The Lapsus$ hacking group stole T-Mobile’s source code in a series of breaches that took place in March, as first reported by Krebs on Security. T-Mobile confirmed the attack in a statement to The Verge, and says the “systems accessed contained no customer or government information or other similarly sensitive information.”
In copies of private messages obtained by Krebs, the Lapsus$ hacking group discussed targeting T-Mobile in the week prior to the arrest of seven of its teenage members. After purchasing employees’ credentials online, the members could use the company’s internal tools — like Atlas, T-Mobile’s customer management system — to perform SIM swaps. This type of attack involves hijacking a target’s mobile phone by transferring its number to a device owned by the attacker. From there, the attacker can obtain texts or calls received by that person’s phone number, including any messages sent for multi-factor authentication.
According to screenshotted messages posted by Krebs, Lapsus$ hackers also attempted to crack into the FBI and Department of Defense’s T-Mobile accounts. They were ultimately unable to do so, as additional verification measures were required.
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” T-Mobile said in an emailed statement to The Verge. “Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
T-Mobile has been the victim of several attacks over the years. Although this particular hack didn’t affect customers’ data, past incidents did. In August 2021, a breach exposed the personal information belonging to over 47 million customers, while another attack occurring just months later compromised “a small number” of customer accounts.
Lapsus$ has made a name for itself as a hacking group that primarily targets the source code of large technology companies, like Microsoft, Samsung, and Nvidia. The group, which is reportedly led by a teenage mastermind, has also targeted Ubisoft, Apple Health partner Globant, and authentication company Okta.
A newly discovered vulnerability in Microsoft Office is already being exploited by hackers linked to the Chinese government, according to threat analysis research from security firm Proofpoint.
Details shared by Proofpoint on Twitter suggest that a hacking group labeled TA413 was using the vulnerability (named “Follina” by researchers) in malicious Word documents purported to be sent from the Central Tibetan Administration, the Tibetan government in exile based in Dharamsala, India. The TA413 group is an APT, or “advanced persistent threat,” actor believed to be linked to the Chinese government and has previously been observed targeting the Tibetan exile community.
In general, Chinese hackers have a history of using software security flaws to target Tibetans. A report published by Citizen Lab in 2019 documented extensive targeting of Tibetan political figures with spyware, including through Android browser exploits and malicious links sent through WhatsApp. Browser extensions have also been weaponized for the purpose, with previous analysis from Proofpoint uncovering the use of a malicious Firefox add-on to spy on Tibetan activists.
The Microsoft Word vulnerability first began to receive widespread attention on May 27th, when a security research group known as Nao Sec took to Twitter to discuss a sample submitted to the online malware scanning service VirusTotal. Nao Sec’s tweet flagged the malicious code as being delivered through Microsoft Word documents, which were ultimately used to execute commands through PowerShell, a powerful system administration tool for Windows.
In a blog post published on May 29th, researcher Kevin Beaumont shared further details of the vulnerability. Per Beaumont’s analysis, the vulnerability let a maliciously crafted Word document load HTML files from a remote webserver and then execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool (MSDT), a program that usually collects information about crashes and other problems with Microsoft applications.
According to Microsoft’s own security response blog, an attacker able to exploit the vulnerability could install programs, access, modify, or delete data, and even create new user accounts on a compromised system. So far, Microsoft has not issued an official patch but offered mitigation measures for the vulnerability that involve manually disabling the URL loading feature of the MSDT tool.
Due to the widespread use of Microsoft Office and related products, the potential attack surface for the vulnerability is large. Current analysis suggests that Follina affects Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365; and, as of Tuesday, the US Cybersecurity and Infrastructure Security Agency was urging system administrators to implement Microsoft’s guidance for mitigating exploitation.
Mailchimp, the veteran email marketing platform, has confirmed that hackers used an internal tool to steal data from more than 100 of its clients — with the data being used to mount phishing attacks on the users of cryptocurrency services.
The breach was confirmed to the press by Mailchimp on Monday, but it had come to light over the weekend when users of the Trezor hardware cryptocurrency wallet reported being targeted by sophisticated phishing emails.
MailChimp have confirmed that their service has been compromised by an insider targeting crypto companies.
We have managed to take the phishing domain offline. We are trying to determine how many email addresses have been affected. 1/
In a statement sent to The Verge, Mailchimp CISO Siobhan Smyth said that the company had become aware of the breach on March 26th when it detected unauthorized access of a tool used by the company’s customer support and account administration teams. Although Mailchimp deactivated the compromised employee accounts after learning of the breach, the hackers were still able to view around 300 Mailchimp user accounts and obtain audience data from 102 of them, Smyth said.
“We sincerely apologize to our users for this incident and realize that it brings inconvenience and raises questions for our users and their customers,” Smyth said. “We take pride in our security culture, infrastructure, and the trust our customers place in us to safeguard their data. We’re confident in the security measures and robust processes we have in place to protect our users’ data and prevent future incidents.”
However, details of the hack show that the compromise of Mailchimp’s internal tools was just one piece in a bigger puzzle. As Bleeping Computer reports, one of the stolen email lists was used to send a fake data breach notification to Trezor customers, prompting them to download a new version of the Trezor Suite desktop application. In fact, the email directed users to a phishing site that hosted a fake version of the application, designed to steal the seed phrase that would allow hackers to gain total control over a user’s cryptocurrency wallet. It’s currently unclear whether any Trezor users had funds stolen by the attack.
In a blog post published Monday, Trezor said that the attack was “exceptional in its sophistication and … clearly planned to a high level of detail,” with the cloned version of the Trezor Suite app presenting a realistic functionality to anyone who installed it. SatoshiLabs, the makers of the Trezor wallet, have not yet responded to further questions sent by The Verge.
So far, Mailchimp’s analysis has concluded that the attackers focused on obtaining data from users in the cryptocurrency and finance sectors. Unfortunately for Trezor users — and for customers of every other organization whose data was compromised — it’s safe to say that a skilled threat actor now has knowledge of the users’ email contact details and potentially the type of crypto hardware and software they are using.
Users of Trezor devices have been advised to report any new phishing attempts directly to email@example.com. Mailchimp has stated that the owners of all other compromised accounts have been informed, so more notifications from affected entities will likely appear soon.
Around 4:30AM ET on Friday, the official Discord channel for OpenSea, the world’s largest NFT marketplace, joined the growing list of NFT communities that have exposed participants to phishing attacks.
In this case, a bot made a fake announcement about OpenSea partnering with YouTube, enticing users to click on a “YouTube Genesis Mint Pass” link to snag one of 100 free NFTs with “insane utility” before they’d be gone forever, as well as a few follow-up messages. Blockchain security tracking company PeckShield tagged the URL the attackers linked, “youtubenft[.]art” as a phishing site, which is now unavailable.
While the messages and phishing site are already gone, one person who said they lost NFTs in the incident pointed to this address on the blockchain as belonging to the attacker, so we can see more information about what happened next. While that identity has been blocked on OpenSea’s site, viewing it via Etherscan.io or a competing NFT marketplace, Rarible, shows 13 NFTs were transferred to it from five sources around the time of the attack. They’re now also reported on OpenSea for “suspicious activity” and, based on their prices when last sold, appear to be worth a little over $18,000.
This kind of intermediary attack in which scammers exploit NFT traders who are looking to capitalize on “airdrops” has become common for prominent Web3 organizations. It’s common for announcements to appear out of the blue, and the nature of the blockchain may give some users reasons to click first and consider the consequences later.
Beyond the desire to snag rare items, there’s the knowledge that waiting can make minting an NFT amid a rush much slower, more expensive, or even impossible (if the buyer runs out of funds during the process). And if a user has left any items or cryptocurrency in a hot wallet connected to the internet, handing login details to a phisher can give them away in seconds.
In a statement to The Verge, OpenSea spokesperson Allie Mack confirmed the incident, saying, “Last night, an attacker was able to post malicious links in several of our Discord channels. We noticed the malicious links soon after they were posted and took immediate steps to remedy the situation, including removing the malicious bots and accounts. We also alerted our community via our Twitter support channel to not click any links in our Discord. We have not seen any new malicious posts since 4:30am ET.”
“We continue to actively investigate this attack, and will keep our community apprised of any relevant new information. Our preliminary analysis indicates that the attack had limited impact. We are currently aware of fewer than 10 impacted wallets and stolen items amounting to less than 10 ETH,” says Mack.
OpenSea has not made a statement about how the channel was hacked, but as we explained in December, one entry point for this style of attack is the webhooks feature that organizations often use to let bots post in their channels. If a hacker obtains a webhook or compromises the account of someone authorized to use one, they can send a message and/or URL that appears to come from an official source.
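One control a community can put in front of a webhook is a link-vetting filter that runs on every bot post before it is published, holding anything that points outside the organization’s own domains, and flagging hosts that borrow brand names the way the “youtubenft[.]art” site did. The following is an added example, not code from OpenSea, Discord or PeckShield; the allow-list, brand tokens and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the domains official announcements may link to.
OFFICIAL_DOMAINS = {"opensea.io", "youtube.com", "discord.com"}
# Brand or campaign words whose presence in a non-official host suggests impersonation.
BRAND_TOKENS = ("opensea", "youtube", "mint", "airdrop")
# Matches plain and defanged ("[.]") URLs, with or without a scheme.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)
URGENCY_RE = re.compile(r"insane utility|gone forever|hurry|last chance|only \d+ left", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged indicator back into a parseable URL."""
    return url.replace("[.]", ".")


def host_of(url: str) -> str:
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_official(host: str) -> bool:
    """Exact match or a subdomain of an allow-listed domain; suffix tricks like
    'opensea.io.evil.example' do not pass."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def vet_message(text: str):
    """Return ("post", []) or ("hold", reasons) for a webhook/bot post."""
    reasons = []
    for match in URL_RE.finditer(text):
        host = host_of(refang(match.group(0)))
        if not host or is_official(host):
            continue
        hits = [b for b in BRAND_TOKENS if b in host]
        if hits:
            reasons.append(f"{host} is not an official domain but uses brand term(s): {', '.join(hits)}")
        else:
            reasons.append(f"{host} is not on the official-domain allow-list")
    if reasons and URGENCY_RE.search(text):
        reasons.append("off-domain link is paired with urgency language")
    return ("hold" if reasons else "post"), reasons


# Constructed sample posts: one modelled on the fake partnership announcement,
# one ordinary maintenance notice.
FAKE_ANNOUNCEMENT = (
    "OpenSea x YouTube partnership! Claim your YouTube Genesis Mint Pass "
    "(insane utility, 100 only, gone forever after): https://youtubenft[.]art/mint"
)
REAL_ANNOUNCEMENT = "Scheduled maintenance tonight, details at https://opensea.io/blog"

if __name__ == "__main__":
    for msg in (FAKE_ANNOUNCEMENT, REAL_ANNOUNCEMENT):
        print(vet_message(msg))
```

Holding rather than silently dropping lets a human moderator release a legitimate post that happens to link to a new partner domain, while the brand-token check catches the common pattern of an official-sounding name registered on an unrelated TLD.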
Recent attacks have included one that stole $800k worth of the blockchain trinkets from the “Rare Bears” Discord, and the Bored Ape Yacht Club announced its channel had been compromised on April 1st. On April 25th, the BAYC Instagram served as a conduit for a similar heist that snagged more than $1 million worth of NFTs just by sending out a phishing link.
The vulnerability has been dubbed Follina by one of the researchers who first looked into it — Kevin Beaumont, who also wrote a lengthy post about it. It first came to light on May 27 through a tweet by nao_sec, although Microsoft allegedly first heard of it as early as April. Although no patch has been released for it just yet, Microsoft’s workaround involves disabling the Microsoft Support Diagnostic Tool (MSDT), which is how the exploit gets entry into the attacked computer.
This exploit affects primarily .rtf files, but other MS Word files can also be affected. A feature in MS Word called Templates allows the program to load and execute code from external sources. Follina relies on this in order to enter the computer and then runs a series of commands that opens up MSDT. Under regular circumstances, MSDT is a safe tool that Microsoft uses to debug various issues for Windows users. Unfortunately, in this case, it also grants remote access to your computer, which helps the exploit take control of it.
In the case of .rtf files, the exploit can run even if you don’t open the file. As long as you view it in File Explorer, Follina can be executed. Once the attacker gains control of your computer via MSDT, it’s up to them as far as what they want to do. They might download malicious software, leak files, and do pretty much everything else.
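Both descriptions of Follina above, the Word document that loads HTML from a remote server and then hands off to MSDT (Beaumont’s analysis) and the template feature that fetches content from external sources, come down to markers a defender can look for inside the document package itself: a relationship that makes Word fetch a part over HTTP(S) when the file opens, and any reference to the MSDT protocol handler’s `ms-msdt:` scheme. The scanner below is an added example, not code from Beaumont, Nao Sec, Proofpoint or Microsoft; it reads a .docx as the zip archive it is, and the three sample documents are constructed in memory (the remote host 203.0.113.5 is a documentation address) so it runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship namespace; every *.rels part in a .docx uses it.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Hyperlinks are external by design and only open on click, so they are not
# treated as an automatic loading vector here.
BENIGN_EXTERNAL_KINDS = {"hyperlink"}
# URI scheme handled by the Microsoft Support Diagnostic Tool (MSDT).
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return a list of findings for a .docx supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # 1. Relationships that make Word fetch remote content at open time
        #    (attached template, embedded object, ...).
        for name in (n for n in names if n.endswith(".rels")):
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append(f"{name}: malformed relationships XML")
                continue
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if kind in BENIGN_EXTERNAL_KINDS:
                    continue
                if urlparse(target).scheme.lower() in ("http", "https"):
                    findings.append(f"{name}: {kind} relationship loads remote content from {target}")
        # 2. Any part at all that mentions the MSDT protocol handler.
        for name in names:
            if MSDT_SCHEME.search(zf.read(name)):
                findings.append(f"{name}: references the ms-msdt: URI scheme")
    return findings


def build_sample_docx(rels_parts: dict, body: str = "Quarterly report") -> bytes:
    """Constructed minimal .docx used only to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<document>{body}</document>")
        for name, xml in rels_parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def rels_xml(*relationships: str) -> str:
    return f'<Relationships xmlns="{RELS_NS[1:-1]}">' + "".join(relationships) + "</Relationships>"


def relationship(rid: str, kind: str, target: str, external: bool = True) -> str:
    mode = ' TargetMode="External"' if external else ""
    return f'<Relationship Id="{rid}" Type="{REL_TYPE_BASE}{kind}" Target="{target}"{mode}/>'


# Constructed samples: an ordinary document with a clickable link, one whose
# settings pull a template from a remote host, and one that merely mentions MSDT.
BENIGN_DOC = build_sample_docx({
    "word/_rels/document.xml.rels": rels_xml(relationship("rId1", "hyperlink", "https://example.org/")),
})
REMOTE_TEMPLATE_DOC = build_sample_docx({
    "word/_rels/settings.xml.rels": rels_xml(relationship("rId1", "attachedTemplate", "http://203.0.113.5/t.dotm")),
})
MSDT_TEXT_DOC = build_sample_docx({}, body="ms-msdt: handler mentioned in text")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("remote template", REMOTE_TEMPLATE_DOC), ("msdt text", MSDT_TEXT_DOC)):
        print(label, scan_docx(doc))
```

Run this on an inbound mail attachment queue and quarantine anything with a finding; the second check is deliberately broad, because a document that mentions the MSDT scheme anywhere has no business reason to exist in normal traffic, and the first check walks every `.rels` part rather than just the main body’s, since an attached template lives in the settings relationships.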
Beaumont has shared plenty of examples of the way Follina has already been exploited and found in various files. The exploit is being used for financial extortion, among other things. Needless to say — you don’t want this on your computer.
What do you do until Microsoft releases a patch?
There are a few steps you can take to stay safe from the Follina exploit until Microsoft itself releases a patch that will fix this problem. As things stand now, the workaround is the official fix, and we don’t know for a fact that anything else is sure to follow.
First and foremost, check whether your version of Microsoft Office could potentially be affected. So far, the vulnerability has been found in Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365. There is no telling whether older versions of Microsoft Office are safe, though, so it’s better to take additional steps to protect yourself.
Last but not least, follow Microsoft’s guidance on disabling MSDT. It will require you to open the Command Prompt and run it as administrator, then input a couple of entries. If everything goes through as planned, you should be safe from Follina. Nevertheless, remember to always be cautious.
The popular wedding planning website Zola, known for its online gift registries, guest list management, and wedding websites, confirmed Monday that hackers had managed to access the accounts of a number of its users and tried to initiate fraudulent cash transfers.
Over the weekend, some Zola users posted on social media that linked bank accounts had been used to purchase gift cards. One tweet flagged by a Reddit user claimed to show cracked Zola accounts being resold on the black market and used to buy gift vouchers.
Zola’s director of communications, Emily Forrest, told The Verge that the unauthorized account access took place through a “credential stuffing” attack, where hackers test out email and password combinations stolen from other breaches across a range of websites to target people using the same password on multiple sites.
“We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked,” Forrest said. “Credit cards and bank info were never exposed and continue to be protected.”
Forrest also said that the company is aware of fraudulent gift card orders and is working to correct them. She said that there was no direct hack of Zola’s infrastructure and that fewer than 0.1 percent of couples using Zola were affected.
On Sunday, Zola sent out a mass email informing users that account passwords had automatically been reset. Zola said that this action had been extended to all site users “out of an abundance of caution,” though the vast majority were not affected. Both iOS and Android versions of the Zola app were also disabled during the incident but have since been re-enabled.
Reporting from TechCrunch suggested that Zola does not provide two-factor authentication (2FA) for all user accounts, making credential stuffing attacks easier to achieve. However, Forrest told The Verge that Zola uses an “adaptive 2FA” system where login codes are sent by email as a protection measure if certain security rules are triggered. The adaptive 2FA system had failed to prevent some accounts being compromised, she said, but Zola was committed to expanding its 2FA program and was working with an outside provider to improve security overall.
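The two defenses this article circles, spotting credential stuffing as it happens and stepping up to an emailed code when a login looks risky, fit together in one piece of login-path logic. The engine below is an added example and is not Zola’s code; it assumes nothing about Zola’s actual rules. It watches each source IP for the stuffing signature (many distinct accounts, mostly failures, in a short window) and requires a second factor when a successful login comes from a flagged IP or from a device the account has never used. The login events are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: int            # unix seconds
    ip: str
    account: str
    password_ok: bool  # did the submitted password match
    device_id: str     # cookie or fingerprint presented by the client


class LoginRiskEngine:
    """Adaptive authentication: detect credential-stuffing traffic per source IP
    and step up to an emailed code when a successful login carries risk signals."""

    def __init__(self, window=300, min_accounts=5, min_failure_ratio=0.6):
        self.window = window                      # seconds of history kept per IP
        self.min_accounts = min_accounts          # distinct accounts tried from one IP
        self.min_failure_ratio = min_failure_ratio
        self.by_ip = defaultdict(deque)           # ip -> recent (ts, account, ok)
        self.known_devices = defaultdict(set)     # account -> device ids seen before
        self.flagged_ips = set()

    def enroll_device(self, account: str, device_id: str) -> None:
        self.known_devices[account].add(device_id)

    def _record(self, ev: LoginEvent) -> None:
        q = self.by_ip[ev.ip]
        q.append((ev.ts, ev.account, ev.password_ok))
        while q and q[0][0] < ev.ts - self.window:   # drop events outside the window
            q.popleft()

    def ip_looks_like_stuffing(self, ip: str) -> bool:
        q = self.by_ip[ip]
        if not q:
            return False
        accounts = {acct for _, acct, _ in q}
        failures = sum(1 for _, _, ok in q if not ok)
        return len(accounts) >= self.min_accounts and failures / len(q) >= self.min_failure_ratio

    def process(self, ev: LoginEvent):
        """Return (decision, reasons): deny, allow, or step_up (emailed code required)."""
        self._record(ev)
        if self.ip_looks_like_stuffing(ev.ip):
            self.flagged_ips.add(ev.ip)
        if not ev.password_ok:
            return "deny", ["wrong password"]
        reasons = []
        if ev.ip in self.flagged_ips:
            reasons.append("source IP matches credential-stuffing pattern")
        if ev.device_id not in self.known_devices[ev.account]:
            reasons.append("device never seen on this account")
        if reasons:
            return "step_up", reasons
        return "allow", []


def run_sample():
    """Constructed traffic: one regular user, one stuffing run that hits a reused
    password, and a regular user on a brand-new laptop."""
    engine = LoginRiskEngine()
    engine.enroll_device("alice", "dev-alice-phone")
    engine.enroll_device("dave", "dev-dave-laptop")
    t = 1_650_000_000
    events = [LoginEvent(t, "198.51.100.10", "alice", True, "dev-alice-phone")]
    leaked_pairs = ["u1", "u2", "u3", "u4", "u5", "u6", "dave"]   # only dave reused his password
    for i, acct in enumerate(leaked_pairs):
        events.append(LoginEvent(t + 1 + i, "203.0.113.7", acct, acct == "dave", "dev-headless"))
    events.append(LoginEvent(t + 60, "198.51.100.20", "alice", True, "dev-alice-new-laptop"))
    return [(ev.account, *engine.process(ev)) for ev in events]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The point of the design is that a correct password is never sufficient on its own when the surrounding traffic says otherwise: dave’s reused password is accepted by the password check, yet the session is held behind an emailed code because the same IP just failed six other accounts. A production version would key the velocity check on more than the raw IP (ASN, /24, device fingerprint) and would also rate-limit the emailed codes themselves.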
Zola has been directing any users who have been affected to contact firstname.lastname@example.org for further information.
Updated May 25th, 2:45PM ET to include additional comment from Zola on 2FA measures.
The hacking group Lapsus$, known for claiming to have hacked Nvidia, Samsung, and more, this week claimed it has even hacked Microsoft. The group posted a file that it claimed contains partial source code for Bing and Cortana in an archive holding nearly 37GB of data.
On Tuesday evening, after investigating, Microsoft confirmed the group that it calls DEV-0537 compromised “a single account” and stole parts of source code for some of its products. A blog post on its security site says Microsoft investigators have been tracking the Lapsus$ group for weeks, and details some of the methods they’ve used to compromise victims’ systems. According to the Microsoft Threat Intelligence Center (MSTIC), “the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”
Microsoft maintains that the leaked code is not severe enough to cause an elevation of risk, and that its response teams shut down the hackers mid-operation.
Lapsus$ has been on a tear recently if its claims are to be believed. The group says it’s had access to data from Okta, Samsung, and Ubisoft, as well as Nvidia and now Microsoft. While companies like Samsung and Nvidia have admitted their data was stolen, Okta pushed back against the group’s claims that it has access to its authentication service, claiming that “The Okta service has not been breached and remains fully operational.”
This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.
Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.
This isn’t the first time Microsoft’s claimed it assumes attackers will access its source code — it said the same thing after the Solarwinds attack. Lapsus$ also claims that it only got around 45 percent of the code for Bing and Cortana, and around 90 percent of the code for Bing Maps. The latter feels like a less valuable target than the other two, even if Microsoft was worried about its source code revealing vulnerabilities.
In its blog post, Microsoft outlines a number of steps other organizations can take to improve their security, including requiring multifactor authentication, not using “weak” multifactor authentication methods like text messages or secondary email, educating team members about the potential for social engineering attacks, and creating processes for potential responses to Lapsus$ attacks. Microsoft also says that it’ll keep tracking Lapsus$, keeping an eye on any attacks it carries out on Microsoft customers.
Following a cyberattack that took Nvidia’s systems offline for two days last week, the hacking group behind the initial breach has now revealed it has allegedly gained access to over 1TB of data from the tech giant.
When the attack was originally reported on Friday, there wasn’t too much information provided beyond the fact that Nvidia was “investigating an incident.” However, over the weekend, there were some extremely interesting developments pertaining to the situation, which include purported retaliation by Nvidia.
Cyber breach details reveal extent of hack
Firstly, hacking group LAPSUS$ stated that the hack it carried out resulted in gaining entry to Nvidia’s servers for about an entire week. As a result of this unprecedented access, it says it was able to extract 1TB of data, including schematics, drivers, firmware, and more.
“We also have documentation, private tools and SDKs, and everything about falcon [microprocessors for NVIDIA GPUs based on a custom architecture], we know what is valuable,” the South American group explained on Telegram.
According to VideoCardz, the group has released the first batch of the leak. The publication’s sources indicate that the “partial data included in the package appears to match the claims.”
One important piece of data originating from the hack the group claims it now has in its possession is an LHR V2 bypass for GA102-GA104 GPUs. As reported by VideoCardz, that means LAPSUS$ located the main algorithm used to implement the cryptocurrency mining hash rate limiter that Nvidia applied to its RTX 30-series of graphics cards in 2021. It says it is currently selling the LHR V2 bypass, but added that the group hopes Nvidia removes it soon.
Most recently, a tool that was claimed to remove the mining limits imposed on various Nvidia GPUs was proven to be malware. But if these hackers’ assertion that they stole the algorithm behind the limiter is actually true, then a program to unlock full mining performance for some of the most popular video cards may very well materialize in the near future.
As detailed in its Telegram posts revealing the extent of the hack, the group said that in an effort to “help” the mining and gaming communities, it wants Nvidia to “push an update for all 30-series firmware that remove every LHR limitation.” If the company does not meet this specific demand, LAPSUS$ threatens to leak the “hw folder.”
Moreover, should Nvidia fail to contact the hackers, the group “will take actions.” While the exact motive behind the hack may potentially be related to extracting as much monetary value as it can, LAPSUS$ stresses the attack is not politically motivated, nor is it state-sponsored.
Nvidia fights back
In an interesting turn of events over the weekend, Nvidia has seemingly fought back by, well, hacking the hackers. According to a tweet from vx-underground, as reported by Kitguru, Team Green “performed a hack back” and subsequently “ransomed [the group’s] machines.” A statement from the group further elaborated on Nvidia’s actions, apparently confirming that the firm encrypted its hard drives. However, LAPSUS$ asserts it was able to generate a backup containing the breached data.
LAPSUS$ commented on Nvidia’s alleged counterattack in another Telegram post. Access to the GPU and chip manufacturer’s VPN required the PC “to be enrolled in MDM (Mobile Device Management).” Due to this method that was utilized by the hackers to initially infiltrate Nvidia’s systems, the firm was “able to connect to a VM [virtual machine] we use.”
“Yes they successfully encrypted the data. However we have a backup,” it added.
Either way, it’s unheard of for a company of Nvidia’s size to initiate its own counterassault of this nature, regardless of whether it was in the form of a hack or not.
As for Nvidia’s acknowledgement of the purported exploits, it confirmed it is “investigating an incident” on Friday. Beyond that admission, LAPSUS$ said the company “filed [an] abuse report.”
Elsewhere, as reported by Bloomberg, Nvidia said its “business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time.” Additionally, a Bloomberg source familiar with the matter said the cyber breach “looks to be relatively minor and not fueled by geopolitical tensions.”
News of the cyberattack failed to negatively impact Nvidia’s stock prices. Instead, shares actually increased by 1.7% to $241.57 when the markets closed on Friday. That said, Bloomberg highlights how stocks for the chipmaker (with the company valued north of $600 billion) have been on a downward trend during 2022 thus far (by 18% to be exact).
The hack comes at a time when Nvidia’s proposed $66 billion acquisition of British chip designer ARM was officially canceled amid intense regulatory pressure from several governmental bodies.
Hackers have managed to find a way to successfully gain access to uninterruptible power supply (UPS) computer systems, according to a report from The Cybersecurity and Infrastructure Security Agency (CISA).
As reported by Bleeping Computer and Tom’s Hardware, both the Department of Energy and CISA issued a warning to organizations based in the U.S. that malicious threat actors have started to focus on infiltrating UPS devices, which are used by data centers, server rooms, and hospitals.
UPS devices allow companies to rely on emergency power when the central source of power is cut off for any given reason. If the attacks concentrated on these systems come to fruition, the consequences could prove to be catastrophic. In fact, it could cause PCs or their power supplies to burn up, potentially leading to fires breaking out at data centers and even homes.
Both federal agencies confirmed that hackers have found entry points to several internet-connected UPS devices predominantly via unchanged default usernames and passwords.
“Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet,” the report stated.
Other mitigation responses the agencies recommended putting in place include safeguarding devices and systems by protecting them through a virtual private network, applying multi-factor authentication, and making use of effective passwords or passphrases that can’t be easily deciphered.
To this end, the report stresses that organizations change UPS usernames and passwords that are still at factory default settings. CISA also said that login timeout and lockout features should be enabled for further protection.
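The agencies’ mitigation points (management interface off the internet or behind a VPN, factory credentials replaced, strong passwords or passphrases, multi-factor authentication, login timeout and lockout) read naturally as an audit checklist, and the script below turns them into one. It is an added example, not code from CISA, the Department of Energy or any UPS vendor; the configuration layout, the illustrative default-credential list and the two sample configurations are constructed, so a real deployment would populate them from the vendor’s documentation and an inventory export.

```python
# Constructed illustrative default pairs; a real inventory would carry each
# vendor's documented factory credentials for the exact management card model.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("user", "user")}
MIN_PASSWORD_LEN = 15
MIN_PASSPHRASE_WORDS = 4


def password_is_strong(pw: str) -> bool:
    """Accept either a long secret or a multi-word passphrase."""
    if len(pw) >= MIN_PASSWORD_LEN:
        return True
    words = [w for w in pw.split() if len(w) >= 3]
    return len(words) >= MIN_PASSPHRASE_WORDS


def audit_ups(cfg: dict) -> list:
    """Check one UPS network-management configuration against the advisory's points."""
    findings = []
    # Management interfaces belong off the internet; a VPN in front is the fallback.
    if cfg["mgmt_interface"] == "internet" and not cfg.get("vpn_required", False):
        findings.append("CRITICAL: management interface reachable from the internet without a VPN")
    for acct in cfg["accounts"]:
        if (acct["username"], acct["password"]) in DEFAULT_CREDENTIALS:
            findings.append(f"CRITICAL: account '{acct['username']}' still uses a factory default credential")
        elif not password_is_strong(acct["password"]):
            findings.append(f"HIGH: account '{acct['username']}' has a weak password")
    if not cfg.get("mfa_enabled", False):
        findings.append("HIGH: multi-factor authentication is disabled")
    if cfg.get("login_timeout_minutes", 0) <= 0:
        findings.append("MEDIUM: no login timeout configured")
    if cfg.get("lockout_after_failures", 0) <= 0:
        findings.append("MEDIUM: no account lockout after failed logins")
    return findings


# Constructed sample: a card left as shipped and exposed on a public address ...
WEAK_CONFIG = {
    "mgmt_interface": "internet",
    "vpn_required": False,
    "accounts": [
        {"username": "admin", "password": "admin"},
        {"username": "ops", "password": "Winter22"},
    ],
    "mfa_enabled": False,
    "login_timeout_minutes": 0,
    "lockout_after_failures": 0,
}
# ... and the same card after the advisory's recommendations are applied.
HARDENED_CONFIG = {
    "mgmt_interface": "management_vlan",
    "vpn_required": True,
    "accounts": [
        {"username": "ops", "password": "correct horse battery staple rides"},
    ],
    "mfa_enabled": True,
    "login_timeout_minutes": 10,
    "lockout_after_failures": 5,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ups(cfg) or ["no findings"])
```

Run it across every UPS management card in the estate and treat any CRITICAL line as a same-day fix; the exposure check is the one that matters most, because a device that is unreachable from the internet cannot be brute-forced from it regardless of what password it carries.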
The report highlights how UPS vendors have increasingly incorporated a connection between these devices and the internet for power monitoring and routine maintenance purposes. This practice has made these systems vulnerable to potential attacks.
A prime example of hackers targeting UPS systems is the recently discovered set of APC UPS zero-day bugs. Known as TLStorm, three critical zero-day vulnerabilities opened the door for hackers to obtain admin access to devices made by APC, a subsidiary of an electrical company.
If successful, these attacks could severely impact governmental agencies, as well as health care and IT organizations, by burning out the devices and disabling the power source remotely.
The number of cyberattacks against crucial services has been trending upwards in recent years as cybercriminals progressively identify exploits. For example, cyberattacks against health care facilities almost doubled in 2020 compared to 2019.
It’s not just large organizations that are being targeted — online criminals stole nearly $7 billion from individuals in 2021 alone.
Apple and Meta handed over user data to hackers who faked emergency data request orders typically sent by law enforcement, according to a report by Bloomberg. The slip-up happened in mid-2021, with both companies falling for the phony requests and providing information about users’ IP addresses, phone numbers, and home addresses.
Law enforcement officials often request data from social platforms in connection with criminal investigations, allowing them to obtain information about the owner of a specific online account. While these requests require a subpoena or search warrant signed by a judge, emergency data requests don’t — and are intended for cases that involve life-threatening situations.
Fake emergency data requests are becoming increasingly common, as explained in a recent report from Krebs on Security. During an attack, hackers must first gain access to a police department’s email systems. The hackers can then forge an emergency data request that describes the potential danger of not having the requested data sent over right away, all while assuming the identity of a law enforcement official. According to Krebs, some hackers are selling access to government emails online, specifically with the purpose of targeting social platforms with fake emergency data requests.
As Krebs notes, the majority of bad actors carrying out these fake requests are actually teenagers — and according to Bloomberg, cybersecurity researchers believe the teen mastermind behind the Lapsus$ hacking group could be involved in conducting this type of scam. London police have since arrested seven teens in connection with the group.
But last year’s string of attacks may have been performed by the members of a cybercriminal group called Recursion Team. Although the group has disbanded, some of them have joined Lapsus$ with different names. Officials involved in the investigation told Bloomberg that hackers accessed the accounts of law enforcement agencies in multiple countries and targeted many companies over the course of several months starting in January 2021.
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Andy Stone, Meta’s policy and communications director, said in an emailed statement to The Verge. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
When asked for comment, Apple directed The Verge to its law enforcement guidelines, which state: “If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”
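The guidelines quoted from Apple and Meta describe the two controls that defeat a forged request from a hijacked police mailbox: refuse requests from sender accounts already known to be compromised, and confirm every emergency request out of band with a supervisor reached at a number the provider already holds, not one written in the email. The desk below is an added example, not Apple’s, Meta’s or Discord’s code; the agency registry, the compromised-sender list and the request contents are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed registry of agencies the provider has independently verified, keyed
# by sending domain. The callback number comes from here, never from the message.
AGENCY_REGISTRY = {
    "police.example.gov": {"name": "Example City Police", "callback": "+1-555-0100"},
}
# Constructed list of agency accounts reported as compromised.
COMPROMISED_SENDERS = {"officer.lee@police.example.gov"}


@dataclass
class EmergencyRequest:
    request_id: str
    sender_email: str
    claimed_callback: str   # number written in the email body; untrusted
    target_account: str
    justification: str


@dataclass
class Decision:
    status: str             # "rejected", "pending_callback" or "approved"
    reasons: list = field(default_factory=list)
    callback_number: Optional[str] = None


class EmergencyRequestDesk:
    """Holds every emergency request until a supervisor confirms it on a registry number."""

    def __init__(self, registry: dict, compromised: set):
        self.registry = registry
        self.compromised = compromised
        self.pending = {}

    def triage(self, req: EmergencyRequest) -> Decision:
        domain = req.sender_email.rsplit("@", 1)[-1].lower()
        agency = self.registry.get(domain)
        if agency is None:
            return Decision("rejected", ["sender domain is not a registered agency"])
        if req.sender_email.lower() in self.compromised:
            return Decision("rejected", ["sender account is flagged as compromised"])
        reasons = []
        if req.claimed_callback != agency["callback"]:
            # A mismatch is itself a signal, but the registry number is dialled either way.
            reasons.append("callback number in the email differs from the registry; registry number used")
        self.pending[req.request_id] = req
        return Decision("pending_callback", reasons, callback_number=agency["callback"])

    def confirm(self, request_id: str, confirmed_by_supervisor: bool) -> Decision:
        req = self.pending.pop(request_id, None)
        if req is None:
            return Decision("rejected", ["no such pending request"])
        if not confirmed_by_supervisor:
            return Decision("rejected", ["supervisor did not confirm the request"])
        return Decision("approved")


def run_sample():
    """Constructed requests: a genuine one, one from a hijacked mailbox, one from nowhere."""
    desk = EmergencyRequestDesk(AGENCY_REGISTRY, COMPROMISED_SENDERS)
    genuine = EmergencyRequest("r1", "sgt.ramos@police.example.gov", "+1-555-0199", "acct-42", "missing person")
    hijacked = EmergencyRequest("r2", "officer.lee@police.example.gov", "+1-555-0100", "acct-43", "imminent threat")
    unknown = EmergencyRequest("r3", "anyone@mail.example.com", "+1-555-0100", "acct-44", "imminent threat")
    first = desk.triage(genuine)
    return [first.status, desk.confirm("r1", True).status, desk.triage(hijacked).status, desk.triage(unknown).status]


if __name__ == "__main__":
    print(run_sample())
```

Nothing is released at `pending_callback`; the data leaves only after `confirm` records the supervisor’s answer, and a mismatched callback number in the message is logged rather than trusted, which is exactly the detail a forger relies on.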
Meta and Apple aren’t the only known companies affected by fake emergency data requests. Bloomberg says hackers also contacted Snap with a forged request, but it’s not clear if the company followed through. Krebs on Security’s report also includes a confirmation from Discord that the platform gave away information in response to one of these fake requests.
“This tactic poses a significant threat across the tech industry,” Peter Day, Discord’s group manager for corporate communications said in an emailed statement to The Verge. “We are continuously investing in our Trust & Safety capabilities to address emerging issues like this one.”
Snap didn’t immediately respond to a request for comment from The Verge.
Update March 30th 9:24PM ET: Updated to include a statement from a Discord spokesperson.