Microsoft is investigating claims that internal source code repositories have been accessed and data has been stolen. The alleged hack is linked to the hacking group Lapsus$, which attacked companies such as Nvidia, Samsung and Vodafone in the past successfully, reports ghacks.
This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access.
Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog.
Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.
About the ransomware
Unlike most extortion groups, which try to install ransomware on systems that they attack successful, Lapsus$ tries to get a ransom for downloaded data from the companies that it attacked.
The main services that Lapsus$ may have downloaded the source code from appear to be Bing, Bing Maps and Cortana. It is unclear at this point whether the full source codes have been downloaded by the attackers, and whether other Microsoft applications or services are included in the dump.
Source codes may contain valuable information. The code may be analyzed for security vulnerabilities that hacking groups may exploit. There is also the chance that source codes include valuable items such as code signing certificates, access tokens or API keys. Microsoft has a development policy in place that prohibits the inclusion of such items, Microsoft calls them secrets, in its source codes
The search terms used by the actor indicate the expected focus on attempting to find secrets. Our development policy prohibits secrets in code and we run automated tools to verify compliance.
Lots of uncertainty is surrounding the hack at this moment. Did Lapsus$ manage to breach Microsoft’s defenses? Did the group manage to download data, and if it did, what data was downloaded and how complete is it? Bing, Bing Maps and Cortana are not the most important Microsoft services.
Judging by Lapsus$’s track record, it is likely that the reported hack did indeed happen. The question of whether the downloaded data is valuable enough to get a ransom from Microsoft for not publishing it on the Internet is open for debate.
Did you subscribe to our daily Newsletter?
It’s Free! Click here to Subscribe