UPDATE 3/23: Following the dump of files that the LAPSUS$ hacking group claims to have taken from Microsoft, Microsoft has confirmed it was compromised through a single account. In a security blog post published late Tuesday, Microsoft included a section titled “Actor actions targeting Microsoft” that explains what happened:
“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.
“Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”
Although any successful intrusion is bad news for an organization, in this case the impact appears to be limited, and Microsoft says no customer code or data was involved.
Microsoft’s recommendations for preventing similar LAPSUS$ intrusions include requiring multifactor authentication for all users at all locations, encouraging strong passwords, using passwordless authentication where it is available, and requiring a VPN as an extra layer of access control in front of internal systems.
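“MFA for all users at all locations” is easy to state and easy to get wrong in practice: a policy can be left in report-only mode, exclude a service account or a “trusted” network, or list MFA as one of several alternative controls, and a single excluded account is all an actor like this needs. The script below is an added example, not code from the article or from Microsoft. It audits a constructed Conditional Access policy for exactly those gaps and scans constructed Azure AD sign-in events for successful sign-ins that required only one factor. Field names (`authenticationRequirement`, `status.errorCode`, `conditions.users.excludeUsers`, `grantControls.builtInControls`) follow the Microsoft Graph `signIn` and `conditionalAccessPolicy` resources as the editor understands them and should be treated as an assumption; the sample events and policies are invented.

```python
"""Audit constructed Azure AD (Entra ID) sign-in events and Conditional Access
policies for gaps in the "MFA for every user, from every location" control.

Added example, not code from the article or from Microsoft. Field names follow
the Microsoft Graph signIn and conditionalAccessPolicy resources as understood
by the editor (assumption); all events and policies below are constructed data.
"""
import json
from collections import defaultdict

# Constructed sign-in events, one JSON object per line (subset of Graph signIn fields).
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.9", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.5", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.44", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
"""

# Constructed policy that reads like "MFA for everyone" but leaves holes:
# report-only state, an excluded service account, trusted locations carved out,
# and MFA offered as one of two alternative grant controls.
WEAK_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["svc-legacy@example.com"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}

# The same policy with the holes closed.
HARDENED_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa"]},
}


def parse_signins(jsonl: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in events."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def successful_single_factor(events: list[dict]) -> dict[str, list[str]]:
    """Map each user who completed a sign-in with only one factor to the source IPs.

    Failed attempts (non-zero errorCode) are skipped: no session was granted.
    """
    hits = defaultdict(set)
    for event in events:
        if event.get("status", {}).get("errorCode", 0) != 0:
            continue
        if event.get("authenticationRequirement") == "singleFactorAuthentication":
            hits[event["userPrincipalName"]].add(event["ipAddress"])
    return {user: sorted(ips) for user, ips in hits.items()}


def policy_gaps(policy: dict) -> list[str]:
    """Return reasons the policy does not enforce MFA for all users at all locations."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}, not 'enabled'")
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        gaps.append("not scoped to all users")
    excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
    if excluded:
        gaps.append("excluded users/groups: " + ", ".join(excluded))
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        gaps.append("not scoped to all applications")
    locations = cond.get("locations") or {}
    if locations.get("excludeLocations"):
        gaps.append("excluded locations: " + ", ".join(locations["excludeLocations"]))
    grant = policy.get("grantControls", {})
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        gaps.append("grant controls do not require mfa")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        gaps.append("mfa is only one of several alternative controls: " + ", ".join(controls))
    return gaps


if __name__ == "__main__":
    for user, ips in successful_single_factor(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"single-factor sign-in: {user} from {', '.join(ips)}")
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name} policy gaps: {policy_gaps(policy) or 'none'}")
```

Run against real data, the sign-in check is the one to schedule: a policy audit tells you what should happen, while a successful `singleFactorAuthentication` sign-in tells you what actually happened, including through exclusions or legacy protocols the policy never sees.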
Original Story 3/22:
The cybercriminal group that claims to have breached Microsoft has started to dump files allegedly taken from the hack.
On Monday, the LAPSUS$ gang began circulating a 10GB compressed archive that supposedly contains internal data on Microsoft’s Bing search engine and Bing Maps, along with the source code to the company’s voice assistant software Cortana.
“Bing Map is 90% complete dump. Bing and Cortana around 45%,” LAPSUS$ said in a post in the group’s public chatroom.
According to BleepingComputer, the archive expands to 37GB once it’s been uncompressed, and contains the source code to over 250 projects that appear to belong to Microsoft. If real, the file dump risks exposing sensitive information about the company, including data on employees and software certificates, which cybercriminals could further exploit.
Microsoft did not immediately respond to a request for comment. So far, the company has only said it’s investigating the alleged hack. However, the LAPSUS$ gang says the group has already lost access to Microsoft’s systems.
“Access died when I was sleeping,” one of the members wrote in the group’s public chat. “Would’ve been a complete dump. But we were all tired.”
The dump also comes as LAPSUS$ may have revealed how it got into Microsoft. On Monday, the group claimed it had breached Okta, an identity provider that manages authentication for 15,000 brands.
“Thousands of companies use Okta to secure and manage their identities,” said IT security firm Check Point. “Through private keys retrieved within Okta, the cyber gang may have access to corporate networks and applications. Hence, a breach at Okta could lead to potentially disastrous consequences.”
In its public chat, LAPSUS$ said it had not stolen any databases from Okta but had targeted the company’s corporate customers. So far, Okta has only said that two months ago it detected “an attempt to compromise the account of a third-party customer support engineer” working at a company that acts as a “sub-processor,” and that the incident was contained.
“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Okta’s chief security officer said.