Microsoft investigates Lapsus$'s boasts of Bing, Cortana code heist

Updated The Lapsus$ extortion gang briefly alleged over the weekend it had compromised Microsoft.

The devil-may-care cyber-crime ring has previously boasted of breaking into Nvidia, Samsung, Ubisoft, and others. Its modus operandi is to infiltrate a big target's network, exfiltrate sensitive internal data, and then make demands to prevent the public release of this material – and perhaps just release some of it anyway.

"We are aware of the claims and are investigating," a Microsoft spokesperson told The Register on Monday.

On Saturday and Sunday, the crooks shared then deleted on Telegram screenshots suggesting they had broken into Microsoft's internal DevOps environment, as spotted by infosec bod Dominic Alvieri. The screenshot shows internal projects including Bing and Cortana's source code, and ​​WebXT compliance engineering projects.

"Normally you wouldn’t give credibility to a snapshot," tweeted Alvieri, "but Lapsus has breached Samsung, Impresa, Mercado Libre, Ubisoft, and Nvidia." The researcher said Microsoft and Vodafone have allegedly been hit, adding that the brag about the Windows giant seems "credible so far and reputation is at stake."

If the screenshots are legit, this would be a major security breach for the American IT titan. There's the potential for miscreants to find and exploit security holes in the code, should they get their hands on it. Perhaps Microsoft should have fought a little harder for Mandiant before Google scooped it up for $5.4bn.

• Devil-may-care Lapsus$ gang is not the aspirational brand infosec needs
• Lapsus$ extortionists dump Samsung data online, chaebol confirms security breach
• Leaked stolen Nvidia key can sign Windows malware
• CISOs face 'perfect storm' of ransomware and state-supported cybercrime

The suspected Microsoft intrusion follows a series of high-profile sorties by Lapsus$, which, until recently, was best known for meddling with Brazil's Ministry of Health and Portuguese media outlets SIC Noticias and Expresso.

That all changed in February when the gang, believed to be based in Brazil, sneaked into Nvidia's networks and stole one terabyte of data including employee credentials and proprietary information, and dumped some of it online.

Days later Lapsus$ raided Samsung and stole 190GB of internal files including some Galaxy device source code. 

The criminal group followed that up by claiming it was responsible for a cybersecurity incident at gaming giant Ubisoft, and it's reportedly behind a Vodafone security breach as well. Earlier this month, the telco said it was probing Lapsus$'s claims that it stole 200GB worth of source code.

"We are investigating the claim together with law enforcement, and at this point we cannot comment on the credibility of the claim," a Voda spokesperson told CNBC. "However, what we can say is that generally the types of repositories referenced in the claim contain proprietary source code and do not contain customer data."  ®

Updated to add at 0400 UTC

Lapsus$ has claimed on its Telegram channel tonight that it has leaked in a downloadable 9GB archive file most of the Bing Maps source code, and about half of the Bing and Cortana code, totaling more than 250 internal Microsoft projects. The gang also claims to have compromised LG Electronics for the second time in a year, and access management biz Okta, to some degree.