“No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft says. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”
Attack
Lapsus earlier published a torrent file online containing what the group claims is source code for Bing, Bing Maps, and Cortana. According to the threat actor, Bing and Cortana were 45% dumps and Bing Maps was a 90% source code dump.

Microsoft explains how Lapsus was able to gain access to the data: “Their tactics include phone-based social engineering: SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft said. “Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

It is worth noting Microsoft does not call the group Lapsus, instead calling it DEV-0537.

“If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537 creates Global Admin accounts in the organization’s cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly-created account, and then removes all other Global Admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access,” Microsoft points out. “After exfiltration, DEV-0537 often deletes the target’s systems and resources. We’ve observed deletion of resources both on-premises (for example, VMWare vSphere/ESX) and in the cloud to trigger the organization’s incident and crisis response process.”

Lapsus has already been responsible for numerous breaches this year, such as those against Vodafone and Samsung. Earlier this month, the group leaked possible source code for the NVIDIA DLSS feature following a week-long data breach.
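Added detection example, not Microsoft's or any vendor's code: it scans a batch of simplified Microsoft 365 audit records for the tenant-takeover sequence Microsoft describes above (a new Global Admin is created, a transport rule copies mail to another mailbox, the other Global Admins are removed). The record field names, the six-hour window and the sample events are assumptions constructed for this example.

```python
# Added example, not Microsoft's code: flag the DEV-0537 tenant-takeover
# sequence (new Global Admin created, tenant-wide transport rule copies mail,
# other Global Admins removed) in simplified Microsoft 365 audit records.
# Record fields and the sample events below are constructed for this example.
from datetime import datetime, timedelta

GLOBAL_ADMIN = "Global Administrator"
# Transport-rule parameters that redirect or copy messages to another mailbox.
FORWARD_PARAMS = {"RedirectMessageTo", "BlindCopyTo", "CopyTo"}


def detect_takeover(records, window=timedelta(hours=6)):
    """Return (severity, actor, detail) findings, earliest event first."""
    findings = []
    recs = sorted(records, key=lambda r: r["time"])  # ISO-8601 sorts lexically
    for i, r in enumerate(recs):
        if r["op"] in ("New-TransportRule", "Set-TransportRule"):
            fwd = FORWARD_PARAMS & set(r.get("params", {}))
            if fwd:  # any rule that copies or redirects mail deserves review
                findings.append(("high", r["actor"],
                                 f"transport rule forwards mail via {sorted(fwd)}"))
        elif r["op"] == "Add member to role." and r["role"] == GLOBAL_ADMIN:
            t0 = datetime.fromisoformat(r["time"])
            # Other Global Admins removed within the window after the new one
            # was added: the lock-out step of the sequence.
            removed = [x["target"] for x in recs[i + 1:]
                       if x["op"] == "Remove member from role."
                       and x["role"] == GLOBAL_ADMIN
                       and x["target"] != r["target"]
                       and datetime.fromisoformat(x["time"]) - t0 <= window]
            if removed:
                findings.append(("critical", r["actor"],
                                 f"added GA {r['target']} then GA(s) removed: {removed}"))
    return findings


# Constructed sample records (not real log data); the last one is benign.
EVENTS = [
    {"time": "2022-03-20T01:00:00", "actor": "alice@contoso.example",
     "op": "Add member to role.", "role": GLOBAL_ADMIN, "target": "ga-new@contoso.example"},
    {"time": "2022-03-20T01:05:00", "actor": "ga-new@contoso.example",
     "op": "New-TransportRule",
     "params": {"Name": "compliance copy", "BlindCopyTo": "ga-new@contoso.example"}},
    {"time": "2022-03-20T01:20:00", "actor": "ga-new@contoso.example",
     "op": "Remove member from role.", "role": GLOBAL_ADMIN, "target": "bob@contoso.example"},
    {"time": "2022-03-20T01:21:00", "actor": "ga-new@contoso.example",
     "op": "Remove member from role.", "role": GLOBAL_ADMIN, "target": "alice@contoso.example"},
    {"time": "2022-03-20T09:00:00", "actor": "carol@contoso.example",
     "op": "New-TransportRule", "params": {"Name": "footer", "ApplyHtmlDisclaimerText": "..."}},
]
```

Running `detect_takeover(EVENTS)` yields one critical finding for the admin add-then-remove sequence and one high finding for the copying transport rule; the disclaimer rule produces nothing.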