Bing and Cortana source code leaked, netizens scoff: in fact, nobody wants it

Compiled by | Zheng Liyuan
Produced by | CSDN (ID: CSDNnews)

After NVIDIA and Samsung, the hacker group Lapsus$ has struck again, and this time the target was Microsoft.

Last Sunday, Lapsus$ posted a screenshot on Telegram. The file names visible in the upper left corner ("Azure DevOps", "Bing", "Cortana" and others) all suggested that it had successfully broken into Microsoft's Azure DevOps server and obtained the source code of Bing, Cortana and various internal projects.


Then, on Monday, Lapsus$ went ahead and released a 9 GB compressed archive, claiming that it contains the source code of more than 250 internal Microsoft projects, 90% of the Bing source code, and 45% of the Bing Maps and Cortana source code!


1. Microsoft: admits the breach, but says it is not a big problem

According to security researchers, although Lapsus$'s public archive is only 9 GB, it should contain about 37 GB of source code once uncompressed, and some of the emails and documents inside also support Lapsus$'s claims: "These emails and documents are clearly used by Microsoft engineers to publish mobile apps."

On further examination, the researchers also found that the source code leaked by Lapsus$ is mainly concentrated in Microsoft's web-based infrastructure, websites and mobile applications; it does not include the source code of desktop software such as Windows or Office.


Microsoft responded with an official blog post on Tuesday: yes, an account had been compromised, but the source code leak is not a big problem (in the blog post, Microsoft refers to Lapsus$ as DEV-0537).

This week, DEV-0537 publicly claimed that they had gained access to Microsoft and leaked some of the source code. But we observed that the hack did not involve customer code or data. Our investigation revealed that one account had been compromised with limited access, and our cybersecurity response team quickly repaired the compromised account and prevented further activity.

However, Microsoft does not use code secrecy as a security measure, so viewing the source code does not increase the risk. We have also comprehensively analyzed the tactics and techniques involved in DEV-0537's intrusion. So when the attackers publicly disclosed their breach, our team investigated the compromised accounts based on threat intelligence and intervened directly to interrupt the activity and prevent the impact from escalating.

Microsoft claims that its investigative team has been tracking the Lapsus$ group in recent weeks and has figured out some of the methods and techniques they use to compromise targeted systems long before Lapsus$ leaked the code.

Microsoft probably isn't lying about this.

According to a screenshot of Lapsus$'s Telegram conversation provided by Twitter user @Soufiane Tahiri, it can be speculated that the group had already lost access before it leaked Microsoft's source code: "Obviously they lost access, which means they may have been discovered by Microsoft before they leaked the data, haha!"


In response, some netizens agreed: "I also think that they lost access to the source code before they leaked it, so they chose to publish the source code."

In addition, some netizens ridiculed the source code leakage of Bing and Cortana:

"The Bing source code leak may be the first to cause negative damage, and Microsoft may see a 5x increase in traffic to Google searches for 'what is Bing'."

"Hacker: 'We're going to release the BING source code', and the whole world replies indifferently: 'Oh...'"

"Honestly, nobody wants the code for these bad projects..."

2. Hackers are suspected of bribing corporate employees?

Although Microsoft has said that leaking the project's source code does not pose a risk, it is not yet known whether Lapsus$ will have a next move.

Judging by the group's action against NVIDIA last month, Lapsus$ may demand a ransom from Microsoft, demand that core designs be open-sourced, and so on; but it may also, as with Samsung, simply publish the sensitive data it obtained without making any further demands.

So far, NVIDIA, Samsung, Microsoft, Vodafone and many other technology companies have been attacked by Lapsus$. Lapsus$ also posted a screenshot of Okta's internal systems on Telegram (note: Okta is an authentication and identity management platform); if Lapsus$ had really compromised that company, thousands of businesses around the world that rely on Okta's services would be at risk.

But Okta's chief security officer soon responded: "Okta services have not been compromised and remain fully operational." Okta pointed out that the engineer's access obtained by Lapsus$ could only be used to help users reset their passwords, not to obtain those passwords, and that there was also no way to "download the customer database or create/delete users".

The number of companies affected by Lapsus$ is reminiscent of the equally influential SolarWinds hack a year ago (the SolarWinds Orion software update package was backdoored by hackers). But in contrast, the method by which Lapsus$ has repeatedly succeeded this time is unknown.

In its official blog post, Microsoft describes four ways Lapsus$ is believed to gain initial access:

  • Deploying the Redline password stealer to obtain passwords and session tokens

  • Buying credentials and session tokens on criminal underground forums

  • Paying employees of the target organization (or its vendors/business partners) for credentials and multi-factor authentication (MFA) approval

  • Searching public code repositories for exposed credentials

Of the four approaches, many security researchers agree that the most likely one for Lapsus$ is "paying employees of target companies for access." Lapsus$ has previously announced publicly that it wants to buy access to internal systems from corporate employees.


After gaining initial access, Lapsus$ escalates privileges by exploiting vulnerabilities on internal servers, or by finding exposed credentials in code repositories and collaboration platforms, and then steals sensitive information.
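The credential-in-repository route mentioned above (both as an initial access method and as a privilege-escalation step) is one that defenders can check for mechanically. The following is an added example of a minimal secret scanner of the kind run as a pre-commit hook or CI step; it is not code from Microsoft or from the article, and the repository contents, rule names and placeholder list are all constructed for illustration. It shows two rule types (a format-specific rule for a well-known key prefix and a generic keyword-plus-literal rule), filters obvious placeholder values to avoid false positives, and redacts the matched value in the report so the finding itself does not re-leak the secret.

```python
"""Minimal secret scanner (added example). Scans a repository's files for
exposed credentials and reports redacted findings with an entropy score."""
import math
import re

# Constructed sample "repository": path -> file text. These are made-up files,
# not anything from the leaked archive or from Microsoft.
SAMPLE_REPO = {
    "src/config.py": (
        "DB_HOST = 'db.internal.example'\n"
        "DB_PASSWORD = 'Sup3r-Secret-Pa55'\n"
        "DEBUG = False\n"
    ),
    "deploy/env.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n"
        "export REGION=eu-west-1\n"
    ),
    "docs/README.md": "Run `make test` before pushing.\n",
    "src/auth.py": (
        "# values that look like secrets but are not\n"
        "password = os.environ['APP_PASSWORD']\n"
        "TOKEN = 'changeme'\n"
    ),
}

# Rules: name -> (compiled regex, index of the group holding the secret value).
RULES = {
    # Format-specific rule: AWS access key IDs are "AKIA" followed by 16 chars.
    "aws-access-key-id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    # Generic rule: a secret-like keyword assigned a quoted literal of 8+ chars.
    "hardcoded-secret": (
        re.compile(r"(?i)(password|passwd|pwd|secret|token|api_key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
        2,
    ),
}

# Obvious placeholders (constructed list) that are not real secrets; skipping
# them keeps the hook from crying wolf on every template file.
PLACEHOLDERS = {"changeme", "password", "example", "replace-me", "your-secret-here"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; real secrets are usually above ~3.0."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list:
    """Apply every rule to every line of one file; one finding per rule per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, (pattern, group) in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(group)
            if value.lower() in PLACEHOLDERS:
                continue  # known dummy value, not worth an alert
            findings.append({
                "path": path,
                "line": lineno,
                "rule": rule,
                "entropy": round(shannon_entropy(value), 2),
                "preview": redact(value),
            })
    return findings


def scan_repo(files: dict) -> list:
    """Scan every file; returns findings sorted by path and line number."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return sorted(out, key=lambda f: (f["path"], f["line"]))


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['rule']} entropy={f['entropy']} {f['preview']}")
```

Run as a hook, a non-empty result would block the commit; the entropy score helps triage (a high-entropy literal behind a password keyword is far more likely to be real than a short dictionary word), and extending the scanner is a matter of adding a rule entry for each additional token format an organization uses.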

3. How to strengthen system security?

Since Lapsus$'s attacks are hard to guard against, how can companies defend themselves? Microsoft has summarized a few suggestions on this question for reference.

  • Strengthen MFA (Multi-Factor Authentication) settings

According to the Microsoft security team, although Lapsus$ has tried, without success, to find weaknesses in MFA, MFA remains a key pillar in keeping corporate employees, suppliers and others with similar identities safe.

Microsoft recommends requiring MFA for all users wherever they sign in, including from on-premises systems, using complex passwords, and not relying solely on SMS verification codes as the MFA method, because the SIM card can also be hijacked.

  • Secure device access

Enterprises should allow sensitive resources to be accessed only from identified, trusted devices, and deploy antivirus software with cloud-delivered protection to detect malware.

  • Enhanced monitoring of cloud security posture

Because Lapsus$ is adept at using legitimate credentials to perform malicious operations, and such activity is hard to spot precisely because the credentials are legitimate, organizations need to strengthen monitoring of their cloud security posture: for example, review conditional access user and session risk configuration, and set up alerts for review whenever a user attempts a high-risk modification, among other measures.
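To make the monitoring recommendation concrete, here is an added example of detection logic run over a handful of constructed sign-in and audit records; it is not Microsoft's detection content and the event format, field names and sample data are invented for illustration. It encodes the two points from the paragraph above: a legitimately issued session token that suddenly appears from a different IP is treated as suspected token reuse, and high-risk directory changes (MFA method registration, privileged role assignment, policy changes) always raise a review alert, escalated to high severity when they come from a session already under suspicion.

```python
"""Cloud posture alerting (added example): flags session-token reuse and
high-risk account modifications from a stream of audit events."""
from datetime import datetime

# Modifications that should always be reviewed (constructed event names).
HIGH_RISK_EVENTS = {
    "mfa_method_added",
    "global_admin_role_assigned",
    "conditional_access_policy_changed",
}

# Constructed sample events, not real telemetry. Alice signs in from NL, then
# her session token is replayed from BR and used to register a new MFA method;
# Bob registers an MFA method from his own normal session.
SAMPLE_EVENTS = [
    {"ts": "2022-03-20T08:00:00", "user": "alice", "event": "sign_in",
     "ip": "203.0.113.10", "country": "NL", "session": "s-1"},
    {"ts": "2022-03-20T08:05:00", "user": "alice", "event": "repo_read",
     "ip": "203.0.113.10", "country": "NL", "session": "s-1"},
    {"ts": "2022-03-20T08:30:00", "user": "alice", "event": "repo_read",
     "ip": "198.51.100.7", "country": "BR", "session": "s-1"},
    {"ts": "2022-03-20T08:35:00", "user": "alice", "event": "mfa_method_added",
     "ip": "198.51.100.7", "country": "BR", "session": "s-1"},
    {"ts": "2022-03-20T09:00:00", "user": "bob", "event": "sign_in",
     "ip": "192.0.2.5", "country": "NL", "session": "s-2"},
    {"ts": "2022-03-20T09:10:00", "user": "bob", "event": "mfa_method_added",
     "ip": "192.0.2.5", "country": "NL", "session": "s-2"},
]


def detect_alerts(events: list) -> list:
    """Walk events in time order and return alerts for token reuse and
    high-risk changes. Alerts carry the triggering event's timestamp and user."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    session_ips = {}   # session id -> set of source IPs seen so far
    suspect = set()    # sessions that have been used from more than one IP
    alerts = []
    for e in ordered:
        ips = session_ips.setdefault(e["session"], set())
        # Rule 1: a session token issued to one IP shows up from another IP.
        if ips and e["ip"] not in ips and e["session"] not in suspect:
            suspect.add(e["session"])
            alerts.append({
                "ts": e["ts"], "user": e["user"], "session": e["session"],
                "rule": "session_token_reuse", "severity": "high",
                "detail": f"session first seen from {sorted(ips)[0]}, now from {e['ip']} ({e['country']})",
            })
        ips.add(e["ip"])
        # Rule 2: high-risk modifications are always reviewed; a suspect
        # session escalates the alert to high severity.
        if e["event"] in HIGH_RISK_EVENTS:
            alerts.append({
                "ts": e["ts"], "user": e["user"], "session": e["session"],
                "rule": "high_risk_change",
                "severity": "high" if e["session"] in suspect else "medium",
                "detail": f"{e['event']} from {e['ip']} ({e['country']})",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_alerts(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['severity']:6} {a['user']:6} {a['rule']}: {a['detail']}")
```

In practice the IP comparison would be loosened to ASN or country so that a laptop hopping between corporate Wi-Fi networks does not page anyone, and the medium-severity review alerts would feed a queue rather than an on-call rotation; the point is that the "legitimate credentials" problem is addressed by looking at how a session is used after authentication, not only at the authentication itself.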

The above are just some suggestions for "preventing problems before they happen". Ultimately, Microsoft hopes that enterprises will establish operational security procedures in advance, so that a real Lapsus$ intrusion can be handled and its scope of impact kept as small as possible.

Reference link:

  • https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

  • https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/


Origin blog.csdn.net/csdnnews/article/details/123701954