The hacking group DEV-0537, also known as LAPSUS$, operates on a global scale using a pure extortion and destruction model without deploying ransomware payloads. They recently made headlines after they breached multiple organizations, including Microsoft. In the case of Microsoft’s breach, our investigation found a single account had been compromised — granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to an elevation of risk. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action, allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact. Using some of the tactics outlined below, our cybersecurity response team was able to quickly address the attack and prevent further activity.
Unlike other social engineering attackers, DEV-0537 publicly announces their attacks on social media and pays employees for login credentials and multifactor authentication (MFA) approval. In the past, they have also used SIM-swapping to facilitate account takeovers, targeted personal email accounts of employees, and intruded on crisis-communication calls once their targets have been hacked.
Fortunately, with some education on DEV-0537’s known tactics and strong cyber hygiene, businesses can guard themselves against future social engineering attacks.
Our top 6 recommendations
- Strengthen MFA implementation
MFA is one of the primary lines of defense against DEV-0537. Strengthen your company’s cyber hygiene by requiring MFA for all users across all locations — regardless of whether they’re working remotely, from a trusted environment, or even from an on-premises system.
DEV-0537 often attempts to access networks via compromised credentials, so user-risk and sign-in-risk-based policies can block the follow-on steps the actor takes with a stolen credential, such as enrolling a new device or registering an MFA method. Break-glass accounts and enterprise or workplace credentials should be stored offline rather than in a password vault or online browser. Businesses can also leverage Azure AD Password Protection to guard against easily guessed passwords, and passwordless authentication methods like Windows Hello for Business, Microsoft Authenticator, or FIDO tokens can further reduce risks. Finally, you can use automated reports and workbooks to gain insight into risk distribution, risk detection trends, and opportunities for risk remediation.
Avoid telephone-based MFA methods to mitigate the risk of SIM-jacking, as this is a common tactic used by DEV-0537. Other weak MFA factors include simple voice approvals, simple push (instead, use number matching), and secondary email addresses. Prevent users from sharing their credentials, and block location-based MFA exclusions — which allow bad actors to bypass the MFA requirements if they can fully compromise a single identity.
- Require healthy and trusted endpoints
Another way to guard against data theft is by requiring trusted, compliant, and healthy devices for access to resources. By turning on cloud-delivered protection in Microsoft Defender Antivirus, you can protect against rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
- Leverage modern authentication options for VPNs
Implementing modern authentication and tight conditional VPN access policies has previously been effective against DEV-0537. Some options that your organization can leverage include OAuth or SAML connected to Azure AD to enable risk-based sign-in detection. These strategies block authentication attempts based on sign-in risk, require compliant devices before users can sign in, and integrate more tightly with your authentication stack to improve risk detection accuracy.
- Strengthen and monitor your cloud security posture
Because DEV-0537 uses legitimate credentials to attack networks and leak sensitive enterprise data, at first glance, the group’s activity might appear consistent with typical user behavior. However, you can strengthen your cloud security posture by reviewing Conditional Access user and session risk configurations, configuring alerts to prompt a review on high-risk modification, and reviewing risk detections in Azure AD Identity Protection.
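The two signals the MFA and cloud-posture recommendations above describe, written as an added example rather than code from Microsoft or from this post: an approval that follows a run of denied or timed-out push prompts (the weakness of simple push without number matching), and an MFA method registered shortly after a sign-in from a new device (a high-risk modification worth an alert). The audit records, event names and field layout are constructed assumptions, not real Azure AD or Defender output.

```python
from datetime import datetime, timedelta

# Constructed audit records (not real Azure AD or Defender output), in
# chronological order. Fields: timestamp, user, event, detail (assumed names).
EVENTS = [
    ("2022-03-20T02:00:05", "jdoe", "sign_in", "new_device"),
    ("2022-03-20T02:00:10", "jdoe", "mfa_push", "denied"),
    ("2022-03-20T02:00:48", "jdoe", "mfa_push", "denied"),
    ("2022-03-20T02:01:17", "jdoe", "mfa_push", "timeout"),
    ("2022-03-20T02:01:55", "jdoe", "mfa_push", "denied"),
    ("2022-03-20T02:02:30", "jdoe", "mfa_push", "approved"),
    ("2022-03-20T02:03:10", "jdoe", "mfa_method_added", "phone"),
    ("2022-03-20T09:15:00", "asmith", "sign_in", "known_device"),
    ("2022-03-20T09:15:07", "asmith", "mfa_push", "approved"),
    ("2022-03-20T13:40:00", "asmith", "mfa_method_added", "authenticator"),
]

def push_fatigue(events, min_failures=3, window=timedelta(minutes=10)):
    """Approval after >= min_failures denied/timed-out prompts in `window`:
    the trace a bought or worn-down approval leaves with simple push."""
    recent = {}  # user -> timestamps of recent non-approved prompts
    hits = []
    for ts, user, event, detail in events:
        if event != "mfa_push":
            continue
        t = datetime.fromisoformat(ts)
        failed = [f for f in recent.get(user, []) if t - f <= window]
        if detail == "approved":
            if len(failed) >= min_failures:
                hits.append((user, ts, len(failed)))
            failed = []
        else:
            failed.append(t)
        recent[user] = failed
    return hits

def risky_mfa_registration(events, window=timedelta(hours=1)):
    """MFA method registered within `window` of a new-device sign-in: a
    high-risk modification that outlives the stolen credential."""
    last_new_device = {}
    hits = []
    for ts, user, event, detail in events:
        t = datetime.fromisoformat(ts)
        if event == "sign_in" and detail == "new_device":
            last_new_device[user] = t
        elif event == "mfa_method_added":
            since = last_new_device.get(user)
            if since is not None and t - since <= window:
                hits.append((user, ts, detail))
    return hits
```

Both checks depend on the records being ordered by time; an alert from either should prompt a review of that user's session and recently added authentication methods.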
- Improve awareness of social engineering attacks
Strong employee education is another way to protect your organization against social engineering attacks like those carried out by DEV-0537. Your technical team should know what to watch out for and how to report unusual employee activity. Likewise, IT help desks should quickly track and report any suspicious users. Review your help desk policies for password resets for highly privileged users and executives so that they take social engineering into consideration.
- Establish operational security processes in response
One hallmark tactic of DEV-0537 is to monitor and eavesdrop on incident response communications in the event of a cybersecurity breach. Companies should monitor these communication channels closely, and attendees should be routinely verified.
In the event that your organization is hacked by DEV-0537, follow tight operational security practices. Develop an out-of-band communication plan for incident responders that can be used for multiple days while an investigation occurs, and ensure response plan documentation is closely guarded and not easily accessible.
Microsoft will continue monitoring DEV-0537’s activities, and we will share additional insights and recommendations as the situation evolves.
For more information on how to protect your organization against future cyber attacks, view our in-depth guide to DEV-0537 and check out our security blog.