What can hackers do with stolen source code?

The Lapsus$ digital extortion group is the latest to stage a high-profile data theft attack against major tech companies. Among other things, the group is known for grabbing and leaking source code at every opportunity, including from Samsung, Qualcomm and Nvidia. In late March, along with the revelations that they had breached an Okta processor, the hackers also leaked a trove of data containing parts of the source code for Microsoft’s Bing, Bing Maps and its Cortana virtual assistant. Sounds bad, right?

Businesses, governments and other institutions have been plagued by ransomware attacks, business email compromise and a range of other breaches in recent years. However, researchers say that while a source code leak may seem catastrophic, and it certainly isn’t good, such leaks are usually not the worst-case scenario for a criminal data breach.

“Some source code is indeed trade secrets, some parts of source code may make it easier for people to abuse systems, but accounts and user data are usually the biggest things that companies need to protect,” said Shane Huntley, director of Google Threat Analysis Group. “For a vulnerability hunter, it makes certain things easier, allowing them to skip a lot of steps. But it’s not magic. Just because someone can see the source code doesn’t mean they can use it right then.”

In other words, when attackers gain access to source code—and especially when they leak it for all to see—a company’s intellectual property can be exposed in the process, and attackers may be able to spot vulnerabilities in its systems more quickly. But the source code itself is not a road map for finding exploitable bugs. Attackers cannot hijack Microsoft’s Cortana or gain access to user accounts simply because they have a piece of the source code for the platform. In fact, as open source software shows, it is possible to make the source code publicly available without making the underlying software less secure.

Google’s Huntley points out that the same broad and varied vetting needed to secure open source software is also vital for critical proprietary source code, just in case it’s ever stolen or leaked. He also notes that major vulnerabilities in open source software, such as the recent Log4j flaws, have often hidden undetected for years or even decades, like imperceptible typos that aren’t caught by an author or editor.

Microsoft detailed its Lapsus$ breach on March 22 and said in a statement that “Microsoft does not rely on code secrecy as a security measure, and viewing the source code does not increase the risk.”
