A few hours ago, I reported in the article Lapsus$ hacker group debunked? Teenager from Britain and Brazil suspected? that security researchers believe they have uncovered the mastermind of the LAPSUS$ gang. It has now been revealed that British police have arrested seven teenagers in connection with the LAPSUS$ gang’s activities.
The Lapsus$ group has only been causing a furore with spectacular hacks since the start of 2022 (the group first appeared in autumn 2021). Nvidia, Samsung, Microsoft and Okta are among the companies that have been announced as victims of hacks in this context. I have reported on the hacks of the Lapsus$ group several times in recent days – see the links at the end of the article.
In this article, Microsoft explains at some length how the Lapsus$ attackers (called DEV-0537 there) proceed when hacking companies and organisations. Four security researchers have investigated a series of attacks by the Lapsus$ hacker group on technology companies, including Microsoft Corp. and Nvidia Corp., on behalf of the companies under attack. The researchers used forensic evidence from the hacks as well as publicly available information to find out and name the perpetrators. I had reported the details in the article Lapsus$ hacker group debunked? Teenager from Britain and Brazil suspected?
Arrests in Great Britain
The BBC reports in this article, which came to my attention via the following tweet, that seven teenagers have been arrested in connection with the activities of the LAPSUS$ gang.
Among them is probably the now 17-year-old teenager who lives near Oxford and is considered the mastermind of the LAPSUS$ gang. The teenager, who is said to have looted 14 million dollars (10.6 million euros) through hacking, was exposed by rival hackers and security researchers.
Under his online name “White” or “Breachbase”, the teenager, who has autism, is said to be a member of the hacker group Lapsus$, which also appears to have members in South America. City of London Police say they have arrested seven teenagers in connection with the LAPSUS$ gang, but will not say whether White is one of those arrested.
Seven people aged between 16 and 21 have been arrested in connection with the investigation into a hacking group. They have all been released under investigation. Our investigation is still ongoing.
The teenager, whose name cannot be given by the BBC for legal reasons, attends a special school in Oxford, according to the article above. The teenager’s mother, who was contacted by reporters, claims to have been unaware of the activities. The boy’s father, who as I understand it lives separately from the mother, told the BBC: “I had never heard of it until recently. He’s never talked about hacking, but he’s very computer literate and spends a lot of time on the computer. I always thought he was playing games.”
But it may also be a protective claim, because one doxing site says that the father must have been aware from conversations that his son is a hacker. Now the father wants to try to keep the boy away from the computer. According to my information, however, the police had been on the trail of the group for some time and possibly reacted now to the publication of the information about the hacker.
Findings from Palo Alto Networks
I have received some more information from Palo Alto Networks that rounds out the picture of the LAPSUS$ gang. Their security researchers are amazed that this threat actor has gone from a handful of subversive attacks to stealing and publishing source code from several leading technology companies in just a few months.
No ransomware group
I find the classification of the group interesting, as I had read indications that ransomware had also been used. Palo Alto Networks writes that Lapsus$ is sometimes referred to in reports as a ransomware group, although it is distinguished by the fact that it does not use ransomware in extortion attempts.
In today’s environment, threat actors favour the use of ransomware to encrypt data and systems, often extorting victims for significant amounts of cryptocurrency in exchange for decryption keys, sometimes increasing the pressure by threatening to release stolen data. However, Lapsus$ is unusual in its approach – for this group, notoriety rather than financial gain seems to be the goal.
Social engineering as leverage
Unit 42 has helped organisations respond to several Lapsus$ attacks. According to Palo Alto Networks, the Lapsus$ group does not deploy malware in victim environments, does not encrypt data and, in most cases, does not use extortion. The group focuses on a combination of stolen credentials and social engineering to gain access to victims. Security researchers have also seen them ask employees on Telegram for their credentials at specific companies in industries including telecoms, software, gaming, hosting providers and call centres. However, all of this was previously known.
Damages can be high
Even so, the group’s attacks and release of stolen data can be very damaging even without blackmail. In addition, the security researchers and forensic experts have seen destructive Lapsus$ attacks in which the actors gained access to a company’s cloud environment, wiped systems and destroyed over a thousand virtual machines.
Summary of Unit 42 findings
There are no public indicators of compromise (IoCs) and no tactics, techniques and procedures (TTPs) unique to the Lapsus$ gang. However, the security researchers have created a summary of what is known about this threat actor to support defenders. The goal should be to better understand the attacks and mitigate the threat (from similar attacks). Recent publicly known victims have included:
However, there are additional (presumably many more) victims who have been the target of attacks, but this has not been publicised. The December 2021 attack on the Ministry of Health in Brazil was not widely discussed here on the blog or in the media. Nor did I address the attack on the Portuguese media company Impresa here on the blog – there are simply too many hacks, vulnerabilities and ransomware cases every day. Security researchers first observed Lapsus$ in mid-2021, and the first attack activity under this name took place in August 2021, when some British mobile phone customers reported receiving threats.
It is likely that some victims are not the intended end target, but rather are breached to gain access to their customers or to help bypass multi-factor authentication (MFA), for example. In this regard, Unit 42 has observed this actor’s involvement in vishing, SIM swapping and soliciting third parties at providers for insider access. The breach of the authentication service Okta is used as evidence to support this theory, as the threat actor stated on the Lapsus$ group’s Telegram channel: “… our focus was ONLY on Okta customers.”
The key takeaway is that because the group uses a variety of techniques for its attacks, no single technique can protect against Lapsus$ or detect its attacks. For this reason, the security researchers recommend that companies focus on following general information security best practices. And there seems to be a lot wrong with that, seeing that some teenagers were able to use financial enticements and tricks to break into the IT systems of well-known companies such as Microsoft or the authentication service Okta.
Unit 42, together with researchers from Unit 221b, identified the main actor behind the Lapsus$ group nickname in 2021 and assisted law enforcement agencies in their efforts to prosecute this group. The summary in English, enriched with many screenshots of the group, was published by Palo Alto Networks in this article.
Ubisoft hacked by Lapsus$ cyber gang (March 2022)
Cyber attacks on Nvidia and McDonalds (Feb. 25, 2022)
Samsung confirms hack, source code leaked by Lapsus$
Lapsus$ allegedly publishes source code of Microsoft Azure, Bing and Cortana
Authentication service OKTA hacked by Lapsus$?
Lapsus$ hacks: statements from Okta and Microsoft
Lapsus$ hacker group debunked? Teenager from Britain and Brazil suspected?