TechGuard Blog

Lapsus$ Breaches of Okta and Microsoft *UPDATE*

As of Friday, April 1st, 2022, the City of London Police have arrested 9 young individuals, ranging in age from 16 to 21, in association with a malicious hacker group. According to Detective Inspector Michael O’Sullivan, two of the teens have been charged with "unauthorized access to computers with the intent to impair the reliability of data; one count of fraud by false representation and one count of unauthorized access to a computer with intent to hinder access to data." Additionally, one of the 16-year-old teens has also been charged with "one count of causing a computer to perform a function to secure unauthorized access to a program."

One of the first to be arrested is the suspected 16-year-old ringleader of the group. Through the extortion activities associated with this band of misfits, he's managed to net himself about $14 million in Bitcoin. A sum you might say is enough for lunch money at school for a long while. When asked about his extracurricular activities, his parents were completely unaware of what he was up to. According to the boy's father, "He's never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games."

What's the name of this group of miscreants that's been stirring up all this trouble lately? They are known as Lapsus$. The group first caught the eye of the cybersecurity community just a few months ago, but they are determined to make as many waves as possible. Their focus is on large, recognizable companies, with the intent of making a name for themselves. The group does this by gaining access to the target company's network by any means necessary and grabbing as much sensitive or proprietary data as they can before getting shut out. Lapsus$ then extorts the victim company by threatening to release the stolen data publicly unless a ransom is paid. Some of the names that have been hit so far are Nvidia, Samsung, and Vodafone, though Lapsus$ has really managed to draw attention to themselves with two of their most recent attacks: Okta and Microsoft.

Okta is a widely used identity and access management company that provides businesses with secure authentication services for their applications and services. On March 22nd, after Lapsus$ published screenshots showing they had broken in, Okta admitted that an intrusion into their systems had taken place, though they initially downplayed its severity. The attackers had managed to stay inside their network for five days before they were locked out. The breach began on January 16th when Lapsus$ managed to gain control of a device that belonged to a support engineer who worked for a third-party service provider. Once they had access to the device, Lapsus$ had remote access to any information the support engineer could have accessed. According to Okta, log analysis showed the attackers had possibly accessed data belonging to approximately 2.5% of their customers. With almost 15,000 customers doing business with Okta, that's 366 customers potentially impacted by this breach.

However, Okta wasn't the only breach by Lapsus$ to come to light. That same day, Microsoft confirmed a breach of their own by the same group. According to a blog post from Microsoft, a single account had been compromised, which provided the attackers with limited access to some of their source code. The post goes on to state that no customer code or data was involved, and that "Microsoft does not rely on the secrecy of code as a security measure." Microsoft's confirmation coincided with a downloadable archive posted by the Lapsus$ group. The archive contained around 90% of the source code to Microsoft Bing Maps and 45% of the source code to Cortana and the Bing search engine.

So how does a bunch of teenagers gain access to some of the biggest names in technology? Unsurprisingly, humans are the weak link that Lapsus$ likes to exploit. They'll bribe employees of a target organization, or the employees of one of its business partners. The group isn't shy about it either, making public posts asking for credentials and offering as much as $15,000 for internal network access to their target. Email accounts of remote workers will be targeted with phishing attempts specifically designed to trick employees into revealing their VPN credentials. The kids from Lapsus$ will even do their homework and find out the answers to an employee's security questions, such as "What's your mother's maiden name?" or "What street did you grow up on?", before calling a target organization's help desk to impersonate an employee asking for a password reset.

The Lapsus$ group has also been observed making use of SIM swapping, where attackers trick a mobile carrier into transferring a target's mobile phone number to another device under the attackers' control. In short, they steal the phone number from your phone. This permits the attackers to intercept any one-time passwords sent via SMS as part of a multifactor authentication process.

If you want to protect yourself from Lapsus$, or anyone else trying to pull off the same tricks, you have to be vigilant. Good security policies and procedures are essential. Human beings are what's predominantly being exploited here, so make sure your security training program is up to snuff. Practice the principle of least privilege by knowing who has access to what and not giving employees access to systems they don't need. And of course, good password hygiene is always essential, along with a strong multifactor authentication implementation; in other words, don't use SMS for MFA. While anything is better than nothing, using text messages to receive one-time passwords has been considered insecure for a few years now. It is vulnerable to the SIM swapping attack mentioned above. Text messages are not encrypted and can be intercepted out of the air by off-the-shelf hardware. And lastly, SMS depends on being able to receive the text message, so make sure you have enough bars if you want to be able to log in!
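
As an added example (not part of the original post), the check below audits an MFA enrollment export for the weaknesses described above: accounts whose only factor is SMS or voice, accounts that still allow SMS as a fallback, and accounts with no MFA, with privileged roles listed first. The CSV columns, role names and sample rows are constructed assumptions, not any identity provider's real schema.

```python
"""Audit an MFA enrollment inventory for SIM-swappable factors (constructed data)."""
import csv
import io

# Factors whose one-time code is delivered to a phone number and therefore
# follows that number to the attacker's device after a SIM swap.
PHONE_BASED = {"sms", "voice"}

# Assumption: roles that can reset passwords or reach customer data.
PRIVILEGED_ROLES = {"admin", "support"}

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """user,role,factors
alice,admin,sms
bob,support,totp;sms
carol,engineer,webauthn
dave,support,
erin,admin,webauthn;totp
frank,engineer,sms;voice
"""


def classify(factors):
    """Return a finding for one account's set of enrolled factors."""
    if not factors:
        return "no-mfa"
    if factors <= PHONE_BASED:
        return "phone-only"
    if factors & PHONE_BASED:
        # A stronger factor is enrolled, but SMS/voice can still be selected.
        return "phone-fallback"
    return "ok"


def audit(export_text):
    """Return (user, role, finding, priority) for every account that is not ok."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        factors = {f.strip().lower() for f in row["factors"].split(";") if f.strip()}
        finding = classify(factors)
        if finding == "ok":
            continue
        priority = "high" if row["role"] in PRIVILEGED_ROLES else "normal"
        findings.append((row["user"], row["role"], finding, priority))
    # Privileged accounts first, then by user name for stable output.
    findings.sort(key=lambda f: (f[3] != "high", f[0]))
    return findings


if __name__ == "__main__":
    for user, role, finding, priority in audit(SAMPLE_EXPORT):
        print(f"{priority:6} {user:6} {role:9} {finding}")
```

The "phone-fallback" finding matters as much as "phone-only": enrolling a stronger factor does not help if the account can still be signed in with a code sent to a swappable phone number.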

Written by Joseph Cathell