Earlier this week, we learned that Microsoft had been hacked by the same group behind recent cyberattacks on Nvidia and Samsung, both of which resulted in significant leaks. Microsoft has now confirmed the breach, and has begun investigating the group known as LAPSUS$.
As previously confirmed, the group did manage to obtain source code for Bing, Bing Maps and Cortana. However, no customer code or data was accessed during the breach. While Microsoft does have to live with the leaks, the company has gained a substantial amount of information on the group behind the attack and will continue to monitor its activities.
“Microsoft Security teams have been actively tracking a large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements. As this campaign has accelerated, our teams have been focused on detection, customer notifications, threat intelligence briefings, and sharing with our industry collaboration partners to understand the actor’s tactics and targets.”
Throughout this process, Microsoft has “improved” its ability to track the group and help customers protect against active intrusions. In some instances, Microsoft says it has worked with organisations to stop attacks before any data theft can take place.
Microsoft is referring to the group as “DEV-0537” and, after some investigation, has found that the group often uses an extortion and destruction model without deploying ransomware payloads. Microsoft also says the group “doesn't seem to cover its tracks” and often uses social engineering tactics to gain access to accounts.
The full blog post goes into great detail on the methods used by this group, other attacks it has conducted and ways organisations can protect themselves.
KitGuru Says: Microsoft was breached through a single account with limited access, which explains the limited contents of the leaks.