Hacking group behind Nvidia and Samsung attacks now appears to have leaked Microsoft source...

midian182

Posts: 8,023   +88
Staff member
What just happened? The hackers behind recent attacks on Nvidia, Samsung, and Vodafone appear to have successfully compromised another company: Microsoft. The Windows-maker is investigating claims by Lapsus$ that the group gained access to internal Azure DevOps servers and leaked source code for Bing, Cortana, and other projects.

On Sunday, Lapsus$ posted what seemed to be a screenshot of an internal Microsoft developer account to its Telegram channel. Motherboard reports that the Azure DevOps account in question allows developers to collaborate on Microsoft projects, including Bing and Cortana. An administrator for the channel removed the images soon after they were posted, writing, "Deleted for now will repost later."

Bleeping Computer writes that the hackers weren't finished. On Monday, Lapsus$ posted a torrent for a 9GB 7zip archive that contained source code for over 250 Microsoft projects. The group claims it featured 90% of the source code for Bing and approximately 45% of the code for Bing Maps and Cortana. The publication writes that even though this was only part of the code, there was around 37GB of uncompressed data in the archive, which security researchers say appears to be legitimate.

There were also internal emails and documentation related to mobile apps in the leaked data. But it is noted that the projects are for web-based infrastructure, websites, or mobile apps, with no source code for desktop software such as Windows or Office.

Courtesy of Bleeping Computer

Microsoft is the latest company to fall victim to Lapsus$. The group made headlines after leaking 1TB of stolen data from Nvidia that exposed over 70,000 employee account login credentials. It also claims to have used the stolen info to create a tool that can bypass Nvidia's Lite Hash Rate limiter without flashing or updating the firmware on a graphics card, which it offered to potential buyers for $1 million.

The hackers also claimed an attack that leaked 190GB of confidential information from Samsung, including encryption data and source code for the company's most recent devices. Argentinian eCommerce company MercadoLibre/MercadoPago, Portuguese media conglomerate Impresa, and telecoms giant Vodafone are also alleged to have been breached.

Exactly how Lapsus$ is successfully bypassing these companies' security is unknown, though some believe it could be buying off employees—the group has already made it clear they are willing to pay for access to internal systems.

Permalink to story.

 

Dimitriid

Posts: 2,216   +4,268
It's nice that Microsoft actually does believe their own Azure marketing people about how secure they are and were silly enough to put important source code in the cloud: I would love to be a fly in the wall for those big meetings where the Azure guys argue with the code guys and tell them "Our Cloud is secure, it's *your* own fault for not reading your certification programs before implementing your cloud environment!"

It also should be a good thing to point out to any company hearing a sales pitch about being secure in the Azure Cloud: It's so complicated not even direct company co-workers of the guys who built the thing to begin with could figure out to be 100% secure how do you think you'll do by just having your engineers complete a certification program and then hope it's actually secure enough?
 

Burty117

Posts: 4,505   +2,723
It's nice that Microsoft actually does believe their own Azure marketing people about how secure they are and were silly enough to put important source code in the cloud: I would love to be a fly in the wall for those big meetings where the Azure guys argue with the code guys and tell them "Our Cloud is secure, it's *your* own fault for not reading your certification programs before implementing your cloud environment!"

It also should be a good thing to point out to any company hearing a sales pitch about being secure in the Azure Cloud: It's so complicated not even direct company co-workers of the guys who built the thing to begin with could figure out to be 100% secure how do you think you'll do by just having your engineers complete a certification program and then hope it's actually secure enough?
So what's your alternative? You reckon setting up your own servers in the office is more secure?

You do a lot of smack talking without giving any ideas of what would be more secure...
 

terzaerian

Posts: 1,372   +1,974
I'm going to reap a rich harvest of lulz if they end up leaking the Xbox source code and crack its security wide open.