DecryptedTech

Friday 20 May 2022

Lapsus$ Claims They Have Some Microsoft Azure Source Code, Microsoft is Investigating the Claim



The Lapsus$ group has been in the news recently for theft of source code from some high-profile targets. These targets have included companies like NVIDIA, Samsung, Vodafone, and Ubisoft. The NVIDIA event was noteworthy as it included a claim that NVIDIA hacked the attackers back in order to encrypt the data that had been taken out of their environment.

In the case of Microsoft there is no confirmation of the source code theft yet. Microsoft says they are still investigating the claims. Lapsus$, however, has posted a screenshot of what they claim are internal repos for some of the code they have access to. They posted this in their Telegram channel but have removed it as of this writing. This did not stop people from grabbing images and sharing them.

According to one such screenshot shared on Twitter, the original Lapsus$ post appears to be of an Azure DevOps team and shows projects related to Bing and Cortana. The screenshot does not contain a URL (which could be used to confirm the page), but it does appear to show the initials of the user account that is/was being used to access the alleged information.

If this is a real breach and leak, this could help Microsoft in tracking down and removing access by the exposed account. It might also give them a trail to identify other accounts that might be compromised inside their organization, again if the leak is real. We won’t know anything until Microsoft completes their investigation and releases any details surrounding it. Until then, we can only speculate about things.

On the bright side, Microsoft has always operated and developed with an acknowledgement that attackers are already very familiar with their software, operating systems and tools. This means that the leak of source code does not have as big an impact on them as it might on another organization that keeps its code base more secret (like NVIDIA, Samsung and Ubisoft). In fact, their massive test, beta and insider groups almost ensure that attackers are already aware of what Microsoft has in the pipe for their products.

So, the effects of a potential source code leak aside, the big deal here is to identify how this group has gained access as quickly as they did. Is this a lingering effect from SolarWinds, a Log4J issue, or is there a link between all these companies, so that the first compromise set off a domino effect that has allowed Lapsus$ to topple the others very rapidly? This is a question we may never get answered, as the entities that have been compromised are not likely to publicly release this information. Still, we do have to wonder how these groups have been hit and what mitigation steps other groups should be taking to avoid being owned themselves…
