Threat actors going by “Medusa” have posted a new database on their leak site, claiming it contains data from Microsoft including source code for Bing and Cortana.
Spotted by Emsisoft researcher Brett Callow, the announcement also claims the dump includes Microsoft digital signatures that could be used to make malware pass for Microsoft-made software, which would let it slip past antivirus products that trust the signer.
"This leak is of more interest to programmers, since it contains the source codes of the following Bing products, Bing Maps and Cortana," the announcement reads. "There are many digital signatures of Microsoft products in the leak. Many of them have not been recalled. Go ahead and your software will be the same level of trust as the original Microsoft product."
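The signing-certificate claim is the operationally important part: a file that carries a valid Microsoft signature is trusted by a great deal of security tooling on the strength of the signer name alone. The practical counter is to check the revocation state of the signing chain rather than the name. The script below is an added example, not code from the article, from Microsoft or from Emsisoft; it takes a file path as an assumed input, reads the Authenticode signature, and then rebuilds the signer's certificate chain with online revocation checking over every link and the code-signing EKU required.

```powershell
# Added example (not from the article): inspect an Authenticode signature and check
# the revocation state of its chain independently of the signer name. $Path is an
# assumed input supplied by the caller.
param([Parameter(Mandatory)][string]$Path)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status         : {0} ({1})" -f $sig.Status, $sig.StatusMessage
if (-not $sig.SignerCertificate) { Write-Warning "File is not signed."; return }

$signer = $sig.SignerCertificate
"Signer         : {0}" -f $signer.Subject
"Thumbprint     : {0}" -f $signer.Thumbprint
"Valid          : {0} to {1}" -f $signer.NotBefore, $signer.NotAfter
if ($sig.TimeStamperCertificate) {
    "Timestamped by : {0}" -f $sig.TimeStamperCertificate.Subject
} else {
    Write-Warning "No timestamp countersignature: the signature will not outlive the certificate."
}

# A 'Microsoft' subject proves nothing if the certificate or its key has leaked, so build
# the chain ourselves with online revocation checking rather than trusting Status alone.
$ns = "System.Security.Cryptography.X509Certificates"
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
# Require the code-signing EKU (1.3.6.1.5.5.7.3.3) so a leaked certificate issued for
# some other purpose cannot be used to sign executables.
$codeSigning = New-Object System.Security.Cryptography.Oid "1.3.6.1.5.5.7.3.3"
$null = $chain.ChainPolicy.ApplicationPolicy.Add($codeSigning)

$built = $chain.Build($signer)
"Chain builds   : {0}" -f $built
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}

$flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
if ($chain.ChainStatus | Where-Object { $_.Status -band $flags::Revoked }) {
    Write-Warning "The signing certificate or one of its issuers is REVOKED."
}
if ($chain.ChainStatus | Where-Object { $_.Status -band $flags::RevocationStatusUnknown }) {
    Write-Warning "Revocation status could not be determined; do not treat the file as trusted."
}
```

Run it as `.\Check-Signature.ps1 -Path C:\path\to\file.exe` from a host with outbound access to the CA's CRL and OCSP endpoints. One caveat matters for the "not recalled" claim: revocation takes effect from the revocation date, and a timestamped signature made before that date still validates, which is why CAs backdate revocations of leaked code-signing certificates to a point before the first known misuse. A file that is signed, timestamped, and not yet revoked is exactly the case this check cannot catch, so treat a clean result as necessary, not sufficient.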
Although the announcement raised red flags all around, no threat analyst has yet confirmed the authenticity of Medusa's claims, so the files could be bogus.
"At this point, it's unclear whether the data is what it's claimed to be," Emsisoft's Callow told The Register. "Also unclear is whether there's any connection between Medusa and Lapsus$ but, with hindsight, certain aspects of their modus operandi do have a somewhat Lapsus$ish feel."
A year ago, a threat actor called Lapsus$ announced that it had broken into Microsoft's systems and stolen roughly 37GB of sensitive data, including the source code for Bing and Cortana. Microsoft soon confirmed the breach but said that "no customer code or data" had been taken. "Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk," the Redmond giant explained at the time.
Callow may thus be suggesting that the attackers are simply re-leaking what was already stolen a year ago.
Medusa is a ransomware operator that rose to infamy after breaching the Minneapolis Public Schools (MPS) district and demanding $1 million in exchange for the decryption key. Given that MPS' data was leaked on the dark web soon afterward, the negotiations evidently fell through.
Via: The Register