Microsoft has confirmed the hacking gang LAPSUS$ was able to compromise an account with limited access, but it has left the question of source code exfiltration unanswered.
"No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity," Microsoft said.
"Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.
"Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact."
On Tuesday, LAPSUS$ posted a torrent file claiming to contain source code from Bing, Bing Maps, and Cortana.
"Bing maps is 90% complete dump. Bing and Cortana around 45%," the group said.
Microsoft's confirmation of the compromise was contained in a blog post, which listed the techniques of the group.
"Their tactics include phone-based social engineering: SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication approval; and intruding in the ongoing crisis-communication calls of their targets," Microsoft said.
"Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction."
The group, named DEV-0537 by Microsoft, has been observed using vulnerabilities in Confluence, JIRA, and GitLab to elevate privileges, calling helpdesks to get passwords reset, stealing Active Directory databases, and using NordVPN to appear to be in the same geographic region as its targets.
"If they successfully gain privileged access to an organization's cloud tenant (either AWS or Azure), DEV-0537 creates Global Admin accounts in the organization's cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly-created account, and then removes all other Global Admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access," Microsoft said.
"After exfiltration, DEV-0537 often deletes the target's systems and resources. We've observed deletion of resources both on-premises (for example, VMWare vSphere/ESX) and in the cloud to trigger the organization's incident and crisis response process."
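The tenant-takeover sequence Microsoft describes (a new Global Admin account, an org-wide mail transport rule feeding that account, then removal of every other Global Admin) leaves a recognisable trail in tenant audit logs. The following detection logic is an added example written for this article, not Microsoft's own code or guidance; it runs over constructed, simplified audit records loosely modelled on Microsoft 365 unified audit log entries, and the account names, timestamps and rule names are invented.

```python
"""Added example: flag the tenant-takeover pattern attributed to DEV-0537
(new Global Admin -> org-wide mail copy rule -> other Global Admins removed)
in constructed audit-log records. Not part of the original article."""
from collections import defaultdict

# Exchange Online transport-rule parameters that deliver a copy of, or redirect, mail.
FORWARDING_ACTIONS = {"BlindCopyTo", "RedirectMessageTo", "CopyTo"}
# Parameters that narrow a rule to a subset of mail; a rule with none of these applies to all mail.
SCOPING_CONDITIONS = {"From", "SentTo", "SubjectContainsWords", "FromScope", "SentToScope",
                      "RecipientDomainIs", "SenderDomainIs", "AttachmentExtensionMatchesWords"}
GLOBAL_ADMIN = "Global Administrator"

# Constructed, simplified records in the order they were logged (not real log data).
SAMPLE_EVENTS = [
    {"Time": "2022-03-20T01:00:00Z", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to role.", "Actor": "ops-contractor@example.com",
     "Target": "svc-backup@example.com", "Role": GLOBAL_ADMIN},
    {"Time": "2022-03-20T01:04:00Z", "Workload": "Exchange", "Operation": "New-TransportRule",
     "Actor": "svc-backup@example.com",
     "Parameters": {"Name": "Compliance archive", "BlindCopyTo": "svc-backup@example.com"}},
    # A legitimate, scoped rule: copies only external mail to a legal mailbox.
    {"Time": "2022-03-20T01:05:00Z", "Workload": "Exchange", "Operation": "New-TransportRule",
     "Actor": "mailadmin@example.com",
     "Parameters": {"Name": "Legal hold", "BlindCopyTo": "legal@example.com",
                    "SentToScope": "NotInOrganization"}},
    {"Time": "2022-03-20T01:09:00Z", "Workload": "AzureActiveDirectory",
     "Operation": "Remove member from role.", "Actor": "svc-backup@example.com",
     "Target": "cio@example.com", "Role": GLOBAL_ADMIN},
    {"Time": "2022-03-20T01:09:30Z", "Workload": "AzureActiveDirectory",
     "Operation": "Remove member from role.", "Actor": "svc-backup@example.com",
     "Target": "secops@example.com", "Role": GLOBAL_ADMIN},
]


def broad_forwarding_rules(events):
    """Return transport-rule events that copy/redirect mail and carry no scoping condition."""
    hits = []
    for ev in events:
        if ev.get("Workload") != "Exchange":
            continue
        if ev.get("Operation") not in ("New-TransportRule", "Set-TransportRule"):
            continue
        params = ev.get("Parameters", {})
        targets = [params[p] for p in sorted(FORWARDING_ACTIONS) if p in params]
        # Forwarding action present and nothing restricts which mail the rule matches.
        if targets and not SCOPING_CONDITIONS.intersection(params):
            hits.append({"rule": params.get("Name"), "actor": ev["Actor"], "forward_to": targets})
    return hits


def global_admin_lockout(events):
    """Map each newly added Global Admin to the other Global Admins it then removed."""
    newly_added = set()
    removals = defaultdict(list)
    for ev in events:
        if ev.get("Workload") != "AzureActiveDirectory" or ev.get("Role") != GLOBAL_ADMIN:
            continue
        if ev["Operation"] == "Add member to role.":
            newly_added.add(ev["Target"])
        elif ev["Operation"] == "Remove member from role." and ev["Actor"] in newly_added:
            removals[ev["Actor"]].append(ev["Target"])
    return dict(removals)


def takeover_alerts(events):
    """Combine both signals: a new Global Admin that removes other admins, and whether
    an org-wide rule also delivers all mail to that same account."""
    forwarding = broad_forwarding_rules(events)
    alerts = []
    for actor, removed in global_admin_lockout(events).items():
        receives_mail = any(actor in h["forward_to"] for h in forwarding)
        alerts.append({"actor": actor, "removed_admins": removed,
                       "org_wide_mail_copy": receives_mail})
    return alerts


if __name__ == "__main__":
    for alert in takeover_alerts(SAMPLE_EVENTS):
        print(alert)
```

The two checks are deliberately independent: an unscoped copy-all rule is worth an alert on its own (it also catches the "legal hold" variant only when the scope is dropped), and a freshly added Global Admin removing its peers is worth an alert regardless of mail rules; `takeover_alerts` simply reports when both point at the same account.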
The group has also used internal messaging services to understand how victims are reacting.
"It is assessed this provides DEV-0537 insight into the victim's state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands," Microsoft said.
"Notably, DEV-0537 has been observed joining incident response bridges within targeted organizations responding to destructive actions. In some cases, DEV-0537 has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made and DEV-0537 publicly leaked the data they stole."
In the past 24 hours, LAPSUS$ also claimed to have hit Okta. In response, Okta said the group had access to a support engineer's laptop over a five-day period.
Replying to Okta, the group said the compromised device was a thin client, and that it had gained access to a superuser portal that could reset the password and multifactor authentication of 95% of clients.
"For a company that supports zero-trust, support engineers seem to have excessive access to Slack? 8.6k channels?" the group said.
"The potential impact to Okta customers is NOT limited, I'm pretty certain resetting passwords and MFA would result in complete compromise of many clients' systems."
The group called on Okta to hire a cybersecurity firm and to publish any report they complete. It also claimed Okta was storing AWS keys within Slack.