Microsoft (MSFT) - Get Free Report confirmed that it has become the latest victim of the data extortion group Lapsus$, which claimed it had obtained source code for the Bing search engine and Cortana voice assistant.
The software giant said in a blog post that a single account had been compromised, “granting limited access.”
Lapsus$, which Microsoft tracks as DEV-0537, posted a partial file that the group said contained partial source code for Bing and Cortana. The group claimed on its Telegram channel that it had breached Microsoft and Okta (OKTA) - Get Free Report and employee accounts of LG Electronics.
Okta said in a blog post that its service “is fully operational, and there are no corrective actions our customers need to take.”
“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon,” the post said. “We have identified those customers and are contacting them directly.”
The Telegram post described a “leak of some Bing, Bing Maps and Cortana source code—Bing maps is 90% complete dump, Bing and Cortana around 45%.
“Dump pf LG’s infrastructure confluence will be released soon,” the Telegram post said. “Might be a good idea to consider a new CSIRT team!”
“Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks,” Microsoft said. “They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations.”
The group, the post said, “is known for using a pure extortion and destruction model without deploying ransomware payloads.”
“DEV-0537 is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings,” Microsoft said.
Lapsus$ started targeting organizations in the United Kingdom and South America, Microsoft said, but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors.
Last December, Brazil’s health ministry said its website was hacked by the group, and Impresa, Portugal’s largest media conglomerate, said in early January that the websites of its Expresso newspaper and SIC TV station had been hit.
Their tactics, Microsoft said, “include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.”
“The actors behind DEV-0537 focused their social engineering efforts to gather knowledge about their target’s business operations,” the post said. “Such information includes intimate knowledge about employees, team structures, help desks, crisis response workflows, and supply chain relationships.”
Russian Cyber Threat
The breach comes shortly after a warning by President Joe Biden that the unprovoked invasion of Ukraine, and the resulting sanctions on aggressor Russia, may lead to a rash of cybersecurity breaches unleashed by the Kremlin and other quasi-official sources in Russia.
Cyber criminals are targeting the energy infrastructure in the U.S, including pipelines, refineries and power grids to attack their operations and supply chain systems, experts said.
Hackers have targeted oil and gas producers in the past, such as the attack of the Colonial Pipeline, the largest U.S. fuel pipeline that resulted in shortages along the East Coast in April 2021.
Lost business represented 38% of the overall average, the report said, and this included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.
Business email compromise was responsible for only 4% of breaches, but had the highest average total cost at $5.01 million.
The second costliest breach was phishing at $4.65 million, followed by malicious insiders at $4.61 million, social engineering at $4.47 million and compromised credentials at $4.37 million.