The activity we have observed has been attributed to a threat
group that Microsoft tracks as DEV-0537, also known as LAPSUS$.
DEV-0537 is known for using a pure extortion and destruction model
without deploying ransomware payloads. DEV-0537 started targeting
organizations in the United Kingdom and South America but expanded
to global targets, including organizations in government,
technology, telecom, media, retail, and healthcare sectors.
DEV-0537 is also known to take over individual user accounts at
cryptocurrency exchanges to drain cryptocurrency holdings.

Unlike most activity groups that stay under the radar, DEV-0537
doesn’t seem to cover its tracks. The group goes as far as announcing
their attacks on social media or advertising their intent to buy
credentials from employees of target organizations. DEV-0537 also
uses several tactics that are less frequently used by other threat
actors tracked by Microsoft. Their tactics include phone-based
social engineering; SIM-swapping to facilitate account takeover;
accessing personal email accounts of employees at target
organizations; paying employees, suppliers, or business partners
of target organizations for access to credentials and multifactor
authentication (MFA) approval; and intruding on the ongoing
crisis-communication calls of their targets.

This week, the actor made public claims that they had gained
access to Microsoft and exfiltrated portions of source code. No
customer code or data was involved in the observed activities. Our
investigation has found a single account had been compromised,
granting limited access. Our cybersecurity response teams quickly
engaged to remediate the compromised account and prevent further
activity. Microsoft does not rely on the secrecy of code as a
security measure and viewing source code does not lead to
elevation of risk. The tactics DEV-0537 used in this intrusion
reflect the tactics and techniques discussed in this blog. Our
team was already investigating the compromised account based on
threat intelligence when the actor publicly disclosed their
intrusion. This public disclosure escalated our action, allowing
our team to intervene and interrupt the actor mid-operation,
limiting broader impact.