Microsoft confirms Lapsus$ hackers stole source code via ‘limited’ access

Lapsus$ says it has accessed data from Okta, Nvidia, Samsung, and Ubisoft

Malware makers have already exploited other certificates released by Lapsus$.
Image by Alex Castro / The Verge

The hacking group Lapsus$, known for claiming to have hacked Nvidia, Samsung, and more, this week claimed it has even hacked Microsoft. The group posted a file that it claimed contains partial source code for Bing and Cortana in an archive holding nearly 37GB of data.

On Tuesday evening, after investigating, Microsoft confirmed the group that it calls DEV-0537 compromised “a single account” and stole parts of source code for some of its products. A blog post on its security site says Microsoft investigators have been tracking the Lapsus$ group for weeks, and details some of the methods they’ve used to compromise victims’ systems. According to the Microsoft Threat Intelligence Center (MSTIC), “the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

Microsoft maintains that the leaked code is not severe enough to cause an elevation of risk, and that its response teams shut down the hackers mid-operation.

Lapsus$ has been on a tear recently if its claims are to be believed. The group says it’s had access to data from Okta, Samsung, and Ubisoft, as well as Nvidia and now Microsoft. While companies like Samsung and Nvidia have admitted their data was stolen, Okta pushed back against the group’s claims that it has access to its authentication service, claiming that “The Okta service has not been breached and remains fully operational.”

Microsoft:

This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.

Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.

This isn’t the first time Microsoft has claimed it assumes attackers will access its source code — it said the same thing after the SolarWinds attack. Lapsus$ also claims that it only got around 45 percent of the code for Bing and Cortana, and around 90 percent of the code for Bing Maps. The latter feels like a less valuable target than the other two, even if Microsoft was worried about its source code revealing vulnerabilities.

In its blog post, Microsoft outlines a number of steps other organizations can take to improve their security, including requiring multifactor authentication, not using “weak” multifactor authentication methods like text messages or secondary email, educating team members about the potential for social engineering attacks, and creating processes for potential responses to Lapsus$ attacks. Microsoft also says that it’ll keep tracking Lapsus$, keeping an eye on any attacks it carries out on Microsoft customers.
