA approval, and searching public code repositories for exposed passwords.
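The last item on that list is one defenders can act on directly: scan your own repositories for hard-coded credentials before they reach a public tree. The scanner below is an added example, not Microsoft's code or tooling; the credential patterns are illustrative assumptions (the AWS key id is the documented AWS example value), and the sample files are constructed.

```python
"""Scan source files for hard-coded credentials before they are pushed.
Added example, not Microsoft's code; the patterns and the sample files
below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Patterns for common credential shapes. These formats are illustrative
# assumptions, not an exhaustive or vendor-verified list.
SECRET_PATTERNS = {
    "password_assignment": re.compile(
        r"""(?i)(password|passwd|pwd)\s*[:=]\s*['"]([^'"]{6,})['"]"""),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[a-z0-9\-_.~+/]{20,}=*"),
    "generic_api_key": re.compile(
        r"""(?i)(api[_-]?key|secret[_-]?key|access[_-]?token)\s*[:=]\s*['"]([A-Za-z0-9\-_]{16,})['"]"""),
}

# Values that look like secrets but are obviously placeholders; skipping them
# keeps the scanner from drowning real findings in noise.
PLACEHOLDER_RE = re.compile(
    r"(?i)^(changeme|example|placeholder|xxx+|<[^>]+>|\$\{[^}]+\})$")


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, pattern_name) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # For key=value patterns the captured value is the last group;
            # for bare-token patterns the whole match is the value.
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if PLACEHOLDER_RE.match(value.strip()):
                continue
            findings.append((path, lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan an in-memory mapping of path -> contents (stands in for a git tree)."""
    results = []
    for path, text in sorted(files.items()):
        results.extend(scan_text(path, text))
    return results


# Constructed sample files: every value here is fake.
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'Summer2022!'\n"        # hard-coded literal: should be flagged
        "API_KEY = os.environ['API_KEY']\n"     # read from the environment: no literal, no match
    ),
    "deploy/creds.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"   # AWS documentation example id: flagged
        "PASSWORD=\"changeme\"\n"                    # placeholder: skipped
    ),
    "docs/README.md": "Run the service with `Authorization: Bearer <token>`\n",
}

if __name__ == "__main__":
    for path, lineno, name in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible {name}")
```

Wired into a pre-commit hook or a CI job, the same function runs over the staged diff; the placeholder filter is deliberately narrow so that a real secret with a slightly unusual shape is still reported.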

Once it has stolen these credentials, DEV-0537 accesses Internet-facing systems and applications, typically a virtual private network (VPN), virtual desktop infrastructure (VDI) such as Citrix, or identity providers (including Azure Active Directory and Okta).

For organizations that use MFA, DEV-0537 has relied on two techniques to bypass it: replaying session tokens and using stolen passwords.

With a stolen password, the group triggers repeated MFA push notifications so that the legitimate user of the compromised account, unaware that the authentication system is being abused, eventually approves one of the requests.
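The pattern just described leaves a visible trace in sign-in logs: a burst of MFA prompts for one user, most of them denied or unanswered, ending in an approval. The detector below is an added example and not Microsoft's detection logic; the log line format, the ten-minute window and the five-prompt threshold are assumptions, and the log lines are constructed.

```python
"""Flag MFA push fatigue: many MFA prompts for one user in a short window,
with a burst of denials or timeouts followed by an approval as the
high-severity case. Added example; the log format and thresholds are
assumptions, not Microsoft's schema, and the sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class MfaEvent(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    result: str  # "approved", "denied" or "timeout"


def parse_log(lines: List[str]) -> List[MfaEvent]:
    """Parse '<iso-timestamp> user=<u> ip=<ip> mfa=<result>' lines (assumed format)."""
    events = []
    for line in lines:
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        kv = dict(p.split("=", 1) for p in parts[1:])
        events.append(MfaEvent(ts, kv["user"], kv["ip"], kv["mfa"]))
    return sorted(events, key=lambda e: e.ts)


def detect_mfa_fatigue(events: List[MfaEvent],
                       window: timedelta = timedelta(minutes=10),
                       threshold: int = 5) -> Dict[str, str]:
    """Return {user: reason} for users with >= threshold prompts in any window.

    A burst that ends with an approval is reported as high severity because it
    means the user may just have let the attacker in."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts: Dict[str, str] = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the burst fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < threshold:
                continue
            unanswered = sum(1 for b in burst if b.result != "approved")
            if burst[-1].result == "approved" and unanswered >= threshold - 1:
                alerts[user] = "high: approval after %d unanswered prompts" % unanswered
                break
            alerts.setdefault(user, "medium: %d prompts in %s" % (len(burst), window))
    return alerts


def analyze(lines: List[str]) -> Dict[str, str]:
    """Parse raw log lines and run the detector over them."""
    return detect_mfa_fatigue(parse_log(lines))


# Constructed sample log: alice is being prompted repeatedly at 2 a.m. and
# finally approves; bob's two approvals hours apart are normal activity.
SAMPLE_LOG = [
    "2022-03-20T02:00:05 user=alice ip=203.0.113.7 mfa=denied",
    "2022-03-20T02:00:40 user=alice ip=203.0.113.7 mfa=timeout",
    "2022-03-20T02:01:15 user=alice ip=203.0.113.7 mfa=denied",
    "2022-03-20T02:02:00 user=alice ip=203.0.113.7 mfa=timeout",
    "2022-03-20T02:02:50 user=alice ip=203.0.113.7 mfa=timeout",
    "2022-03-20T02:03:30 user=alice ip=203.0.113.7 mfa=approved",
    "2022-03-20T09:12:00 user=bob ip=198.51.100.4 mfa=approved",
    "2022-03-20T13:40:00 user=bob ip=198.51.100.4 mfa=approved",
]

if __name__ == "__main__":
    for user, reason in analyze(SAMPLE_LOG).items():
        print(f"{user}: {reason}")
```

A high-severity hit is a reason to revoke the user's sessions and reset the credential, since the approval most likely came after the password was already stolen. The detection complements, rather than replaces, controls such as number matching in the authenticator app and rate-limiting of push prompts.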

In some cases, LAPSUS$ has accessed victims’ personal accounts and prompted them to enter additional credentials that could be used to access corporate systems or their professional accounts.

Since employees generally use these personal accounts as a second authentication factor or for password recovery, the attackers have used this access to reset passwords and complete account recovery with new credentials of their own.

Another common method is bribing employees, suppliers or business partners of an organization who, for a fee, hand over their credentials and approve the MFA prompt.

The group has also asked these insiders to download and install remote access software such as AnyDesk on their computers, giving the attackers control of the system.

In another of the observed attacks, Microsoft has highlighted that the DEV-0537 actors carried out a SIM swap to take over a user's phone number before logging into the user's corporate network.

This method lets the actors handle the phone-based authentication requests they need to gain access to an organization. Once they had obtained standard user credentials or access, the attackers were able to reach the organizations' VPNs.

To evade security controls, in some cases DEV-0537 joined a system under its control to the targeted organization's Azure Active Directory (Azure AD), Microsoft's cloud-based identity and access management service.
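An attacker-joined device shows up in the tenant's audit trail as a device registration from an address the user has never signed in from, followed almost immediately by sign-ins from that new device. The correlation below is an added example, not Microsoft's audit-log schema or query language; the event fields, the 24-hour grace period and the records themselves are constructed assumptions.

```python
"""Correlate device registrations with later sign-ins: a device registered
from an address the user has never used, then used to sign in within a day,
is worth an analyst's attention. Added example; the event schema and the
records below are constructed, not Microsoft's audit-log format."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed events (deliberately not in time order; the detector sorts them).
EVENTS: List[Dict[str, str]] = [
    {"ts": "2022-03-01T08:00:00", "type": "signin", "user": "carol",
     "ip": "198.51.100.20", "device": "LAPTOP-C1"},
    {"ts": "2022-03-10T09:15:00", "type": "signin", "user": "carol",
     "ip": "198.51.100.20", "device": "LAPTOP-C1"},
    {"ts": "2022-03-19T23:40:00", "type": "device_registered", "user": "carol",
     "ip": "203.0.113.50", "device": "DESKTOP-X9"},
    {"ts": "2022-03-19T23:52:00", "type": "signin", "user": "carol",
     "ip": "203.0.113.50", "device": "DESKTOP-X9"},
    {"ts": "2022-03-20T00:05:00", "type": "signin", "user": "carol",
     "ip": "203.0.113.50", "device": "DESKTOP-X9"},
    # dave registers a second laptop from the office address he always uses.
    {"ts": "2022-03-01T09:00:00", "type": "signin", "user": "dave",
     "ip": "198.51.100.31", "device": "LAPTOP-D1"},
    {"ts": "2022-03-15T10:00:00", "type": "device_registered", "user": "dave",
     "ip": "198.51.100.31", "device": "LAPTOP-D2"},
    {"ts": "2022-03-15T10:30:00", "type": "signin", "user": "dave",
     "ip": "198.51.100.31", "device": "LAPTOP-D2"},
]


def find_suspicious_device_joins(events: List[Dict[str, str]],
                                 grace: timedelta = timedelta(hours=24)
                                 ) -> List[Tuple[str, str, str]]:
    """Return (user, device, first_signin_ts) for sign-ins within `grace` of a
    device registration that came from an address new to that user."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    known_ips = defaultdict(set)   # user -> addresses seen in earlier sign-ins
    fresh = {}                     # device -> (registered_at, from_new_ip)
    alerted = set()
    alerts = []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "device_registered":
            from_new_ip = e["ip"] not in known_ips[e["user"]]
            fresh[e["device"]] = (ts, from_new_ip)
        elif e["type"] == "signin":
            reg = fresh.get(e["device"])
            if (reg and reg[1] and ts - reg[0] <= grace
                    and e["device"] not in alerted):
                alerts.append((e["user"], e["device"], e["ts"]))
                alerted.add(e["device"])
            # Only sign-ins build the user's address history; a registration
            # from an unknown address must not launder itself into "known".
            known_ips[e["user"]].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for user, device, ts in find_suspicious_device_joins(EVENTS):
        print(f"{user}: new device {device} first used at {ts}, "
              f"registered from an address never seen for this user")
```

The same rule is a natural candidate for a conditional-access policy in the other direction: requiring a compliant or hybrid-joined device, rather than merely a registered one, denies a freshly joined attacker machine the access this correlation would otherwise only detect after the fact.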

Finally, Microsoft has highlighted that its investigations show LAPSUS$ using AD Explorer, a freely available tool, in most of its attacks.

It is a viewer and editor for Active Directory databases, which the cybercriminals are believed to have used to enumerate and reconnoiter every user in the attacked networks.

This lets them identify which accounts hold the greatest privileges, such as those of the directors or administrators of these companies.

In addition, they searched collaboration platforms such as SharePoint or Confluence, issue-tracking solutions such as JIRA, code repositories such as GitLab and GitHub, and collaboration channels such as Teams or Slack to discover more credentials and data that would give them access to sensitive information.

By Editor
