Microsoft Confirms That They Got Pwned By LAPSUS$

Microsoft last night confirmed that they were indeed pwned by the LAPSUS$ group, or DEV-0537 as Microsoft calls them after the extortion group released 37GB of source code from Microsoft’s Azure DevOps server. The source code is for various internal Microsoft projects, including for Bing, Cortana and Bing Maps as I described in this story from yesterday.

This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.

If a company as big as Microsoft can get pwned, then nobody is safe.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“Gurucul Labs has done extensive research over many years where we see an Insider Threat quickly becomes apparent as an External Threat and are often not mutually exclusive. This has been more common when insiders are recruited by external groups based on nation-state attack objectives seeking to gain access to networks, steal intellectual property or gain further intelligence on individuals. This is a dangerous and emerging situation where rather than through some combination of blackmail, patriotism, and financial incentives, The Lapsus$ ransomware group has determined that the financial incentive is significant enough to “turn” an insider. Recruiting insiders for stealing sensitive data and executing ransomware, with this combined impact being referred to as a “double extortion” campaign, can be extraordinarily difficult to detect for most XDR and SIEM solutions because they lack the analytics and machine learning models to identify both internal and external malicious activity as being part of the same attack. Customers need the unique approach of combining traditional security analytics, Network Traffic Analytics (NTA), User Entity Behavior Analytics (UEBA) and Identity Access Analytics (IAA) with a risk prioritization engine to determine if users are violating their access privileges in terms of resources and applications, transpiring in any unusual activity based on their role and entitlements, or suspiciously communicating with external parties.  The right solution can enable security teams to escalate in real-time with the necessary context and risk priority in order for the organization to take precise and swift action. Even if the attack has progressed rapidly, it is still important to understand communications and transactional data flow that is indicative of data exfiltration and allow for rapid response to shut it down immediately.”

Peter Stelzhammer, Co-Founder, AV-Comparatives had this to add:

“Even as single sign-on solutions are on the rise, there are some downsides with them, as well with other systems like password managers. It sounds promising to memorize only one password like your master password, but it comes with a downside. In the past years we have seen LastPass, Dashlane, 1Password, Keeper, Onelogin and KeePass with vulnerabilities.  Not all of them lead to breaches, but it shows the dangerousness. Cyber criminals are now on the way to attack the superordinate units instead of the low-level single password of the user. This shows how dependent we all are, from proper coding and vulnerabilities research, full single sign on solutions and password managers. Of course, the best would be using different 20-character passwords with special characters and numbers as well as different login names, but that’s not convenient nor practical. Even with biometric access you fall into a trap. What we have to do is watch the tools we use for vulnerabilities.”

This should serve as a big wake up call that cybersecurity is no longer optional. Because in this case, Microsoft got pwned. Which means that you could be next if you don’t take action now.

UPDATE: Darren Williams, CEO and Founder of BlackFog offers this additional perspective:

“The attack on Microsoft follows the typical pattern we are seeing from the Lapsus$ extortion gang including the recent attack on computer hardware manufacturer Nividia. The Lapsus$ gang in particular has ramped up attacks in March, and which further highlights that the traditional defensive approaches that have been historically relied on are failing organizations today. Perimeter defense tactics are insufficient when it comes to preventing these attacks and the inevitable data exfiltration. The growing importance of anti-data exfiltration techniques must be considered when it comes to preventing these catastrophic losses in the future.”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: