Microsoft discloses its findings on hacker group Lapsus$



According to Microsoft security researchers, the threat actor known as Lapsus$ operates with a “pure extortion and destruction model” and, unlike other hacker groups, “does not cover its tracks.”

Lapsus$ claims to have breached and leaked data from a number of major tech vendors in the past month. In recent days, the group has used its Telegram account to leak what it claims is Microsoft source code and to post screenshots taken after breaching a third-party provider of identity and access management vendor Okta.

In a blog post today, Microsoft researchers acknowledged that the threat group had gained “limited access” to its systems. An Okta executive also admitted today that the attacker had access for five days in January to the account of a customer support engineer working for a third-party provider.

In recent weeks, vendors including Nvidia and Samsung Electronics have confirmed data theft by the threat actor.

The Microsoft blog post says that the company’s researchers were already tracking Lapsus$, which they call DEV-0537, before the alleged leak of the source code this week.

Blog Highlights:

  • Lapsus$ has been responsible for “large-scale social engineering and extortion campaigns” in recent weeks and employs a “unique mix of tradecraft”.
  • The group “is known to use a pure extortion and destruction model without deploying ransomware payloads.”
  • Lapsus$ started out targeting organizations in the UK and South America (the group is believed to operate out of South America), but has “expanded to global targets, including organizations in the government, technology, telecom, media, retail and healthcare sectors.”
  • Lapsus$ is “also known for taking over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.”

Does not cover its tracks

Notably, “unlike most activity groups that stay under the radar, Lapsus$ does not cover its tracks,” Microsoft researchers said.

The researchers said in the post that the group goes so far as to “announce their attacks on social media or advertise their intent to buy credentials from employees of target organizations.”

The social engineering and “identity-centric tactics” used by the group “require detection and response processes similar to insider risk programs,” Microsoft said in the post, “but also involve the shorter response timelines needed to deal with malicious external threats.”

From the post:

The actors behind DEV-0537 focused their social engineering efforts on gathering knowledge about their target’s business operations. Such information includes intimate knowledge of employees, team structures, help desks, crisis response workflows, and supply chain relationships. Examples of these social engineering tactics include spamming a target user with multifactor authentication (MFA) prompts and calling the organization’s help desk to reset a target’s credentials.

The Microsoft Threat Intelligence Center (MSTIC) assesses that the objective of [Lapsus$] is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a target organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.

According to Microsoft researchers, the group is known to use many different techniques to gain initial access, including “paying employees, suppliers or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval.”
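The MFA prompt spamming and purchased MFA approvals described above leave a signal in the identity provider’s sign-in logs: a burst of push prompts to one user, several of them denied or timed out, sometimes followed by an approval. The following detection logic is an added example, not code from Microsoft or from the article; it runs over constructed sign-in events (the users, timestamps and IP addresses are made up), and the 10-minute window and three-prompt threshold are assumed tuning values.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample MFA push events (not real logs): one record per prompt
# the identity provider sent, with how the user responded.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2022-03-22T08:01:00", "result": "approved", "ip": "203.0.113.5"},
    {"user": "bob",   "ts": "2022-03-22T22:10:05", "result": "denied",   "ip": "198.51.100.7"},
    {"user": "bob",   "ts": "2022-03-22T22:10:40", "result": "timeout",  "ip": "198.51.100.7"},
    {"user": "bob",   "ts": "2022-03-22T22:11:15", "result": "denied",   "ip": "198.51.100.7"},
    {"user": "bob",   "ts": "2022-03-22T22:12:02", "result": "denied",   "ip": "198.51.100.7"},
    {"user": "bob",   "ts": "2022-03-22T22:12:50", "result": "approved", "ip": "198.51.100.7"},
    {"user": "carol", "ts": "2022-03-22T09:00:00", "result": "denied",   "ip": "192.0.2.9"},
    {"user": "carol", "ts": "2022-03-22T15:30:00", "result": "approved", "ip": "192.0.2.9"},
]

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who received at least `threshold` MFA prompts inside `window`
    with at least one rejection. An approval at the end of the burst is the
    'user gave in' case and is rated high severity."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["result"], e["ip"]))
    alerts = []
    for user, prompts in by_user.items():
        prompts.sort()  # chronological; tuples sort on the datetime first
        alert, start = None, 0
        for end in range(len(prompts)):
            # advance the window start until every prompt in [start, end] fits in `window`
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            burst = prompts[start:end + 1]
            rejections = [p for p in burst if p[1] in ("denied", "timeout")]
            if len(burst) >= threshold and rejections:
                # overwrite so the alert reflects the full burst, including a final approval
                alert = {
                    "user": user,
                    "prompts": len(burst),
                    "rejections": len(rejections),
                    "approved_after_burst": burst[-1][1] == "approved",
                    "severity": "high" if burst[-1][1] == "approved" else "medium",
                    "source_ips": sorted({p[2] for p in burst}),
                    "window_start": burst[0][0].isoformat(),
                }
        if alert:
            alerts.append(alert)
    return alerts
```

A "high" alert is the case worth paging on: the session that followed the approval should be treated as attacker-controlled until the user confirms they initiated it.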

In terms of goals, in many cases Lapsus$ “extorts victims to prevent the release of stolen data, and in others no extortion attempt is made and DEV-0537 publicly leaks the data they stole,” the Microsoft researchers said.

Microsoft source code

Microsoft researchers noted in the post that Lapsus$ “made public claims that they had gained access to Microsoft and leaked portions of source code.” On Telegram, Lapsus$ claimed to have posted source code for Bing, Bing Maps and Cortana.

“No customer code or data was involved in the observed activities. Our investigation found that a single account had been compromised, granting limited access,” the researchers said.

Microsoft’s cybersecurity response teams quickly moved to remediate the compromised account and block further activity, according to the blog.

“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed its intrusion,” the researchers said. “This public disclosure escalated our action, allowing our team to intervene and interrupt the actor mid-operation, limiting the broader impact.”

Microsoft added that it “does not rely on the secrecy of code as a security measure, and viewing source code does not lead to an elevation of risk.”

