Microsoft was indeed hacked by South American hacker team Lapsus$, the software giant admitted in a blog post and lengthy analysis yesterday (March 22).
“Our investigation revealed that only one account was compromised, granting limited access,” Microsoft said. “No customer code or data was involved in the observed activities.”
As to whether this intrusion, which resulted in the theft of an alleged 37 GB of source code belonging to Bing, Bing Maps and Cortana, would compromise the security of Microsoft software or customers, the company strongly denied that it would.
A risk for you? No, says Microsoft
“Microsoft does not rely on code secrecy as a security measure,” the blog post states, “and viewing source code does not result in increased risk.”
Of course, that’s what you expect from a hacked company. And there’s certainly some skepticism online about Microsoft’s insistence that it wasn’t a big deal.
“We weren’t hacked.” “There was a hacking attempt.” “We were hacked, but that’s okay.” “2.5% of you have been hacked.” “We have been hacked.” (March 23, 2022)
We’re inclined to give Microsoft the benefit of the doubt here, but you can bet security experts will be looking into the stolen code Lapsus$ has posted online to see if there’s a way to exploit it. (The source code for Windows, Office, and other office software does not appear to have been among the stolen data.)
Until we know more, we urge you to keep all your Microsoft software up to date and maintain other security “best practices”, such as using one of the best password managers and one of the best antivirus programs.
How did the hackers get in?
Microsoft hasn’t said exactly how Lapsus$, which Microsoft calls “DEV-0537”, got into its systems. But it provided a lengthy and interesting analysis of Lapsus$’s methods and goals, which is unusual.
Unlike other criminal groups, Microsoft noted, Lapsus$ likes to make a lot of noise and acts as if media attention matters more than money.
“DEV-0537 is known to use an extortion and pure destruction model without deploying ransomware payloads,” the company said. The goal “is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization.”
The crew has its own public Telegram channel where it announces hacks and refutes claims from hacked organizations; yesterday, for example, it posted a point-by-point rebuttal of identity management firm Okta’s analysis of its own Lapsus$ hack.
Last month, Lapsus$ attacked graphics card maker Nvidia and demanded that the company provide driver software to enable easier cryptocurrency mining.
Confidence tricks and bribes
We have to confess a grudging admiration for Lapsus$, which seems capable of carrying out high-profile data breaches – Samsung has also been hacked – without using sophisticated malware or spy-movie techniques. Instead, Lapsus$ relies on old-fashioned bribery and trickery and an understanding of human nature.
“Their tactics include social engineering over the phone,” such as convincing help desk staff to reset passwords, Microsoft wrote.
Other Lapsus$ methods include “swapping SIM cards to facilitate account takeover; accessing personal email accounts of employees of target organizations; paying employees, vendors, or business partners of targeted organizations for credential access and Multi-Factor Authentication (MFA) approval; and intrusion into their targets’ ongoing crisis communications calls.”
Once Lapsus$ enters a targeted organization, Microsoft added, it “creates global administrator accounts in the organization’s cloud instances, sets an Office 365 tenant-level mail transport rule to send all incoming and outgoing messages from the organization to the newly created account, and then removes all other global admin accounts, so that only the actor has exclusive control of cloud resources, thereby blocking the organization from all access.”
It’s already pretty epic. But Lapsus$ then takes it to the next level, infiltrating the hacked organization’s own internal discussions about how to respond to Lapsus$’s intrusion.
It will join “crisis communication calls and internal organization chat rooms (Slack, Teams, conference calls and others) to understand the incident response workflow and their corresponding response,” Microsoft said.
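The three-step takeover Microsoft describes (new global admin, tenant-wide mail redirect to that account, removal of every other global admin) leaves a distinctive trail in a tenant's audit log, and that sequence is what a defender would alert on. The script below is an added illustration, not Microsoft's tooling or anything from the Lapsus$ analysis: it correlates those three stages over a constructed set of audit events in a simplified, hypothetical schema (the field names `op`, `role`, `target`, `scope` and `redirect_to` are my own and do not match the real Azure AD or Exchange Online log format) and raises a finding when a newly promoted admin is followed, within a time window, by a redirect rule pointing at it and by removals of other global admins.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not the real
# Azure AD / Exchange Online format). One benign promotion on 03-19 and
# one full takeover sequence on 03-20.
SAMPLE_LOG = """
{"ts": "2022-03-19T09:00:00Z", "actor": "it-admin@corp.example", "op": "AddMemberToRole", "role": "Global Administrator", "target": "carol@corp.example"}
{"ts": "2022-03-20T01:10:00Z", "actor": "helpdesk@corp.example", "op": "AddMemberToRole", "role": "Global Administrator", "target": "svc-backup@corp.example"}
{"ts": "2022-03-20T01:12:30Z", "actor": "svc-backup@corp.example", "op": "New-TransportRule", "scope": "all", "redirect_to": "svc-backup@corp.example"}
{"ts": "2022-03-20T01:15:00Z", "actor": "svc-backup@corp.example", "op": "RemoveMemberFromRole", "role": "Global Administrator", "target": "alice@corp.example"}
{"ts": "2022-03-20T01:16:00Z", "actor": "svc-backup@corp.example", "op": "RemoveMemberFromRole", "role": "Global Administrator", "target": "bob@corp.example"}
"""

GLOBAL_ADMIN = "Global Administrator"


def parse_log(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_admin_takeover(events, window=timedelta(hours=2)):
    """Correlate the three takeover stages around each new global-admin grant.

    Stage 1: an account is added to the Global Administrator role.
    Stage 2: a transport rule redirecting all mail to that same account.
    Stage 3: other global admins are removed within the window.
    A grant followed by at least one further stage is reported; all three
    stages together are rated high.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["op"] != "AddMemberToRole" or ev["role"] != GLOBAL_ADMIN:
            continue
        new_admin = ev["target"]
        deadline = ev["ts"] + window
        stages = {"new_global_admin": True, "mail_redirect": False, "removed_admins": []}
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break
            if (later["op"] == "New-TransportRule"
                    and later.get("scope") == "all"
                    and later.get("redirect_to") == new_admin):
                stages["mail_redirect"] = True
            elif (later["op"] == "RemoveMemberFromRole"
                    and later["role"] == GLOBAL_ADMIN
                    and later["target"] != new_admin):
                stages["removed_admins"].append(later["target"])
        score = 1 + int(stages["mail_redirect"]) + int(bool(stages["removed_admins"]))
        if score >= 2:
            findings.append({
                "new_admin": new_admin,
                "granted_by": ev["actor"],
                "first_seen": ev["ts"].isoformat(),
                "severity": "high" if score == 3 else "medium",
                **stages,
            })
    return findings


if __name__ == "__main__":
    for finding in find_admin_takeover(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

The benign promotion of `carol@corp.example` produces no finding because nothing follows it; the `svc-backup@corp.example` grant is rated high because all three stages land inside the window. In a real tenant the equivalent signals would come from the directory role-change audit and the Exchange admin audit log, and a single new global admin on its own is usually legitimate, which is why the rule scores the sequence rather than any one event.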
“This group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support businesses – to leverage their access from one organization to access partner organizations or suppliers.”