
Microsoft confirms LAPSUS$ hit account with limited access after gang released alleged Bing and Cortana source

Microsoft has confirmed that a lapsus$ account with limited access was opened on Wednesday after a hacker gang released an alleged Bing and Cortana so



Microsoft has confirmed that the hacking gang LAPSUS$ was able to compromise an account with limited access, but it has left the question of source code exfiltration hanging in the air.

"No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity," Microsoft said.

"Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.

"Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact."

On Tuesday, LAPSUS$ posted a torrent file claiming to contain source code from Bing, Bing Maps, and Cortana.

"Bing maps is 90% complete dump. Bing and Cortana around 45%," the group said.

Microsoft's confirmation of the compromise was contained in a blog post, which listed the techniques of the group.

"Their tactics include phone-based social engineering: SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication approval; and intruding in the ongoing crisis-communication calls of their targets," Microsoft said.

"Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction."

The group, named DEV-0537 by Microsoft, has been observed using vulnerabilities in Confluence, JIRA, and GitLab to elevate privileges, calling helpdesks to get passwords reset, stealing Active Directory databases, and making use of NordVPN to appear as though they are in similar geography to targets.

"If they successfully gain privileged access to an organization's cloud tenant (either AWS or Azure), DEV-0537 creates Global Admin accounts in the organization's cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly-created account, and then removes all other Global Admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access," Microsoft said.

"After exfiltration, DEV-0537 often deletes the target's systems and resources. We've observed deletion of resources both on-premises (for example, VMWare vSphere/ESX) and in the cloud to trigger the organization's incident and crisis response process."
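The tenant-takeover sequence Microsoft describes above (a new Global Admin, a tenant-wide mail transport rule copying all mail to it, then removal of every other Global Admin) leaves a recognisable trail in the Microsoft 365 unified audit log. The script below is an added example, not part of the original article and not Microsoft's own tooling: it correlates those three event types within a time window and raises a critical finding only when they chain through the same newly minted account. The log records are constructed, and the field and operation names used (`Add member to role.`, `Remove member from role.`, `New-TransportRule`, `Role.DisplayName`, `BlindCopyTo`) are assumed to follow the unified audit log schema; check them against an export from your own tenant before relying on the parser.

```python
"""Added example: spot the 'new admin -> mail copy rule -> remove other admins'
pattern in Microsoft 365 unified audit log records. Schema is an assumption."""
from datetime import datetime, timedelta

GLOBAL_ADMIN = "Global Administrator"
# Transport-rule parameters that copy or redirect matching mail to an address.
FORWARD_PARAMS = {"BlindCopyTo", "RedirectMessageTo", "CopyTo", "AddToRecipients"}
# A rule carrying any of these is scoped to a condition rather than "all mail".
CONDITION_PARAMS = {"From", "SentTo", "SubjectContainsWords", "FromScope",
                    "SentToScope", "AttachmentContainsWords", "SenderDomainIs"}

# Constructed sample records (assumed unified-audit-log shape, not real data).
SAMPLE_LOG = [
    {"CreationTime": "2022-03-20T02:10:00", "Operation": "Add member to role.",
     "UserId": "admin.alice@example.test", "ObjectId": "svc-backup@example.test",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": GLOBAL_ADMIN}]},
    {"CreationTime": "2022-03-20T02:14:00", "Operation": "New-TransportRule",
     "UserId": "svc-backup@example.test", "ObjectId": "Compliance Archive",
     "Parameters": [{"Name": "Name", "Value": "Compliance Archive"},
                    {"Name": "BlindCopyTo", "Value": "svc-backup@example.test"}]},
    {"CreationTime": "2022-03-20T02:20:00", "Operation": "Remove member from role.",
     "UserId": "svc-backup@example.test", "ObjectId": "admin.alice@example.test",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "OldValue": GLOBAL_ADMIN}]},
    {"CreationTime": "2022-03-20T02:21:00", "Operation": "Remove member from role.",
     "UserId": "svc-backup@example.test", "ObjectId": "admin.bob@example.test",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "OldValue": GLOBAL_ADMIN}]},
    # Benign: a rule scoped to one partner domain, copying to a legal mailbox.
    {"CreationTime": "2022-03-20T09:00:00", "Operation": "New-TransportRule",
     "UserId": "admin.bob@example.test", "ObjectId": "Partner legal hold",
     "Parameters": [{"Name": "SenderDomainIs", "Value": "partner.test"},
                    {"Name": "BlindCopyTo", "Value": "legal@example.test"}]},
]


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def role_name(rec):
    """Role named in a directory role-change record (new or old value)."""
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue") or prop.get("OldValue")
    return None


def params(rec):
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def forwarding_targets(rec):
    """Addresses a transport rule copies or redirects mail to (lower-cased)."""
    p = params(rec)
    return {p[k].lower() for k in FORWARD_PARAMS if k in p}


def is_tenant_wide(rec):
    """True when the rule has no scoping condition, i.e. it matches all mail."""
    return not (CONDITION_PARAMS & set(params(rec)))


def analyze(records, window=timedelta(hours=24)):
    """Return findings; a critical one when all three steps chain within window."""
    findings = []
    chains = {}  # newly granted Global Admin -> what it has done since
    for r in sorted(records, key=_ts):
        op, actor, t = r["Operation"], r["UserId"].lower(), _ts(r)
        if op == "Add member to role." and role_name(r) == GLOBAL_ADMIN:
            target = r["ObjectId"].lower()
            chains[target] = {"added": t, "mail_rule": None, "removed": []}
            findings.append({"severity": "medium", "type": "global_admin_added",
                             "account": target, "by": actor})
        elif op in ("New-TransportRule", "Set-TransportRule"):
            targets = forwarding_targets(r)
            if not targets or not is_tenant_wide(r):
                continue
            findings.append({"severity": "high", "type": "tenant_wide_mail_copy",
                             "rule": r["ObjectId"], "targets": sorted(targets), "by": actor})
            for acct in targets & set(chains):
                if t - chains[acct]["added"] <= window:
                    chains[acct]["mail_rule"] = r["ObjectId"]
        elif op == "Remove member from role." and role_name(r) == GLOBAL_ADMIN:
            removed = r["ObjectId"].lower()
            findings.append({"severity": "medium", "type": "global_admin_removed",
                             "account": removed, "by": actor})
            chain = chains.get(actor)
            if chain and t - chain["added"] <= window:
                chain["removed"].append(removed)
    # Emit the chained finding once per account after all records are seen.
    for acct, chain in chains.items():
        if chain["mail_rule"] and chain["removed"]:
            findings.append({"severity": "critical", "type": "tenant_lockout_pattern",
                             "account": acct, "mail_rule": chain["mail_rule"],
                             "removed": list(chain["removed"])})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["type"], f)
```

Each step is also reported on its own at a lower severity, because a tenant-wide copy rule or a burst of Global Admin removals deserves review even when the full chain is not visible in the export at hand.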

The group has also used internal messaging services to understand how victims are reacting.

"It is assessed this provides DEV-0537 insight into the victim's state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands," Microsoft said.

"Notably, DEV-0537 has been observed joining incident response bridges within targeted organizations responding to destructive actions. In some cases, DEV-0537 has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made and DEV-0537 publicly leaked the data they stole."

In the past 24 hours, LAPSUS$ also claimed to have hit Okta. In response, Okta said the group had access to a support engineer's laptop over a five-day period.

Responding to Okta, the group said the compromised device was a thin client, and that it gained access to a superuser portal that could reset the password and multifactor authentication of 95% of clients.

"For a company that supports zero-trust, support engineers seem to have excessive access to Slack? 8.6k channels?" the group said.

"The potential impact to Okta customers is NOT limited, I'm pretty certain resetting passwords and MFA would result in complete compromise of many clients systems."

The group called on Okta to hire a cybersecurity firm and to publish any report they complete. It also claimed Okta was storing AWS keys within Slack.

 
