Microsoft investigating alleged Lapsus$ hack of Azure DevOps source code repositories
Hackers said they gained access to an Azure DevOps repository that contained the source code for Cortana as well as other Bing projects
Microsoft says it is looking into claims that the Lapsus$ data extortion hacking group gained access to its internal Azure DevOps source code repositories and stole data.
The company told BleepingComputer that it was aware of the claims made by the group and was in the process of investigating those claims.
Over the last few months, Lapsus$ has compromised a number of major companies including Samsung, Nvidia, Vodafone, Mercado Libre and Ubisoft. Earlier this month, the gang published a massive collection of files, about 190 GB in total, which it said belonged to Samsung Electronics.
The leak allegedly included bootloader source code for recent Samsung devices, algorithms for all biometric unlock operations, source code for Samsung's activation servers, the full source code used to authenticate Samsung accounts, and secret Qualcomm source code.
While other extortion gangs use ransomware to lock their victims' machines, Lapsus$ uses a different strategy. It goes after the source code repositories of big companies, steals their proprietary data, and then demands millions of dollars in ransom to give that data back to the victims.
On Sunday, the Lapsus$ gang shared on its Telegram channel a screenshot of what appeared to be data acquired from an official developer account for Azure, Microsoft's cloud computing business.
The operatives claimed to have gained access to an Azure repository that contained the source code for Cortana as well as other Bing projects.
Lapsus$ said it accessed the repositories by hacking an Azure DevOps server.
An administrator of the Telegram channel later deleted the screenshots and posted the message: "Deleted for now will repost later".
However, the group left the initials of the logged-in user, "IS," visible in the screenshot, potentially enabling Microsoft to identify the compromised account.
Microsoft has previously said that a source code leak does not increase the security risk associated with its products.
The company's security strategy already assumes that bad actors have complete access to the source code of its products, whether through prior breaches or through the ongoing risk of leaks.
However, access to source code does make it easier for malicious actors to look for exploitable flaws in Microsoft's products.
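The "assume the source is already public" posture described above only holds if the code itself carries no credentials, keys or connection strings; a leaked repository that embeds secrets is a live breach, not just a head start for bug hunters. The scanner below is an added example, not Microsoft's tooling or anything from the article: it runs a handful of illustrative patterns over a constructed source snippet and flags hard-coded secrets while ignoring lines that resolve secrets at runtime. The rule set and the `SAFE_HINTS` list are assumptions for the demonstration, not an exhaustive catalogue.

```python
"""Flag hard-coded credentials in source text.

Added example (not from the article or from Microsoft). The detection
rules and the sample file are constructed for illustration only.
"""
import re
from typing import List, Tuple

# Each rule is (name, compiled pattern). Patterns are illustrative, not exhaustive.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_password_assignment",
     re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b"
                r"\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    ("connection_string_password",
     re.compile(r"(?i)password=[^;'\"\s]{6,}")),
]

# Lines that fetch a secret at runtime (env var, vault client) are the safe
# pattern; skip them so the scan reports only values baked into the code.
SAFE_HINTS = ("os.environ", "getenv", "KeyVault", "SecretClient")


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, stripped_line) for each flagged line.

    Only the first matching rule per line is reported, so a line with an
    AWS key id inside a quoted assignment is classified as an AWS key.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(hint in line for hint in SAFE_HINTS):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
                break
    return findings


# Constructed sample file: one safe line, then four distinct mistakes.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = "sk_live_0123456789abcdef"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
conn = "Server=db;Database=app;User Id=sa;Password=Hunter2Hunter2;"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, rule, snippet in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {snippet}")
```

In practice this kind of check belongs in a pre-commit hook or a CI gate on the repository, so that a secret never lands in history in the first place; a scan after the fact only tells you what must be rotated.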
Lapsus$ is said to be on a recruitment drive to get employees to provide sensitive information. On March 10, the gang said that it is starting to recruit insiders from big tech firms and ISPs.
The message was followed with a list of firms that Lapsus$ said it would like to breach, including IBM, Apple and Microsoft.
The gang is specifically trying to acquire remote VPN access and asks prospective insiders to contact it discreetly over Telegram, after which they will be paid for the access they provide.
It's unclear if Lapsus$ actually successfully infiltrated Microsoft's networks or whether the gang is just trolling the company. Lapsus$ has a history of behaving erratically when communicating with firms it has hacked.
During an extortion attempt against Nvidia, the gang demanded that the company remove a feature known as LHR (Lite Hash Rate) from its graphics cards, which would make them more capable of the intensive calculations needed for cryptocurrency mining.
A few days later, the group attempted to blackmail Nvidia into opening up its GPU drivers, and threatened to release confidential data if the company did not comply.
After Nvidia declined to negotiate, Lapsus$ started leaking the information on the internet. Among the files compromised were two old code-signing certificates, which some threat groups subsequently used to sign malware.