Cyber Incident Victim: Microsoft
Date: Mar 2022
Location: United States of America
Summary
Microsoft confirmed a breach by the Lapsus$ extortion group, which compromised an employee account to access internal source code repositories, including projects for Bing, Cortana, and Bing Maps. The attackers leveraged stolen credentials obtained via methods such as deploying the Redline password stealer, purchasing credentials on underground forums, bribing employees for access, and scanning public repositories for exposed data. They bypassed multi-factor authentication through session replay attacks and SIM swapping, then escalated privileges using tools like AD Explorer to target development platforms like SharePoint and Azure DevOps. The group exfiltrated data via NordVPN while monitoring internal communication channels, though no customer data was affected.
Description
On March 22, 2022, Microsoft confirmed a security breach involving the Lapsus$ extortion group, which compromised a single employee account to access portions of its source code repositories. The intrusion occurred prior to March 21, when Lapsus$ publicly released 37GB of stolen source code from Microsoft’s Azure DevOps server, affecting internal projects including Bing, Cortana, and Bing Maps. Microsoft’s cybersecurity response teams had already begun an investigation based on threat intelligence before the public disclosure, which allowed them to intervene and terminate the active compromise. The company stated that the breach provided only limited access and emphasized that no customer code or data was exposed. Remediation focused on disabling the compromised account to prevent further unauthorized activity. Microsoft downplayed the operational risk, asserting that source code visibility alone does not raise its security risk because its defenses do not rely on code secrecy.

Lapsus$, tracked by Microsoft as DEV-0537, relied on credential-based tactics for initial network access. The group acquired credentials through multiple methods: deploying the Redline password stealer malware via phishing, watering holes, and fraudulent YouTube videos; purchasing credentials and session tokens on underground forums; bribing employees or suppliers for access; and scanning public repositories for exposed secrets. Once authenticated, the attackers targeted public-facing systems such as VPNs, virtual desktops, and identity management services, circumventing multi-factor authentication (MFA) through session replay attacks or MFA fatigue (spamming approval requests until users acquiesced). In one instance, they executed a SIM swap attack to intercept SMS-based MFA codes. After gaining entry, Lapsus$ used Active Directory Explorer to escalate privileges and moved into collaboration and development platforms such as SharePoint, Confluence, JIRA, Slack, and Microsoft Teams to harvest additional credentials. They exploited vulnerabilities in Confluence, JIRA, and GitLab to compromise privileged accounts, then accessed source code repositories on GitHub, GitLab, and Azure DevOps. Data exfiltration occurred via NordVPN to obscure its origin, while destructive actions triggered incident response procedures that the group monitored through compromised communication channels such as Teams or Slack. Microsoft’s investigation found these tactics consistent with DEV-0537’s broader pattern of targeting enterprises, including prior attacks on NVIDIA, Samsung, and Okta.
