Microsoft is investigating claims that internal source code repositories have been accessed and data has been stolen.
The alleged hack is linked to the hacking group Lapsus $, which attacked companies such as Nvidia, Samsung and Vodafone in the past successfully.
Evidence of the hack emerged on Sunday evening when Tom Malka published screenshots on Twitter showing a Telegram conversation and what appears to be an internal folder listing of Microsoft source code repositories.
The screenshot suggests that the hackers downloaded source codes of Cortana and several Bing services. The post has been deleted in the meantime. Microsoft told Bleeping Computer that it is investigating the reports.
Unlike most extortion groups, which try to install ransomware on systems that they attack successfully, Lapsus $ tries to get a ransom for downloaded data from the companies that it attacked.
The main services that Lapsus $ may have downloaded the source code from appear to be Bing, Bing Maps and Cortana. It is unclear at this point whether the full source codes have been downloaded by the attackers, and whether other Microsoft applications or services are included in the dump.
Source codes may contain valuable information. The code may be analyzed for security vulnerabilities that hacking groups may exploit. There is also the chance that source codes include valuable items such as code signing certificates, access tokens or API keys. Microsoft has a development policy in place that prohibits the inclusion of such items, Microsoft calls them secrets, in its source codes
The search terms used by the actor indicate the expected focus on attempting to find secrets. Our development policy prohibits secrets in code and we run automated tools to verify compliance.
Lots of uncertainty is surrounding the hack at this moment. Did Lapsus $ manage to breach Microsoft’s defenses? Did the group manage to download data, and if it did, what data was downloaded and how complete is it? Bing, Bing Maps and Cortana are not the most important Microsoft services.
Judging by Lapsus $ ‘s track record, it is likely that the reported hack did indeed happen. The question of whether the downloaded data is valuable enough to get a ransom from Microsoft for not publishing it on the Internet is open for debate.
Now You: was Microsoft hacked? What is your take on this? (via Born)