
Microsoft admitted to being hacked and 37GB of source code was leaked

Hello everyone, I'm the principal.

I saw a news item yesterday: according to a post on Reddit and a report on Cyber Kendra, a Microsoft DevOps account was compromised by the LAPSUS$ (Lapsus$) group.

What kind of hacking group is Lapsus$? It is a data-extortion group that does not install ransomware on the victim's devices. Instead, they break into company systems and steal source code, customer lists, databases and other valuable data, then try to extort a ransom from the victim in exchange for not disclosing it.

Over the past few months, Lapsus$ has been very active, disclosing a number of cyberattacks against large companies, including Nvidia, Samsung, Vodafone, the well-known game maker Ubisoft and the online commerce platform Mercado Libre.

Not long ago, Lapsus$ also posted screenshots on its Telegram channel claiming to show Okta's internal systems, one of which appeared to be Okta's Slack channel. Okta provides two-factor authentication to thousands of companies and organizations, including JetBlue, Nordstrom, Siemens, Slack and Teach for America. If that attack succeeded, it would have a significant impact on the companies, universities and government agencies that rely on Okta to verify user access to internal systems.

Last weekend, Lapsus$ posted a screenshot on Telegram: the file names "Azure DevOps", "Bing", "Cortana", etc. visible in the upper left corner indicated that it had successfully broken into Microsoft's Azure DevOps server and obtained the source code of Bing, Cortana and various internal projects.


On Monday night, the group released a torrent of a 9 GB 7zip archive containing the source code of more than 250 projects it claims belong to Microsoft. According to relevant sources, the archive is about 37 GB when uncompressed.

Lapsus$ says it contains 90 percent of Bing's source code and about 45 percent of its Bing Maps and Cortana code.


According to security researchers, the compressed package Lapsus$ published, although only 9 GB, should contain about 37 GB of source code before compression, and some of the emails and documents in it appear to be genuine: "These emails and documents are clearly used by Microsoft engineers to publish mobile applications."

Through further research, the researchers also found that the source code leaked by Lapsus$ is mainly concentrated in Microsoft's web-based infrastructure, websites and mobile applications, and does not include the source of desktop software such as Windows or Office.

In response, Microsoft published an official blog post on Tuesday: it is true that an account was compromised, but the source code leak is not a big problem.

Its reasoning: Microsoft does not rely on the secrecy of code as a security measure, so viewing the source code does not increase risk.

In the same blog post, Microsoft described four possible intrusion methods used by Lapsus$:

Deploying the Redline password stealer to obtain passwords and session tokens;

Purchasing credentials and session tokens on criminal underground forums;

Paying employees of the target organization (or of a supplier/business partner) for credentials and multi-factor authentication (MFA);

Searching public code repositories for exposed credentials.

Of these four approaches, many security researchers agree that Lapsus$ most likely "bought access from target employees", because the group had previously announced that it wanted to buy access to internal systems from employees.

To be honest, source code leaks, especially of front-end mobile applications, are really not that risky. After all, the front end is just a shell; the key is still the data, or the core algorithms, and so on.

In fact, even if the exposed source code is taken by other companies and reskinned as their own apps, that has no real impact on Microsoft: the ecosystem is what matters, and trying to take on Microsoft's ecosystem with a reskinned application is like throwing an egg at a rock.

In fact, the biggest problem is not how dangerous the leaked code is; the biggest danger is that nobody yet knows how the source code was leaked, and that needs to be found out. This time the hackers took front-end code; next time, if user data is taken, it will be a serious problem.

Lapsus$'s activity shows that security at the big international vendors is also imperfect, far from foolproof.
