A cybercrime gang known as Lapsus$ is tearing through tech giants around the globe.
In the past couple of months alone, the group has claimed the scalps of Nvidia, Ubisoft, Samsung, Okta, and Microsoft.
Their brazen tactics have attracted a big following, and some powerful enemies.
Here's what we know about the digital extortionists.
Who are the Lapsus$ hackers?
Lapsus$ first hit the headlines last December after taking credit for an attack on Brazil's health ministry.
The group posted a message on the ministry's website:
The internal data of the systems was copied and deleted. 50 TB of data is in our hands. Contact us if you want the data back.
The group showed an early preference for Portuguese-speaking targets, and an evident appetite for attention.
In a January attack on one of Portugal's largest media conglomerates, the hackers sent a false news alert that read:
Breaking: President removed and accused of murder: Lapsus$ is Portugal's new president.
The group has sent messages in Brazilian Portuguese and is believed to operate out of South America.
However, representatives in the gang's Telegram channel, which has attracted over 45,000 subscribers, often write in English. One Lapsus$ member was allegedly doxxed as a 16-year-old boy living in the UK.
While the gang's attacks are frequent and their victims high-profile, their tradecraft has been described as amateurish.
The LAPSUS$ ransomware group appear to be extremely inexperienced with OPSEC. They posted their message boasting about access to Microsoft's internal DevOps environment *while still exfiltrating source code*. We can tell by looking at the timestamp of the files in their leak. 🤦♂️ https://t.co/NaU38cypUw pic.twitter.com/AryXJS12A1
— Bill Demirkapi @ ShmooCon (@BillDemirkapi) March 22, 2022
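The check Demirkapi describes, comparing the modification times stored inside a leak archive against the moment the boast went public, is easy to reproduce. The script below is an added example written for this article; it is not Demirkapi's code or anything from the leak. The archive, its file names and the posting time are constructed in memory and are purely hypothetical, so it runs offline. Two caveats a practitioner should keep in mind: zip entries store local time with two-second resolution and no time zone, and an attacker can set those timestamps to anything, so this is supporting evidence, not proof, unless it is corroborated by server-side logs.

```python
"""Flag archive members whose stored mtime is later than the public boast.

Added example for this article, not code from the original page or from
Bill Demirkapi. The archive, file names and POST_TIME are constructed and
hypothetical; nothing here is real leaked material.
"""
import io
import zipfile
from datetime import datetime

# Hypothetical time the boast was posted (assumed UTC for the example).
POST_TIME = datetime(2022, 3, 21, 23, 0, 0)


def build_sample_leak() -> bytes:
    """Construct a small zip in memory with deliberately chosen timestamps.

    Constructed sample data: two members dated before the post and two
    dated after it, which is the pattern the tweet describes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ZipInfo.date_time is (Y, M, D, h, m, s); the zip (DOS) format keeps
        # local time at 2-second resolution and carries no time zone.
        members = [
            ("src/build.ps1", (2022, 3, 21, 20, 10, 0)),       # before the post
            ("src/main.c", (2022, 3, 21, 22, 58, 0)),          # before the post
            ("src/auth/token.c", (2022, 3, 21, 23, 17, 4)),    # after: still copying
            ("src/ci/pipeline.yml", (2022, 3, 22, 0, 41, 30)), # after: still copying
        ]
        for name, dt in members:
            info = zipfile.ZipInfo(name, date_time=dt)
            zf.writestr(info, b"placeholder")
    return buf.getvalue()


def members_after(archive: bytes, cutoff: datetime, tolerance_s: int = 2):
    """Return [(name, mtime), ...] for members modified after `cutoff`.

    `tolerance_s` absorbs the 2-second rounding of zip timestamps so that a
    file written at the same moment as the post is not flagged.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            mtime = datetime(*info.date_time)
            if (mtime - cutoff).total_seconds() > tolerance_s:
                hits.append((info.filename, mtime))
    # Oldest first, so the output reads as a timeline of the exfiltration.
    return sorted(hits, key=lambda entry: entry[1])


def still_exfiltrating(archive: bytes, cutoff: datetime) -> bool:
    """True if any member was modified after the boast was posted."""
    return bool(members_after(archive, cutoff))


if __name__ == "__main__":
    leak = build_sample_leak()
    for name, mtime in members_after(leak, POST_TIME):
        delta = mtime - POST_TIME
        print(f"{name}: modified {delta} after the post")
    print("still exfiltrating:", still_exfiltrating(leak, POST_TIME))
```

Run against a real archive, the only change is to replace build_sample_leak() with the bytes of the file and POST_TIME with the timestamp of the Telegram post, converted to the same time zone the archive was created in; if that zone is unknown, widen the tolerance accordingly rather than trusting a minutes-level result.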
"This group appears to be a young and inexperienced group who are struggling to actually obtain any payments for all of this extortion work," researchers at Silent Push, a threat intelligence firm, wrote in a blog post.
What are their tactics?
Lapsus$ is frequently described as a ransomware group, but its methods are closer to data extortion: steal first, then threaten to publish.
Microsoft said gang members use "a pure extortion and destruction model without deploying ransomware payloads."
They typically focus on compromising user identities to gain a foothold in an organization.
Those credentials let them reach corporate systems and steal valuable data, which they then use to extort the victim.
They also target organizations by recruiting company employees who can provide access to sensitive data. Lapsus$ has openly offered payments for insider access on the group's Telegram channel.
The group's other suspected methods include DNS spoofing attacks, SIM-swapping, and phishing campaigns.
Who are their targets?
The group's early focus on Portuguese-language organizations has since expanded globally.
Recent targets include American GPU giant Nvidia, French gaming publisher Ubisoft, and South Korean tech titan Samsung.
The latest victim is authentication firm Okta.
In the Lapsus$ Telegram channel, members shared screenshots that showed Okta's internal systems.
The LAPSUS$ ransomware group has claimed to breach Okta sharing the following photos from internal systems. pic.twitter.com/eTtpgRzer7
— Bill Demirkapi @ ShmooCon (@BillDemirkapi) March 22, 2022
After initially being accused of downplaying the breach, Okta revealed that up to 366 of its customers had been affected.
In a series of blog posts, Okta's Chief Security Officer, David Bradbury, said the attackers had gained access by remotely controlling the laptop of a third-party support engineer.
While Bradbury told customers that no corrective actions were necessary, Okta's response has been criticized. Shares in the company fell 10.5% on Wednesday, Reuters reports.
How can we stay protected?
The Lapsus$ crime spree has left many organizations worried that they will be the next targets. If you are one of them, Microsoft has this advice:
- Strengthen MFA implementation.
- Require healthy and trusted endpoints.
- Leverage modern authentication options for VPNs.
- Strengthen and monitor your cloud security posture.
- Improve awareness of social engineering attacks.
- Establish operational security processes in response to DEV-0537 intrusions (DEV-0537 is Microsoft's tracking name for Lapsus$).
Cloudflare, meanwhile, has offered advice to Okta customers who may have been affected by the breach.
These tips may have come too late for some Lapsus$ victims, but the gang has surely now become a prized scalp for cyber cops.