A real threat or a bluff? Over the weekend, cybersecurity experts panicked after a message from the Lapsus$ group was published on Telegram. It claimed nothing less than the hacking of Microsoft’s Azure DevOps server containing alleged internal source code repositories.
A screenshot embedded in the post shows repositories holding the source code for Cortana and various Bing projects, named “Bing_STC_SV”, “Bing_Test_Agile”, and “Bing_UX”. The image also shows other repositories, though their contents are not known. Surprisingly for a group of cybercriminals, it left the initials of the Azure DevOps account user, “IS”, visible in the image. This “slip”, deliberate or not, should allow Microsoft to identify and secure the compromised account. Another explanation is that the group no longer has access to the repositories, or that it does not care about the publisher.
Post deleted and Microsoft investigating
One thing is certain: Lapsus$ removed its message, replacing it with another note, “deleted for the moment, I will repost it later”. However, several experts had saved the screenshot and shared it on Twitter. The Lapsus$ group recently became known for having ensnared the American Nvidia, the South Korean Samsung and the French Ubisoft. Unlike ransomware operators, Lapsus$ does not encrypt data, but instead focuses on data theft and extortion.
Questioned on the matter, Microsoft did not confirm this intrusion into an Azure DevOps account, but indicated that it was aware of the case. An investigation has also been launched. The publisher nevertheless plays down the incident by emphasizing that the publication of source code does not lead to an increase in risk, an argument it also used in the SolarWinds case. But as our colleagues at BleepingComputer point out, source code repositories very often contain tokens, credentials, API keys, and even code signing certificates. The latter have, for example, been used in the context of the Nvidia hack.
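The last point is the one defenders can act on: the risk of a leaked repository comes less from the code itself than from the secrets committed alongside it. The following scanner is an added example, not code from the article or from Microsoft; it walks an in-memory tree of constructed sample files and flags the kinds of material the article names (private keys, assigned API keys and passwords, and references to code-signing bundles). The patterns and the entropy threshold are illustrative assumptions, not any vendor's canonical ruleset.

```python
"""Minimal secret scanner for a source tree.

Added example, not part of the original article. It illustrates why a
leaked repository carries more risk than the code alone: the files below
are constructed and contain the kinds of secrets repositories often hold.
"""
import math
import re
from collections import Counter

# Illustrative detection patterns (assumptions, not a vendor rule set).
PATTERNS = {
    # PEM-encoded private key material committed as a file.
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A credential-looking variable assigned a quoted literal of 8+ chars.
    "assigned_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
    # A reference to a PKCS#12 bundle, the usual carrier of a signing cert + key.
    "signing_bundle": re.compile(r"(?i)\b\S+\.(?:pfx|p12)\b"),
}

# Literal values that are clearly placeholders and should not be reported.
PLACEHOLDERS = {"changeme", "placeholder", "your_api_key_here"}
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off for "random-looking"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; short dictionary words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str):
    """Return (path, line_number, finding_type) tuples for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "assigned_secret":
                value = m.group(2)
                # Skip obvious placeholders and low-entropy dictionary words.
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append((path, lineno, name))
    return findings


def scan_repo(files: dict):
    """Scan a mapping of relative path -> file contents."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository; every value here is made up.
SAMPLE_REPO = {
    "src/config.py": 'API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"\nDEBUG = True\n',
    "deploy/sign.ps1": 'signtool sign /f build\\signing\\release.pfx /p "hunter2" app.exe\n',
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    "settings.example.py": 'password = "changeme"\n',  # placeholder, must not fire
}


if __name__ == "__main__":
    for path, lineno, kind in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {kind}")
```

Run against the constructed tree, the scanner reports the live-looking API key, the private key file and the `.pfx` reference, and stays silent on the `changeme` placeholder. In practice the same check belongs in a pre-commit hook and in CI, so that a secret never reaches the repository history in the first place; once committed, rotating it is the only remedy, because a later deletion does not remove it from the history an attacker would exfiltrate.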