Wednesday06 July 2022

Lapsus$ Leaks Some of the Source Code they Claim they Stole from Microsoft

Reading time is around minutes.

Yesterday we reported that the source code stealing group, Lapsus$, claimed they have breached and stollen source code from Microsoft. They made the announcement on their Telegram account by posting a screenshot of the projects they claimed to have access to. Now, as with other leaks, they have dropped a compressed file (7zip) via Torrent which appears to contain around 37GB of source code.

Microsoft is still not confirming the breach and has not commented on the validity of the source code as of this writing, but other researchers have reviewed the files and say it appears to be legitimate code. All the code leaked was related to Bing (and Bing Maps) along with Cortana. The dump also contains project related internal emails and other documentation associated with the projects.
So far none of the leaked code is related to any Microsoft operating systems or Office, it is all web-based infrastructure, sites and mobile apps. As previously mentioned, Microsoft does not feel that a leak of source code elevates risk at all. They have stated again and again that they always develop tools and features with the assumption that attackers are very familiar with the code/application in question so the exposure of the information should not give attackers too much of an advantage. This approach could be why Microsoft seems to be keeping quiet about their investigation.

With the rise to notoriety of Lapsus$ and the speed of which they have compromised different groups the big speculation has moved from “do they have source code from company “x”” to how did they get in. There are many theories around this including possible insider compromise as Lapsus$ has posted notices saying they will pay for access. Another thought it that a previous connected target has allowed them to branch out into other areas. Lapsus$ has previously posted screen shots of what they claim to be internal Okta websites and controls. Considering their pattern, these screen shots could be very real, and they might be leveraging this to pivot to other companies. There also could be a different link between the affected companies that is allowing them to move as they have been.

No matter how they are moving they are enjoying the popularity and even seem to be responding to the press about themselves. They have amassed 33,000 subscribers to their Telegram channel. While we are sure that a decent percentage of the subscribers are law enforcement and security researchers, there are also genuine fans of the group and their work.

Profiling the group is interesting as their pattern seems to be higher and higher stakes with more involvement and taunting from the group. We expect to seem additional communication from them as they continue to look for more and more acknowledgement of their accomplishments. This may even involve direct contact with the press at some point so they can actually insert themselves into the conversation and feel like they are part of the narrative.

For the companies that have been compromised by the group, they need to cooperate with each other and identify the attack patter and logistics behind each. There is sure to be an identifier that exists in each of the breaches that can be used to shore up defenses against the group and possibly even set a trap to identify one or more members. For now, we expect to hear about more compromises and more data that Lapsus$ has collected before things slow down.


Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.