Over the weekend, a cyber extortion gang called Lapsus$ claimed to have stolen source codes for Bing and Cortana from Microsoft’s Azure DevOps server. The gang posted a screenshot of the compromised account on its Telegram channel along with a torrent link to download the 37GB source code archive. They claim the file contains 90% of the codes for Bing Maps and 45% for Bing – presumable the search engine – and Cortana, Microsoft’s digital voice assistant.
Microsoft did not immediately confirm that Lapsus$ gained access into internal servers as they were in the midst of an investigation. But today, it officially confirmed that Lapsus$ did compromise its systems. Referring to the gang as DEV-0537, Microsoft said they had gained access to a single employee’s account which granted limited access. What Microsoft defines as limited access wasn’t detailed, but it assures that no customer code or data was stolen during the incident.
According to the software giant, “Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.’
As for the source codes that have been exposed to the public, Microsoft says that “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.” Essential, what this means is the stolen source codes were not confidential nor proprietary, so it poses no harm to the company’s operations.
Whether there were any demands made was not disclosed by Microsoft, but judging by the insignificance of the source code, I assume that the gang did not make any or Microsoft might have ignored any demands made.
Something else that Microsoft did not disclose is how exactly Lapsus$ compromised the employee’s account. It only provided the public and other corporations a general outline on how to mitigate a cyberattack. You can click here to read the full blog post, but I would like to highlight one method from the article that can be used by everyone.
If possible, you should enable multi-factor authentication or two-factor authentication (2FA). This means that you will be required to provide a second means of confirming your identity on top of your username and password. It’s recommended that you use a number matching authenticator like Microsoft Authenticator or Google Authenticator. Please, avoid using weak authentication means like SMS and email as these can be easily intercepted by SIM-jacking and compromised email accounts respectively.
Microsoft said it will continue to track the activities, tactics, malware, and tools of Lapsus$ via its Microsoft Threat Intelligence Center (MSTIC). If there are any updates, it will share additional insights and recommendations.
[ SOURCE , VIA , IMAGE SOURCE ]