March 27, 2022

The LAPSUS$ Group


Microsoft and Okta have this week disclosed breaches involving the data extortion group ‘LAPSUS$’. This group first surfaced in December 2021 when attempting to extort Brazil’s Ministry of Health, but has recently made headlines again after claiming they were behind the NVIDIA, Samsung, and Vodafone hacks. The group announced it had released Microsoft source code, but Microsoft announced it was able to interrupt the group’s download before it could finish and thus limited the broader impact. Apparently, no customer data was involved, and the attack was launched through a single account compromise which granted the group limited access. Microsoft states they do not rely on the secrecy of source code as a security measure, so the release or viewing of source code does not lead to elevated organisational risk.

LAPSUS$ mainly gains illicit access to targets through social engineering by tricking or bribing employees or partners of the organisations they’re targeting, including customer support employees. Microsoft refers to the group as “DEV-0537”, and they found the group is bribing willing accomplices to provide their credentials and authentication information or allow the installation of remote management software so the hackers can take control of authenticated systems.

LAPSUS$ Group Hacker Code

The group has its own Telegram channel with over 45,000 subscribers and the hackers actively recruit insiders at large telcos, software companies, hosting firms, and call centres in this channel and through other social media channels such as Reddit. Some employees are being offered up to $20,000 a week. LAPSUS$ claims it is not state-sponsored, but the individuals are clearly highly experienced and have a wide range of technical knowledge.

The attackers have targeted personal accounts, which are typically used for second-factor authentication or password recovery, to gain access to corporate systems or gain additional credentials. In other scenarios, LAPSUS$ has called an organisation’s help desk and convinced personnel to reset a privileged account’s credentials. As many organisations outsource their help desk support, the group is actively exploiting these relationships to help gain access to corporate systems.

The group has also used SIM swapping to access privileged accounts at target companies. The attackers bribe or trick mobile company employees into transferring a phone number to their device so they can then intercept one-time passwords or prompt a password reset via SMS. LAPSUS$ has also searched public repositories for exposed passwords, purchased credentials and session tokens from online forums, and made use of the “Redline” malware to steal passwords.
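The two access patterns described above, a help-desk-initiated reset of a privileged account and a SIM-swap-style recovery via SMS, both leave a characteristic sequence in identity-provider audit logs. The following is an added example, not code from the original post or from any vendor mentioned in it, that correlates such events into findings a SOC analyst can triage. The event schema, the account names, the help-desk accounts and the sample log entries are all constructed for illustration.

```python
"""Correlate identity audit events for two patterns: a help-desk password
reset of a privileged account followed by an MFA factor change, and a
recovery-phone change followed by an SMS-delivered reset.
Hypothetical event schema; all sample data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str    # account that performed the action
    action: str   # password_reset, mfa_factor_enrolled, recovery_phone_changed, ...
    target: str   # account acted upon
    via: str      # channel: helpdesk, sms, self_service


# Constructed examples of tier-0 accounts and outsourced help-desk accounts.
PRIVILEGED = {"adm.jsmith", "svc.deploy"}
HELPDESK = {"hd.contractor1", "hd.contractor2"}
WINDOW = timedelta(hours=1)   # how long after a reset we look for follow-up activity


def _later_events(events, start, target, actions, window=WINDOW):
    """Events on the same target with one of `actions` inside (start, start+window]."""
    return [e for e in events
            if e.target == target and e.action in actions
            and start < e.ts <= start + window]


def find_suspicious_resets(events: Iterable[AuditEvent]) -> list[dict]:
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for e in events:
        # Rule 1: help desk resets a privileged account, then an MFA factor is
        # enrolled or reset on that account shortly afterwards.
        if (e.action == "password_reset" and e.via == "helpdesk"
                and e.actor in HELPDESK and e.target in PRIVILEGED):
            follow = _later_events(events, e.ts, e.target,
                                   {"mfa_factor_enrolled", "mfa_factor_reset"})
            if follow:
                findings.append({"rule": "helpdesk_reset_then_mfa_change",
                                 "target": e.target, "reset_by": e.actor,
                                 "at": e.ts.isoformat()})
        # Rule 2: recovery phone number changed, then a reset or MFA enrolment
        # on the same account arrives over SMS (SIM-swap shape).
        if e.action == "recovery_phone_changed":
            follow = _later_events(events, e.ts, e.target,
                                   {"password_reset", "mfa_factor_enrolled"})
            if any(f.via == "sms" for f in follow):
                findings.append({"rule": "phone_change_then_sms_reset",
                                 "target": e.target, "at": e.ts.isoformat()})
    return findings


# Constructed sample log: two hits, two benign sequences.
_base = datetime(2022, 3, 20, 9, 0)
SAMPLE_EVENTS = [
    AuditEvent(_base, "hd.contractor1", "password_reset", "adm.jsmith", "helpdesk"),
    AuditEvent(_base + timedelta(minutes=12), "adm.jsmith", "mfa_factor_enrolled",
               "adm.jsmith", "self_service"),                      # rule 1 hit
    AuditEvent(_base + timedelta(hours=2), "hd.contractor2", "password_reset",
               "u.regular", "helpdesk"),                          # not privileged
    AuditEvent(_base + timedelta(hours=3), "u.bob", "recovery_phone_changed",
               "u.bob", "self_service"),
    AuditEvent(_base + timedelta(hours=3, minutes=20), "u.bob", "password_reset",
               "u.bob", "sms"),                                    # rule 2 hit
    AuditEvent(_base + timedelta(hours=5), "hd.contractor1", "password_reset",
               "svc.deploy", "helpdesk"),                         # no follow-up
]


def run_sample() -> list[dict]:
    return find_suspicious_resets(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Both rules are triage signals rather than proof of compromise: a legitimate user who was locked out will also reset a password through the help desk and then re-enrol a factor. The value is in routing those sequences for review when the target is privileged, and in logging enough context (actor, channel, target) that the reviewer can confirm the request with the account owner out of band.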

It appears a member of the group was also involved in the breach of Electronic Arts (EA) last year, where 780GB of source code was supposedly held for ransom. This attack was achieved by buying authentication cookies for an EA Slack channel from a marketplace on the dark web.

‘WhiteDoxbin’ is the supposed leader of the group who started out trading zero-day vulnerabilities. Last year they purchased Doxbin, a website that allows personal information of individuals to be posted. Apparently, the new owner was not able to keep the site functioning properly, and has been targeted by the site’s users as a result. Since then, they have sold the forum back to its previous owner for a loss, but not before leaking the whole Doxbin dataset via its Telegram channel. The site’s users again responded by providing a thorough dox of ‘WhiteDoxbin’ – including videos outside a house in the UK and the personal information of family members.

Recent developments include 7 people in the UK being arrested in connection with the hacking group, according to the City of London Police.
