Microsoft Says Lapsus$ Hackers Gained ‘Limited Access’ to a Single Account – CNET

James Martin/CNET

The attack came as data breaches are on the rise across all industries. In 2021, data breaches jumped 68% year over year to the highest total ever, according to a report by the Identity Theft Resource Center.
Microsoft confirmed Tuesday that an attack connected to the Lapsus$ hacking group gained “limited access” to a single account, adding that its security teams interrupted the effort.
“DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads,” according to a blog post Tuesday on Microsoft Threat Intelligence Center. “DEV-0537 is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.”
The revelation comes after the South American hacking group, which has been linked to data breaches at Samsung and Nvidia, said Monday that it had hacked Microsoft and obtained partial source code for Microsoft products Bing, Bing Maps and Cortana. Microsoft said its investigators have for weeks been tracking the group, which it calls DEV-0537, as it attacked government, technology, telecom, media, retail and health care sectors around the world.
“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion,” the blog post said. “This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”
Microsoft said the group’s tactics include phone-based social engineering, SIM-swapping, and paying employees and vendors at targeted organizations for access to credentials. Lapsus$ doesn’t seem concerned with hiding its activity, Microsoft said, adding that the hackers go so far as to advertise for credentials and to use social media to announce their attacks.
DEV-0537 also claimed responsibility for a data breach attempt in January of identity authentication giant Okta. However, Okta CEO Todd McKinnon said Tuesday that the January event was “contained” and that it had no evidence of ongoing malicious activity since then.