Companies that have suffered Lapsus attacks include Samsung, NVIDIA, Vodafone, Ubisoft, Okta and Microsoft. The Lapsus group recently revealed the source code for multiple Microsoft applications, including Cortana, Bing, and Bing Maps. The Redmond giant has already acknowledged the hacking group's attack, and the company has shared some more details about the threat actor with users.

Microsoft says the Lapsus group has recently expanded its scope to target a large number of enterprise and individual organizations worldwide. The hacking group often carries out attacks through phone-based social engineering, SIM swaps and bribing employees to gain access to multi-factor authentication (MFA) systems and internal systems. Other methods include analyzing public code repositories to detect fake credentials and purchasing credentials from criminal forums.

After successfully obtaining initial access, the Lapsus hacking group uses AD Explorer to compile a list of the target organization's users. It then navigates collaboration platforms like Slack, SharePoint, Teams, GitLab, Jira, and Confluence to explore them and find sensitive information. The group also exploits platform-level vulnerabilities to run privilege escalation routines. Microsoft says that in some cases Lapsus will even call the company's help desk to reset a privileged user's password.
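The help-desk password reset described above is something a defender can watch for directly. The following is an added example, not code from the original article or from Microsoft: it scans identity-audit events for password resets performed on privileged accounts and raises the severity when an MFA method is added to the same account shortly afterwards. The log format, the account names and the 30-minute window are all constructed assumptions for illustration; adapt the parser to whatever your identity provider actually emits.

```python
"""Flag help-desk password resets on privileged accounts (added example).

The event format below is an assumption: one line per event, an ISO-8601
timestamp, an action name, then key=value fields. It is not any vendor's
real audit schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real data). Two resets hit privileged
# accounts; one of them is followed by a new MFA method within the window.
SAMPLE_EVENTS = [
    "2022-03-20T09:01:00Z reset_password actor=helpdesk-05 target=jdoe channel=phone",
    "2022-03-20T09:04:00Z reset_password actor=helpdesk-05 target=svc-domainadmin channel=phone",
    "2022-03-20T09:07:00Z mfa_method_added actor=svc-domainadmin target=svc-domainadmin channel=selfservice",
    "2022-03-20T11:30:00Z reset_password actor=helpdesk-02 target=ops-admin channel=ticket",
    "2022-03-20T13:00:00Z mfa_method_added actor=ops-admin target=ops-admin channel=selfservice",
]

# Hypothetical set of privileged accounts; in practice pull this from your
# directory's admin groups rather than hard-coding it.
PRIVILEGED = {"svc-domainadmin", "ops-admin"}
WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    action: str
    actor: str
    target: str
    channel: str


def parse(line: str) -> Event:
    """Parse one constructed audit line into an Event."""
    ts_text, action, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    # fromisoformat() accepts a trailing 'Z' only on Python 3.11+, so
    # normalise it to an explicit UTC offset first.
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return Event(ts, action, fields["actor"], fields["target"], fields["channel"])


def find_suspicious(lines, privileged=PRIVILEGED, window=WINDOW):
    """Return (target, actor, channel, severity) for every password reset
    on a privileged account. Severity is 'high' when an MFA method is added
    to that account within `window` after the reset, 'medium' otherwise."""
    events = [parse(line) for line in lines]
    alerts = []
    for ev in events:
        if ev.action != "reset_password" or ev.target not in privileged:
            continue
        mfa_followups = [
            f for f in events
            if f.action == "mfa_method_added"
            and f.target == ev.target
            and ev.ts <= f.ts <= ev.ts + window
        ]
        severity = "high" if mfa_followups else "medium"
        alerts.append((ev.target, ev.actor, ev.channel, severity))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

The medium-severity alert is still worth a callback to the account owner over a known-good channel, because a phone-initiated reset is exactly the step the article says the group uses; the MFA-method correlation only separates the cases where the reset has already been turned into persistent access.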

“Our investigation found that the security of a single account with limited access was compromised. Our cybersecurity response teams quickly stepped in to fix the compromised account and prevent further activity. Microsoft does not rely on the confidentiality of the code as a security measure, and displaying the source code does not lead to an increased risk. The DEV-0537 (LAPSUS$) tactics used in this attack reflect the tactics and techniques discussed in this blog. When the group publicly disclosed their intrusions, our team was already investigating compromised accounts based on threat intelligence. This public statement accelerated our action and limited the wider impact by allowing our team to intervene in the middle of the operation,” he said.