Cybersecurity Snapshots #29 - The LAPSUS$ Hacking Group

Cybersecurity Snapshots #29 -

The LAPSUS$ Hacking Group

LAPSUS$ has been in the news a lot lately. The cybercrime group first surfaced in December 2021 with an extortion demand on Brazil's Ministry of Health. Even though LAPSUS$ is a relatively new cybercrime group, it has hit big companies, including Microsoft, Okta, Ubisoft, Nvidia, Samsung, and Vodafone.

During the data breach of Microsoft, LAPSUS$ claimed to have stolen source code for Bing, Cortana, and internal Microsoft projects from a server. LAPSUS$ released a torrent containing 37GB of source code for around 250 projects. The group claimed the data includes 90 percent of Bing's source code and 45 percent of Cortana and Bing Maps code. Other affected projects included websites, mobile apps, and web-based infrastructure. The leaks reportedly contain internal emails and documentation related to published mobile apps. The torrent is not believed to include code for desktop software such as Windows or Microsoft Office. During the data breach of Samsung, LAPSUS$ was able to steal various source codes. The source codes involved in the incident are related to the operation of the company's Galaxy devices. LAPSUS$ published 190GB of confidential data it claimed had been exfiltrated from the tech company. The published data reportedly contained source codes and biometric unlocking algorithms linked to Samsung and source code belonging to American multinational technology corporation Qualcomm. During the breach at Nvidia, LAPSUS$ claimed to have stolen 1TB of data, including all the silicon, graphics, and computer chipset files "for all recent Nvidia GPUs." Security researchers at Microsoft have stated that while it may be tempting to dismiss LAPSUS$ as an immature and fame-seeking group, their tactics should make anyone in charge of corporate security sit up and take notice.

Microsoft's security researchers discovered that LAPSUS$ mostly gains illicit access to targets via "social engineering." This involves bribing or tricking employees at the target organization or its myriad partners, such as customer support call centers and help desks. The researchers found instances where the group successfully gained access to target organizations through recruited employees. The LAPSUS$ Telegram channel has grown to more than 45,000 subscribers, and Microsoft found an ad they posted there offering to recruit insiders at major mobile phone providers, large software and gaming companies, hosting firms, and call centers. After further investigation, it was found that LAPSUS$ has been recruiting insiders via multiple social media platforms since at least November 2021. One of the core LAPSUS$ members who used the nicknames "Oklaqq" and "WhiteDoxbin" posted recruitment messages to Reddit last year, offering employees at AT&T, T-Mobile, and Verizon up to $20,000 a week to perform "inside jobs." Many of LAPSUS$'s recruitment ads are written in both English and Portuguese. According to researchers at Flashpoint, LAPSUS$ currently does not operate a clearnet or darknet leak site or traditional social media accounts. LAPUSUS$ instead uses Telegram and email. The researchers stated that the individuals behind the group are likely experienced and have demonstrated in-depth technical knowledge and abilities. The group has claimed it is not state-sponsored.

Security researchers at Digital Shadows stated that little is known of the group's origins. However, given that LAPSUS$'s initial activity was directed toward several organizations in Brazil, some researchers have speculated that the group is based in South America. The London police recently stated that seven people between the ages of 16 and 21 had been arrested in connection with an investigation into a hacking group. One of the individuals, a 16 year old from Oxford, was arrested and accused of being one of the leaders of the cybercrime gang. The 16-year-old used an online moniker "White." Unit 221B working with Palo Alto after identifying the actor, watched him on his exploits throughout 2021, periodically sending law enforcement a heads-up about the latest crimes. The researchers tracked "White" through a trail of activity linked through a nearly unbroken stream of the boy's online accounts. The researchers stated that the trail was followed thanks to mistakes "White" made in failing to cover his tracks. During the arrest of the seven people, LAPSUS$-related cybercrime activities continued with the leak of some 70GBytes of data allegedly purloined from software development company Globant. The mystery of who, what, and where the LAPSUS$ kingpins are located has deepened.

Security researchers stated that the critical thing to remember is that the LAPSUS$ attacks, along with many others, rely at least in part on ongoing attempts to trick, persuade, or bribe insiders into granting remote access. So, organizations should do a better job at vetting employees before they are hired, and organizations need to do a better job at training staff. Organizations should also have a fast, simple way for staff to report security anomalies to the proper in-house security experts. LAPSUS$ does not give up if their first attempt to break in fails, so the sooner an employee in a company feels empowered to say something, the sooner everyone can be warned and protected. Researchers noted that if employees do not feel like they can say anything, then the adversaries get a free pass to try to sneak in repeatedly.