Microsoft confirmed that it has been breached by the hacker group Lapsus$, adding to the cyber gang's growing list of victims.
This hacker group is a bit different, according to Microsoft,
because it doesn’t seem to cover its tracks. Sometimes it announces the hack on social media or advertises its intent to buy credentials from employees of target organizations.
The group
also uses several tactics that are less frequently used by others tracked by Microsoft, such as phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email
accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and
intruding in the ongoing crisis-communication calls of their targets.
Microsoft explains in a blog post that Lapsus$ had compromised one of its accounts, resulting in what it describes as
limited access to company systems, but not the data of any Microsoft customers. The group also is known by the name DEV-0537.
“DEV-0537 started targeting organizations in the United
Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors,” Microsoft wrote in a blog post.
DEV-0537 also is known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.
Microsoft said DEV-0537 uses a variety of methods focused on
compromising user identities to gain initial access to an organization such as searching public code repositories for exposed credentials, or paying employees at targeted organizations, suppliers or
business partners for access to credentials and MFA approval.
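The first of those methods, searching public code repositories for exposed credentials, is one a defender can run against their own repositories before the attacker does. The scanner below is an added example written for this article; it is not Microsoft's or the group's tooling, and the pattern set, the entropy cut-off, the `Finding` class and the sample settings file are all constructed for illustration. It shows why a credential scanner needs two kinds of rule: fixed-prefix patterns for well-known token formats, and a generic "secret-looking name = value" rule gated by a Shannon-entropy check so that placeholders like `hunter2hunter2hunter2` are not reported.

```python
"""Scan committed text for credential-looking strings.
Added illustration of the "exposed credentials in public repos" vector;
pattern set, threshold and sample file are assumptions, not a real product."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Well-known token shapes with fixed prefixes; these rarely false-positive.
# (Assumed, abbreviated set; a production scanner carries hundreds.)
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}

# Generic "secret-ish name = value" assignment. On its own it also matches
# placeholders, so matches are gated on the entropy of the value.
GENERIC_PATTERN = re.compile(
    r"(?i)(?:secret|password|passwd|token|api_?key)[a-z0-9_]*\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)
MIN_ENTROPY_BITS = 3.0  # bits per character; assumed cut-off


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character: high for random key material, low for
    repeated or dictionary-like placeholder text."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-looking string, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        specific_hit = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                findings.append(Finding(line_no, kind, value, shannon_entropy(value)))
                specific_hit = True
        if specific_hit:
            continue  # avoid double-reporting the same token via the generic rule
        for m in GENERIC_PATTERN.finditer(line):
            value = m.group(1)
            ent = shannon_entropy(value)
            if ent >= MIN_ENTROPY_BITS:
                findings.append(Finding(line_no, "generic_high_entropy", value, ent))
    return findings


# Constructed sample: a settings file committed by mistake. The AWS values are
# the documented AWS example credentials; the GitHub token is made up.
SAMPLE_REPO_FILE = """\
# constructed sample, committed-by-mistake settings file
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
DB_PASSWORD = "hunter2hunter2hunter2"
ADMIN_PASSWORD = "changeme"
-----BEGIN RSA PRIVATE KEY-----
# (key body omitted in this constructed sample)
"""


def redact(value: str) -> str:
    """Show only a prefix so the scanner's own output does not leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


if __name__ == "__main__":
    for f in scan_text(SAMPLE_REPO_FILE):
        print(f"line {f.line_no}: {f.kind} {redact(f.value)} (entropy {f.entropy:.2f} bits/char)")
```

Running it reports the AWS access key id (line 2), the AWS secret via the generic rule (line 3, entropy above 4.5 bits/char), the GitHub token (line 4) and the private-key header (line 7); `DB_PASSWORD` is matched by the generic rule but dropped because a 7-character repeating string has only log2(7) ≈ 2.81 bits/char, and `changeme` is too short to match at all. In a real pipeline the same function would run over the full git history, not just the working tree, since a secret removed in a later commit is still retrievable from the earlier one.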
The disclosure comes after the group claimed credit for compromising Okta, a digital identity management firm that adds
authentication services to applications. On Tuesday evening, following an investigation into those claims, Okta acknowledged that hundreds of its customers may have been affected by
a breach in January linked to one of Okta's outside contractors.