The hacking group Lapsus$, known for claiming to have hacked Samsung, Nvidia, and more, claimed it has even hacked Microsoft this week. The group posted a file it claimed contains partial source code for Bing and Cortana in an archive holding nearly 37GB of data.
On Tuesday evening, after investigating, Microsoft confirmed the group that it calls DEV-0537 compromised “a single account” and stole parts of source code for some of its products. A blog post on its security site says Microsoft investigators have been tracking the Lapsus$ group for weeks and details some methods they’ve used to compromise victims’ systems. According to the Microsoft Threat Intelligence Center (MSTIC), “the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”
Microsoft maintains that exposure of the stolen code does not elevate risk, since it does not rely on code secrecy as a security measure, and that its response teams interrupted the hackers mid-operation.
If its claims are to be believed, Lapsus$ has been on a tear recently. The group says it’s had access to data from Okta, Samsung, Ubisoft, Nvidia, and now Microsoft. While companies like Samsung and Nvidia have admitted their data was stolen, Okta pushed back against the group’s claims that it has access to its authentication service, claiming that “The Okta service has not been breached and remains fully operational.”
Microsoft's blog post states: “This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.

“Microsoft does not rely on code secrecy as a security measure; viewing source code does not lead to risk elevation. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action, allowing our team to intervene and interrupt the actor mid-operation, limiting the broader impact.”
Lapsus$ also claims it got only around 45 percent of the code for Bing and Cortana and about 90 percent for Bing Maps. The latter seems a less valuable target than the other two, even if Microsoft were worried about its source code revealing vulnerabilities, which it says it is not.
In its blog post, Microsoft outlines several steps other organizations can take to improve their security, including requiring multifactor authentication, not using “weak” multifactor authentication methods like text messages or secondary email, educating team members about the potential for social engineering attacks, and creating processes for potential responses to Lapsus$ attacks. Microsoft also says it’ll keep tracking Lapsus$, monitoring any attacks it carries out on Microsoft customers.
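The "weak multifactor" recommendation above is easy to state and easy to get wrong in practice: an account with a hardware key registered is still exposed if SMS or e-mail remains enabled as a fallback, because an attacker who controls the phone number or mailbox can simply pick the weaker method. The following is an added example, not code from Microsoft's post or from The Verge, that audits a constructed export of per-user registered authentication methods and flags accounts with no second factor, accounts that rely only on weak methods, and accounts whose strong factor is undermined by a weak fallback. The export format, method names and strength ranking are assumptions for illustration, not any vendor's API.

```python
"""Audit registered MFA methods for missing, weak, or weak-fallback factors.

Added example for this article, not Microsoft's or The Verge's code. The
export format, method names and strength ranking below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Relative strength of second factors (assumed ranking for this example).
# The weak set follows the article's list (text messages, secondary e-mail)
# plus voice calls, which share the SMS weakness of riding a telco channel
# an attacker can hijack by SIM swap or social engineering.
STRENGTH = {
    "fido2": 4,              # phishing-resistant hardware key / passkey
    "windows_hello": 4,      # platform authenticator bound to the device
    "authenticator_app": 3,  # TOTP / push: phishable, but not a telco or mail channel
    "sms": 1,
    "voice_call": 1,
    "email": 1,
}
WEAK_MAX = 1  # anything ranked at or below this is treated as weak


@dataclass
class Finding:
    user: str
    status: str          # "strong", "strong_with_weak_fallback", "weak_only", "no_mfa"
    strongest: str       # strongest registered method, or "" if none
    weak_methods: List[str]


def audit_user(user: str, methods: Iterable[str]) -> Finding:
    """Classify one account by its strongest second factor and any weak fallbacks."""
    # The password is the first factor, so it never counts as MFA.
    registered = [m.lower() for m in methods if m.lower() != "password"]
    if not registered:
        return Finding(user, "no_mfa", "", [])
    # Unknown method names are ranked as weak on purpose: a typo or a method
    # this table does not know about must never silently pass the audit.
    rank = lambda m: STRENGTH.get(m, WEAK_MAX)
    strongest = max(registered, key=rank)
    weak = [m for m in registered if rank(m) <= WEAK_MAX]
    if rank(strongest) <= WEAK_MAX:
        return Finding(user, "weak_only", strongest, weak)
    if weak:
        # A strong factor with a weak fallback still enabled is the case the
        # article's advice is really about: the attacker chooses the method.
        return Finding(user, "strong_with_weak_fallback", strongest, weak)
    return Finding(user, "strong", strongest, weak)


def audit(export: Dict[str, List[str]]) -> Dict[str, Finding]:
    """Audit a whole export of user -> registered authentication methods."""
    return {user: audit_user(user, methods) for user, methods in export.items()}


# Constructed sample export (not real data): user -> registered methods.
SAMPLE_EXPORT = {
    "alice": ["password", "fido2", "sms"],             # strong key, weak SMS fallback
    "bob":   ["password", "sms"],                      # SMS only
    "carol": ["password"],                             # no second factor at all
    "dave":  ["password", "authenticator_app", "email"],
    "erin":  ["password", "legacy_token"],             # unrecognised name: not trusted
}


def print_report(findings: Dict[str, Finding]) -> None:
    for f in findings.values():
        fallback = f"weak: {', '.join(f.weak_methods)}" if f.weak_methods else ""
        print(f"{f.user:6} {f.status:26} strongest={f.strongest or '-':17} {fallback}")


if __name__ == "__main__":
    print_report(audit(SAMPLE_EXPORT))
```

Run it as-is to see the report for the constructed export; point `audit()` at a real method export by mapping your provider's method names onto the keys in `STRENGTH`. The useful output is not the "no MFA" rows, which any dashboard shows, but the `strong_with_weak_fallback` rows: those are the accounts where removing SMS and e-mail as registered methods actually changes the attacker's options.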
Source: The Verge