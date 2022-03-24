As we mentioned recently, Lapsus$ took credit for breaking into Microsoft's systems and stealing up to 37 GB of confidential data, including source code for services such as Bing, Bing Maps, and Cortana. Until now, however, there had been no confirmation from Microsoft.

In a post on its official blog, the Redmond-based company confirms that it was breached by the group it tracks as 'DEV-0537', better known as Lapsus$. After investigating the incident, Microsoft concluded that only one account was compromised: the one used to gain access to its systems.

The use of social engineering to obtain access credentials

According to the company, access was limited, and the Microsoft security team locked the account to prevent further activity.

The Microsoft Threat Intelligence Center (MSTIC) assesses that the goal of DEV-0537 is to gain elevated access through stolen credentials that enable data theft and destructive attacks directed at an organization, often resulting in extortion. The tactics and objectives indicate that this is a cybercriminal actor motivated by theft and destruction.

Microsoft's post lays out the Lapsus$ modus operandi clearly: through social engineering, the group focuses on obtaining account credentials that give access to company information. The investigation also gives some clues about the methods the group uses to get there. The company summarizes them in four points:

Deploying the Redline password-stealing malware to obtain passwords and session tokens.

Buying credentials and session tokens on criminal underground forums.

Paying employees at target organizations (or at their vendors and business partners) for credentials and for approval of multi-factor authentication (MFA) prompts.

Searching public code repositories for leaked credentials.
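The fourth point is the one a defender can counter most directly: if credentials are sitting in a repository, find them before the attacker does. The following is an added example written for this page, not code from Microsoft or from the original post. It is a small secret scanner that runs a few pattern rules (AWS access key IDs, private key headers, GitHub tokens) plus a generic "keyword = value" rule gated by Shannon entropy, so that placeholders such as `changeme` are not reported. The repository contents, rule names and the entropy threshold are assumptions constructed for the demo; the AWS values are the placeholder keys from AWS's own documentation, not live credentials.

```python
import math
import re

# Constructed sample repository snapshot (path -> file text) for the demo.
# Nothing here is a real secret: the AWS values are AWS's documentation placeholders.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Run `make build` and set PASSWORD via the environment.\n",
    ".env.example": "DB_PASSWORD=changeme\nAPI_TOKEN=\n",
}

# Fixed-format rules: these match on structure alone, no entropy check needed.
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
GITHUB_TOKEN = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")

# Generic rule: a secret-ish keyword (possibly inside a longer identifier such as
# AWS_SECRET_ACCESS_KEY), an assignment, then a value of at least 8 non-space chars.
GENERIC_SECRET = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)
# Assumed threshold in bits per character: 'changeme' scores 2.75, random keys score above 4.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for an empty or single-char string)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep findings useful in a report without re-leaking the secret itself."""
    return value[:4] + "..." if len(value) > 4 else "***"


def scan_text(path: str, text: str) -> list:
    """Return one finding dict per matched rule per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in (
            ("aws_access_key_id", AWS_ACCESS_KEY),
            ("private_key", PRIVATE_KEY),
            ("github_token", GITHUB_TOKEN),
        ):
            m = pattern.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": rule, "match": mask(m.group(0))})
        m = GENERIC_SECRET.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append({"path": path, "line": lineno, "rule": "generic_high_entropy",
                             "match": mask(m.group(1))})
    return findings


def scan_repo(files: dict) -> list:
    """Scan every file in a {path: text} mapping and return all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['match']}")
```

Run as a pre-commit hook or over a clone of each public repository, the same rules catch what an attacker's search would find; the entropy gate is what keeps the generic rule from drowning the output in `changeme` and `password123`-style placeholders, at the cost of missing genuinely low-entropy secrets, which a dictionary rule would have to cover separately.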

We have already covered Redline, an information-stealing malware that, combined with phishing, lets attackers steal a user's credentials; cybercriminals usually deliver it through emails or websites of dubious origin. Once Lapsus$ has the credentials, it uses them to break into the target's systems and steal information. Through these methods the group has managed to break into companies such as NVIDIA, Samsung, LG, Okta, and now Microsoft.

With valid credentials in hand, the attackers can make use of internet-facing services such as VPNs, remote desktop, virtual desktop infrastructure, or identity providers such as Azure Active Directory or Okta. To get past MFA, Microsoft says the group typically relies on two techniques: replaying stolen session tokens, and using stolen passwords to trigger simple-approval MFA push prompts over and over until the user gives in and approves one.
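Both MFA-bypass techniques leave a signature in identity-provider sign-in logs, and the example below shows what looking for them can look like. It is an added example written for this page, not code from Microsoft or from the original post, and it runs over a handful of constructed events rather than real Azure AD or Okta logs. The first detector flags the prompt-bombing pattern: a user approving a push after several denied or timed-out prompts inside a short window. The second flags a session token presented from more than one network location, which is the tell-tale of a replayed token. The event schema, the users and session IDs, the 10-minute window, the threshold of three prompts, and the tiny prefix-to-location table standing in for a GeoIP/ASN database are all assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, loosely modelled on identity-provider logs.
# IPs come from RFC 5737 documentation ranges; users and session ids are made up.
EVENTS = [
    {"ts": "2022-03-22T09:00:05", "user": "alice", "event": "mfa_prompt", "result": "denied", "ip": "203.0.113.10", "session": None},
    {"ts": "2022-03-22T09:00:40", "user": "alice", "event": "mfa_prompt", "result": "timeout", "ip": "203.0.113.10", "session": None},
    {"ts": "2022-03-22T09:01:10", "user": "alice", "event": "mfa_prompt", "result": "denied", "ip": "203.0.113.10", "session": None},
    {"ts": "2022-03-22T09:01:55", "user": "alice", "event": "mfa_prompt", "result": "approved", "ip": "203.0.113.10", "session": None},
    {"ts": "2022-03-22T09:02:00", "user": "alice", "event": "session_use", "result": "success", "ip": "198.51.100.7", "session": "sess-a1"},
    {"ts": "2022-03-22T09:15:00", "user": "alice", "event": "session_use", "result": "success", "ip": "203.0.113.10", "session": "sess-a1"},
    {"ts": "2022-03-22T09:05:00", "user": "bob", "event": "mfa_prompt", "result": "approved", "ip": "198.51.100.8", "session": None},
    {"ts": "2022-03-22T09:05:10", "user": "bob", "event": "session_use", "result": "success", "ip": "198.51.100.8", "session": "sess-b1"},
    {"ts": "2022-03-22T09:30:00", "user": "bob", "event": "session_use", "result": "success", "ip": "198.51.100.9", "session": "sess-b1"},
    {"ts": "2022-03-22T08:00:00", "user": "carol", "event": "mfa_prompt", "result": "denied", "ip": "198.51.100.20", "session": None},
    {"ts": "2022-03-22T08:01:00", "user": "carol", "event": "mfa_prompt", "result": "denied", "ip": "198.51.100.20", "session": None},
    {"ts": "2022-03-22T09:30:00", "user": "carol", "event": "mfa_prompt", "result": "approved", "ip": "198.51.100.20", "session": None},
]

# Constructed prefix -> location table; a real deployment would use a GeoIP/ASN lookup.
GEO = {"198.51.100.": "corp-vpn-ES", "203.0.113.": "residential-BR"}


def geo_label(ip: str) -> str:
    for prefix, label in GEO.items():
        if ip.startswith(prefix):
            return label
    return "unknown"


def parse(events: list) -> list:
    """Parse timestamps and return the events in chronological order."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def detect_mfa_fatigue(events: list, window: timedelta = timedelta(minutes=10), min_unapproved: int = 3) -> list:
    """Flag users who approved an MFA push after at least `min_unapproved`
    denied or timed-out prompts within `window` before the approval."""
    by_user = defaultdict(list)
    for e in parse(events):
        if e["event"] == "mfa_prompt":
            by_user[e["user"]].append(e)
    alerts = []
    for user, prompts in by_user.items():
        for i, p in enumerate(prompts):
            if p["result"] != "approved":
                continue
            prior = [q for q in prompts[:i]
                     if q["result"] != "approved" and p["ts"] - q["ts"] <= window]
            if len(prior) >= min_unapproved:
                alerts.append({"user": user, "approved_at": p["ts"].isoformat(),
                               "unapproved_prompts": len(prior)})
    return alerts


def detect_session_replay(events: list) -> list:
    """Flag session tokens presented from more than one network location."""
    locations = defaultdict(set)
    for e in parse(events):
        if e["event"] == "session_use" and e["session"]:
            locations[e["session"]].add(geo_label(e["ip"]))
    return [{"session": s, "locations": sorted(locs)}
            for s, locs in locations.items() if len(locs) > 1]


if __name__ == "__main__":
    for a in detect_mfa_fatigue(EVENTS):
        print("MFA fatigue:", a)
    for r in detect_session_replay(EVENTS):
        print("Session replay:", r)
```

Only alice trips the fatigue rule: carol's two denials sit 90 minutes before her approval, outside the window, and bob approved a single prompt. Only `sess-a1` trips the replay rule, because bob's two IPs resolve to the same location. The location comparison, rather than a raw IP comparison, is what keeps a user roaming inside one network from being flagged; the trade-off is that a replay from the same location as the victim stays invisible to this rule.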

Microsoft also notes that Lapsus$ makes no effort to cover its tracks: it usually publicizes each move, in this case on its Telegram channel and other social networks. Nor does it hide its recruiting of employees and insiders at the companies that interest it.