Microsoft and Okta are investigating the issue while LAPSUS$ hackers have leaked GBs worth of data apparently including the source code of Cortana and Bing.
LAPSUS$ hackers are claiming to have breached Microsoft and steal a trove of data. The group is also claiming to have access to several DevOps accounts belonging to Microsoft Azure, which, if confirmed, could be this year’s biggest cybersecurity incident.
Who are LAPSUS$ hackers
Reportedly, LAPSUS$ is a Brazilian hacking group that was behind Samsung, Ubisoft, and Nvidia data breaches in the last couple of weeks. Over the weekend, the hackers posted a screenshot on its Telegram channel revealing that they had accessed internal Microsoft systems.
One of the screenshots appeared to be from an Azure DevOps account, a product that Microsoft offers that allows developers to collaborate on projects. However, minutes later, the post was deleted, and the gang posted another message that read: “Deleted for now will repost later.”
Projects Listed in the Deleted Screenshot:
The projects listed in the screenshot posted by the LAPSUS$ group include the following:
- Bing Cubator
- Creative Authoring
- Bing_UX: Bing.com frontend (SNR) + other relevant UX codebase
- Cortana: Main Cortana project, including related code, and work items.
- Bing Source Code: Main project that stores the entire Bing Source Code.
- Compliance_Engineering: A WebXT Compliance Engineering team project.
- Bing_Test_Agile: A test project for Bing performed through the Agile template.
- Bing_STC-SV: Containing the source code for several Bing engineering projects in the Silicon Valley office
The most crucial projects are the Cortana and Bing Source code, which contain source code for the entire product. Microsoft’s spokesperson stated that they are aware of the claim and investigating it.
The Breach seem Authentic
Although the technology giant is investigating the issue, several cybersecurity researchers fear that the data leaked by LAPSUS$ hackers seem authentic. A France-based infosec researcher Soufiane Tahiri who goes by the Twitter handle of @S0ufi4n3 stated that according to his analysis, “the Microsoft leak is 100% genius and it contains a lot of data, including some emails and some strong name signing public /private keys, some code signing certificates …and well A LOT OF CODE.”
Tahiri went on to confirm that he was able to sign an assembly using one of Microsoft’s certificates from the Lapsus leak.
In a separate incident, LAPSUS$ hackers are also claiming to have breached the authentication services provider Okta, Inc. On its Telegram group, as seen by Hackread.com, LAPSUS$ hackers have shared screenshots of the company’s internal infrastructure including the company’s Atlassian suite and in-house Slack channels.
The group went on to explain that the screenshots were taken after its access to Okta.com’s superusers/admin and various other systems.” Furthermore, the hackers stated that they did not access or steal Okta’s database since their “focus was Okta customers.”
For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved), I think these security measures are pretty poor.
At the time of publishing this article, Okta, Inc. was investigating the incident. However, the company’s CEO Todd McKinnon addressed the issue and confirmed on Twitter earlier today that there was an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors in late January 2022.
McKinnon believes that the screenshots posted by the LAPSUS$ hackers are connected to the January event. On the other hand, Bill Demirkapi, a cyber security researcher who goes by the Twitter handle of @BillDemirkapi noted that after analyzing one of the screenshots shared by the group “it appears that they have gotten access to the Cloudflare tenant with the ability to reset employee passwords.”
Demirkapi further stated that it is possible that LAPSUS$ might have gotten all this access by abusing Okta’s own remote control tooling they use to spy on their employees. It would explain things like why the Chrome browser is signed into a user, as shown in one of the screenshots.
In a conversation with Hackread.com, Lotem Finkelsteen, a security researcher and Head of Threat Intelligence and Research at Check Point said that “If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent string successes. Thousands of companies use Okta to secure and manage their identities. Through private keys retrieved within Okta, the cyber gang may have access to corporate networks and applications.”
“Hence, a breach at Okta could lead to potentially disastrous consequences. If you are an Okta customer, we strongly urge you to exercise extreme vigilance and cyber safety practices. The full extent of the cyber gang’s resources should reveal itself in the coming days,” Finkelsteen warned.
More Microsoft Topics
- Microsoft reveals hackers viewed its source code
- Hackers are using Microsoft Teams chat to spread malware
- Google, Microsoft and Oracle generated most vulnerabilities in 2021
- 38 million records exposed in Microsoft Power apps misconfiguration
- Attackers bypass Microsoft security patch to drop Formbook malware