16 comments

[ 2.3 ms ] story [ 41.0 ms ] thread
That group has been trying to buy Microsoft employee credentials. Maybe they found a seller.
Maybe now people will understand why local user accounts are important... who am I kidding things are just going to keep getting worse.
There isn't really more details there though.
The screenshot is not cropped and it has a list of the projects affected in the article. I agree the information is still sparse.
Sure. But the list of projects is for 1 Azure Devops organization and the list appear to be in alphabetical order and showing B to C. Also it looks a bit like the logged on user only has access to one of the projects (at least it's only showing icons for one of them).
Once a threat actor has access to internal, less hardened systems, it is a matter of time until they have access to everything. In this case it’s a matter of privilege escalation at best and RCE at worst, no lateral movement required unless it’s easier to escalate directly in the IdP system or as a MitM between the IdP and the service in the screenshot.
My point was that so far every little information has been shared.

I have no idea what your point is. Also not sure if what you mean by "internal system" here. I can also log on to Azure Devops service (it public), but that doesn't mean I can access windows source code.

Twitter is such a terrible medium for communicating more than a headline!
In this particular case there is nothing to communicate that doesn't fit nicely in a tweet.

Only way you could stretch this into an article beyond a headline is by bundling a bunch of unnecessary bullshit.

Perhaps there'll be a comment from Microsoft, they won't say anything useful beyond "No customer information was accessed"

This happens on an almost yearly basis. Source code for ~all major windows releases is actively traded. (Same also goes for Apple, Cisco, etc...) Protecting source code that a huge amount of employees need access to is hard.

Previous public example: https://www.bbc.co.uk/news/technology-40366823

Many exploit devs have access to this stuff, but would obviously never publicly discuss it, fearing leaks and liability.

Keeping an OS private is virtually impossible, for the most part every engineer has access to every piece, so any intrusion is also likely access to current OS source.

Rumors out of Google were a bit different about their search algorithm which may be comparable to a leak of bing code.

If I base on the list, it seems that it was their California branch that was breached. No meaningful Azure or Windows source code was listed (which is hosted in Redmond) and a lot of Bing and Cortana ones (which are primarily developed in California).

Although source code leakage is bad, it should be noted that most governments already has copies of the Windows and Office source code access through legitimate means (Source Sharing agreements).

Microsoft’s threat model operates on the idea that its source code is not protected.