Microsoft Investigating Alleged Lapsus$ Intrusion of AzureDevOps Repositories

Stock image of a digital skull in code
(Image credit: Shutterstock)

Update 3/22 07:43 ET:

Lapsus$ has made public at least part of the information exfiltrated from Microsoft's AzureDevOps repository. The group shared a 9 GB compressed zip file via torrent, which unpacks into 37 GB of uncompressed data. According to the hacker group, this data includes 90% of of the source code for Bing and approximately 45% of the code for Bing Maps and Cortana, alongside emails and project documentation. After poring over the leaked files, security researchers told Bleeping Computer that the data appeared to be legitimate. Considering the group has just made the data unsellable, it's likely negotiations with Microsoft were a no-go, and Lapsus$ may have elected to focus on the black hat scene.

Original Article:

Microsoft says it's in the process of investigating a possible breach of its AzureDevOps source code repositories. The information, courtesy of Bleeping Computer, comes hot in the heels of a Telegram post (later shared on Twitter) by infamous hacking group Lapsus$ -- a single screenshot where repositories for Microsoft's digital assistant Cortana and various Bing projects can be seen. The group has made multiple headlines for itself in the last few months after high-profile hacks of Nvidia, Samsung, Vodafone and Ubisoft, among others.

Microsoft has already pointed out that a source code leak doesn't elevate its products' security risk. The company's security model already assumes that malicious actors have full access to the products' source code, whether via previous leaks or current threats of leakage.

Screenshot of Lapsus$ reported hack

The screenshot originally uploaded by lapsus$ on Telegram was quickly saved and reposted by security researchers on Twitter. The initials of the logged-in account are visible in the top right corner. (Image credit: Tom Malka via Twitter)

However, access to source code does make it easier for malicious actors to inspect Microsoft's products for exploitable vulnerabilities. There's also the matter that repositories such as this also usually contain access tokens, credentials, API keys, and even code-signing certificates. The risk is increased since this data can be weaponized by anyone who has access to it, not just by hacking group Lapsus$ itself. In fact, Nvidia's driver signing certificates have already been used by malicious actors in an attempt to disguise malware infiltrations. These certificates tell cybersecurity solutions that the executable package has been developed by a trusted third-party and that it hasn't been tampered with, throwing a proverbial wrench at many malware detection algorithms.

Interestingly, Lapsus$ apparently deleted the screenshot from its Telegram channel shortly after sharing it. The screenshot itself still showed details on the account (allegedly) used to navigate the Azure DevOps repository - the initials "IS" were in plain view of anyone, including Microsoft's own security teams. Perhaps that's the Occam's Razor explanation for the image's deletion: nothing but a "slight" misstep from Lapsus$.

Another element to consider is that Lapsus$ has shown somewhat erratic behavior when it comes to interacting with companies it has breached. After an attempted extortion attempt with Nvidia, the suspected South America-based group then changed its demands, demanding that Nvidia lift its LHR (Lite Hash Rate) BIOS and driver limitation for cryptocurrency mining before unceremoniously exposing around 71,000 Nvidia employee credentials for good measure.

It's unclear if Lapsus$ actually managed to infiltrate Microsoft's systems or if the group is only taunting Microsoft. In any case, Microsoft itself hasn't announced any contact attempt from the group and has yet to confirm the breach. Stay tuned for updates as this evolves.

Francisco Pires
Freelance News Writer

Francisco Pires is a freelance news writer for Tom's Hardware with a soft side for quantum computing.