Microsoft confirms hacking group stole source code via 'limited access'
Microsoft doesn't appear too concernedBy Shawn Knight
In brief: Microsoft has confirmed claims made earlier this week by hacking group Lapsus$ that it was the victim of a cybersecurity incident. Redmond seemingly dismissed the matter as no big deal, noting it was already looking into the issue before the group went public and downplaying the importance of secure source code.
A blog post addressing the matter notes that Microsoft's investigation uncovered a single account had been compromised, which granted the attacker "limited access." According to Microsoft, their team was already investigating the compromised account when Lapsus$ publicly disclosed the intrusion.
If you recall, the group released a dump earlier this week containing around 37GB worth of Microsoft data. The haul reportedly included portions of source code for Bing, Bing Maps and Cortana.
Microsoft Security has been tracking criminal actor DEV-0537 (LAPSUS$) targeting organizations with data exfiltration and destructive attacks - including Microsoft. Analysis and guidance in our latest blog: https://t.co/gTMXJCoPY5--- Microsoft Security (@msftsecurity) March 22, 2022
Microsoft said it "does not rely on the secrecy of code as a security measure," adding that viewing source code does not lead to an elevation of risk.
Microsoft also touched on some of the group's preferred tactics, many of which aren't all that common among threat actors. Examples include phone-based social engineering, SIM-swapping, accessing personal e-mail accounts and even paying employees, suppliers or business partners of target organizations for access to credentials or multi-factor authentication (MFA) approval.
Redmond additionally provided tips that organizations and individuals can use to protect themselves, including using MFA, avoiding phone-based MFA methods and leveraging passwordless authentication like Windows Hello, Microsoft Authenticator or FIDO tokens.
Lapsus$ has been extremely busy this year, having already hit big tech targets including Nvidia, Samsung and Vodafone. Authentication firm Okta has also fallen victim, with the company updating its statement to confirm that around 2.5 percent of its clients have potentially been impacted and whose data may have been viewed or "acted upon."
Image credit Aktar Hossain