Microsoft confirmed that it has been breached by the hacker group Lapsus$, adding to the cyber gang's growing list of victims.
This hacker group is a bit different, according to Microsoft, because it doesn’t seem to cover its tracks. Sometimes it announces the hack on social media or advertises its intent to buy credentials from employees of target organizations.
The group also uses several tactics that are less frequently used by others tracked by Microsoft, such as phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.
Microsoft explains in a blog post that Lapsus$ had compromised one of its accounts, resulting in what it describes as limited access to company systems but not to the data of any Microsoft customers. Microsoft tracks the group under the name DEV-0537.
“DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors,” Microsoft wrote in a blog post.
DEV-0537 also is known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.
Microsoft said DEV-0537 uses a variety of methods focused on compromising user identities to gain initial access to an organization, such as searching public code repositories for exposed credentials, or paying employees, suppliers, or business partners of targeted organizations for access to credentials and MFA approval.
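The first of those initial-access methods, harvesting credentials that were committed to public repositories, is one a defender can check for before code is pushed. The scanner below is an added illustration, not Microsoft's or Lapsus$-related code: it runs two detection rules (the fixed shape of an AWS access key ID, and credential-like names assigned a literal value) over a constructed sample repository and drops low-entropy placeholder values so that dummy strings do not flood the alert. The sample files and their values are fabricated for this example; the AWS values are the placeholders AWS's own documentation uses.

```python
import math
import re
from collections import Counter

# Constructed sample repository contents (placeholders, not real credentials;
# the AWS values are the ones AWS's own documentation uses as examples).
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_HOST = "db.internal.example"\n'
        'DB_PASSWORD = "Tr0ub4dor&3xample!"\n'
        'ADMIN_PASSWORD = "xxxxxxxx"\n'
    ),
    "deploy/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "README.md": "Set DB_PASSWORD in your environment; never commit it.\n",
}

# Rule 1: AWS access key IDs have a fixed, recognisable shape.
# Rule 2: a credential-like name assigned a literal of 8+ non-space characters.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential-assignment", re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key)"
        r"\s*[=:]\s*['\"]?(?P<value>[^\s'\"]{8,})")),
]
ENTROPY_THRESHOLD = 3.0  # bits per character; filters "xxxxxxxx"-style dummies


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; near-zero means a repeated placeholder."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_files(files: dict) -> list:
    """Return (path, line_no, rule) for every line that looks like a credential."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES:
                m = pattern.search(line)
                if not m:
                    continue
                value = m.groupdict().get("value") or m.group(0)
                if shannon_entropy(value) >= ENTROPY_THRESHOLD:  # skip dummies
                    findings.append((path, line_no, rule))
    return findings
```

Calling `scan_files(SAMPLE_FILES)` flags the real-looking password and both AWS values while leaving the README sentence and the `xxxxxxxx` placeholder alone; wiring the same function into a pre-commit hook stops the file before it ever reaches a public repository.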
The disclosure comes after the group claimed credit for compromising Okta, a digital identity management firm that adds authentication services to applications. On Tuesday evening, following an investigation into those claims, Okta acknowledged that hundreds of its customers may have been affected by a breach in January linked to one of Okta's outside contractors.