Microsoft confirms it was hacked by LAPSUS$
UPDATE 23/3: Following the dumping of files that the hacker group LAPSUS$ allegedly collected by hacking Microsoft, Microsoft has now confirmed that it was compromised through a single account. As part of a security blog post published late Tuesday, Microsoft included a section titled “Actor actions targeting Microsoft” that explains what happened:
“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of its source code. No customer code or data was involved in the observed activities. Our investigation has determined that a single account had been compromised, providing limited access. Our cybersecurity response teams moved quickly to remediate the compromised account and prevent further activity.
“Microsoft does not rely on code secrecy as a security measure, and exposing source code does not increase risk. The tactics DEV-0537 used in this intrusion mirror the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor made their intrusion public. This public disclosure escalated our action, allowing our team to intervene and suspend the actor mid-operation, limiting wider impact.”
While any successful hack is bad news for an organization, in this case the intrusion appears to have been limited and to have had no impact on Microsoft’s customers.
The recommendations from Microsoft to prevent similar LAPSUS$ hacks include using multi-factor authentication for all users in all locations, encouraging strong passwords, using passwordless authentication if available, and adding a VPN as an additional layer of authentication.
Original story 22/3:
The cybercriminal group that claims to have breached Microsoft has begun dumping files allegedly obtained from the hack.
On Monday, the LAPSUS$ gang began circulating a 10GB compressed archive that purportedly contains internal data on Microsoft’s Bing search engine and Bing Maps, along with the source code for the company’s Cortana voice assistant software.
“Bing Map is 90% complete dump. Bing and Cortana around 45%,” LAPSUS$ said in a post in the group’s public chat room.
According to BleepingComputer, the archive expands to 37 GB when uncompressed and contains the source code of over 250 projects that appear to belong to Microsoft. If genuine, the file dump risks exposing sensitive information about the company, including employee data and software certificates, which cybercriminals could further exploit.
Microsoft did not immediately respond to a request for comment. So far, the company has only said it is investigating the alleged hack. However, the LAPSUS$ gang says the group has already lost access to Microsoft’s systems.
“Access died when I was sleeping,” one member wrote in the group’s public chat. “It would be a complete dump. But we were all tired.”
The file dump also occurs as LAPSUS$ may have revealed how it hacked Microsoft. On Monday, the group claimed it had breached Okta, a company that manages authentication systems for 15,000 brands.
“Thousands of companies use Okta to secure and manage their identities,” said IT security firm Check Point. “Through private keys obtained in Okta, the cyber gang can have access to corporate networks and applications. Therefore, a breach of Okta can lead to potentially catastrophic consequences.”
In its public chat, LAPSUS$ said it did not steal any databases from Okta, but targeted the company’s enterprise customers. So far, Okta has only said it discovered “an attempt to compromise the account of a third-party customer support engineer” working at a company’s “subprocessor” two months ago. But the incident was later curtailed.
“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Okta’s security chief said.