The hacking group DEV-0537, also known as LAPSUS$, operates on a global scale using a pure extortion and destruction model without deploying ransomware payloads. Unlike other social engineering attackers, DEV-0537 publicly announces its attacks on social media and pays employees for login credentials and multifactor authentication (MFA) approval. In the past, they have also used SIM-swapping to facilitate account takeovers, targeted personal employee email accounts, and intruded on crisis-communication calls once their targets have been hacked.
With some education on DEV-0537’s known tactics and strong cyber hygiene, businesses can guard themselves against future social engineering attacks.
Strengthen MFA Implementation
MFA is one of the primary lines of defense against DEV-0537. Require MFA for all users across all locations — regardless of whether they’re working remotely, from a trusted environment, or even from an on-premises system.
DEV-0537 often attempts to access networks via compromised credentials, so user and sign-in risk-based policies can protect against threats like new device enrollment and MFA registration. “Break glass” accounts and enterprise or workplace credentials should be stored offline rather than in a password vault or an online browser. Businesses can also leverage password protection to guard against easily guessed passwords.
Passwordless authentication methods can further reduce risks. Finally, you can use automated reports and workbooks to gain insight into risk distribution, risk detection trends, and opportunities for risk remediation.
Avoid telephone-based MFA methods to mitigate the risk of SIM-jacking, where the attackers trick the mobile carrier into transferring the phone number to a different SIM card. Other MFA factors such as voice approvals, simple push (instead, use number matching), and secondary email addresses are also weak and can be bypassed. Prevent users from sharing their credentials, and block location-based MFA exclusions — which allow bad actors to bypass the MFA requirements if they can fully compromise a single identity.
Require Healthy and Trusted Endpoints
Another way to guard against data theft is by requiring trusted, compliant, and healthy devices for access to resources. Cloud-delivered protection can further protect against rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
Leverage Modern Authentication Options for VPNs
Implementing modern authentication and tight conditional VPN access policies like OAuth or SAML has previously been effective against DEV-0537. These strategies block authentication attempts based on sign-in risk — requiring compliant devices in order for users to sign in and tighter integration with your authentication stack to improve risk detection accuracy.
Strengthen and Monitor Your Cloud Security Posture
Because DEV-0537 uses legitimate credentials to attack networks and leak sensitive enterprise data, at first glance, the group’s activity might appear consistent with typical user behavior. However, you can strengthen your cloud security posture by reviewing Conditional Access user and session risk configurations, configuring alerts to prompt a review on high-risk modification, and reviewing risk detections.
Improve Awareness of Social Engineering Attacks
Strong employee education is another way to protect your organization against social engineering attacks like DEV-0537. Your technical team should know what to watch out for and how to report unusual employee activity. Likewise, IT help desks should quickly track and report any suspicious users. Review your help desk policies for password resets for highly privileged users and executives to take social engineering into consideration.
Establish Operational Security Processes in Response
One hallmark tactic of DEV-0537 is to monitor and eavesdrop on incident response communications in the event of a cybersecurity breach. Companies should monitor these communication channels closely, and attendees should be routinely verified.
In the event that your organization is hacked by DEV-0537, follow tight operational security practices. Develop an out-of-band communication plan for incident responders that can be used for multiple days while an investigation occurs, and ensure response plan documentation is closely guarded and not easily accessible.
Microsoft will continue monitoring DEV-0537’s activities, and we will share additional insights and recommendations as the situation evolves.
Read more Partner Perspectives from Microsoft.
