Categories
Security

Latest LAPSUS$ victims include Facebook, DHL in massive hack

Hacking group LAPSUS$ has revealed its latest target: Globant, an IT and software development company whose clientele includes the likes of technology giant Facebook.

In a Telegram update in which the hackers declared they were “back from a vacation” (possibly a reference to the arrest of alleged members of the group in London), LAPSUS$ stated that it had acquired 70GB of data in the breach.

Not only does the group appear to have obtained sensitive information belonging to several large organizations, it has also released the entire 70GB via a torrent link.

As reported by Computing, the group shared evidence of the hack in the form of an image showing folders named after Facebook, DHL, Stifel, and C-Span, among others.

Although there is a folder titled “apple-health-app,” it is not directly related to the iPhone maker.

Instead, The Verge points out that the data it contains is associated with Globant’s BeHealthy app, which was developed in partnership with Apple because it relies on the Apple Watch.

Meanwhile, LAPSUS$ posted an additional message on its Telegram group listing passwords for Globant’s system administrators and for the company’s DevOps platforms. Vx-underground, which has been documenting the group’s recent hacks, confirmed that the passwords are extremely weak.

LAPSUS$ also threw their System Admins under the bus exposing their passwords to confluence (among other things). We have censored the passwords they displayed. However, it should be noted these passwords are very easily guessable and used multiple times… pic.twitter.com/gT7skg9mDw

— vx-underground (@vxunderground) March 30, 2022

Notably, login credentials for one of those platforms seemingly offered access to “3,000 spaces of customer documents.”
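As an added illustration, not code from the article, from Globant or from vx-underground: the two properties the tweet above calls out, guessability (presence in public breach corpora) and reuse across accounts, can be audited without the plaintext passwords ever leaving the host. The breach check follows the k-anonymity range-query scheme used by Have I Been Pwned’s Pwned Passwords API (only the first five hex characters of the SHA-1 hash are sent; the remaining suffix is compared locally). The network lookup is replaced by a constructed in-memory corpus so the script runs offline; the account names, passwords and hit counts are all made up.

```python
"""Audit a set of credentials for breached and reused passwords.

Added example; not the article's, Globant's or vx-underground's code.
The breach check mirrors the k-anonymity scheme of the Pwned Passwords
API (GET https://api.pwnedpasswords.com/range/<first 5 SHA-1 hex chars>),
but the HTTP call is replaced by a constructed local corpus so this runs
offline. All names, passwords and counts below are made up.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict

# Constructed stand-in for the public breach corpus: password -> times seen.
_BREACH_CORPUS = {"Password1": 2_000_000, "Welcome1": 500_000, "Summer2021!": 12}


def _range_lookup(prefix: str) -> list[str]:
    """Simulate the range endpoint: return '<35-hex-suffix>:<count>' lines for
    every corpus hash whose uppercase SHA-1 starts with the 5-char prefix."""
    lines = []
    for pw, count in _BREACH_CORPUS.items():
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return lines


def breach_count(password: str) -> int:
    """Times the password appears in the corpus, or 0.

    Only the 5-character prefix is handed to the lookup (the part that would
    go over the network); the remaining 35 characters are matched locally, so
    the service never learns the full hash, let alone the password."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in _range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def reuse_groups(creds: dict[str, str]) -> list[list[str]]:
    """Groups of two or more accounts sharing one password.

    Accounts are grouped by a SHA-256 fingerprint of the password so the
    report itself never contains plaintext."""
    by_fingerprint: dict[str, list[str]] = defaultdict(list)
    for account, password in creds.items():
        by_fingerprint[hashlib.sha256(password.encode()).hexdigest()].append(account)
    return sorted(group for group in by_fingerprint.values() if len(group) > 1)


def audit(creds: dict[str, str]) -> dict:
    """Combined report: breached passwords per account and reuse groups."""
    counts = {account: breach_count(pw) for account, pw in creds.items()}
    return {
        "breached": {a: c for a, c in counts.items() if c},
        "reused": reuse_groups(creds),
    }


# Constructed sample: three hypothetical admin accounts, two sharing a
# password that is also in the breach corpus.
SAMPLE_CREDS = {
    "confluence-admin": "Password1",
    "jenkins-admin": "Password1",
    "gitlab-admin": "correct horse battery staple 7!",
}

if __name__ == "__main__":
    print(audit(SAMPLE_CREDS))
```

To run this against the real corpus, replace `_range_lookup` with an HTTPS GET of the range URL named in the docstring; the endpoint also accepts an `Add-Padding: true` request header so that response size does not reveal how many hashes share the prefix. The reuse check is the one a platform owner can run on their own credential store, which is exactly the kind of store the leak above came from.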

Following the Telegram message and subsequent leak on March 30, Globant itself confirmed it was compromised in a press release.

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access. We have activated our security protocols and are conducting an exhaustive investigation.

According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected.

We are taking strict measures to prevent further incidents.”

Earlier in March, seven alleged members of the group, reportedly aged 16 to 21, were arrested in London before being released pending further investigation. According to reports, the alleged ringleader, a 16-year-old from Oxford, U.K., has also been outed by rival hackers and researchers. “Our inquiries remain ongoing,” City of London Police stated.

Security researchers have suggested other members of LAPSUS$ could be based out of South America.

Hacking scene’s newcomer causing a lot of noise

LAPSUS$ has built its reputation in an extremely short span of time.

Remarkably, most of its intrusions appear to begin with nothing more than weak passwords on accounts belonging to engineers at large companies. The group itself stresses this repeatedly in its Telegram updates.

It is understandable when a home user is compromised because of a weak password, but these are not individuals. LAPSUS$ has infiltrated some of the world’s largest technology companies without, apparently, needing complicated or sophisticated hacking methods.

Weak passwords are being abused beyond account takeover, too: hackers are reportedly exploiting weak passwords that leave a PC’s own power supply open to attack, potentially causing it to burn up and start a fire. With this in mind, be sure to strengthen your passwords.

LAPSUS$ has already leaked source code for Microsoft’s Cortana and Bing search engine. That incident was preceded by a massive 1TB Nvidia hack. Other victims include Ubisoft, as well as the more recent breach of Okta, which prompted the latter to issue a statement acknowledging a mistake in how it reported the situation.

Repost: Original Source and Author Link


Lapsus$ hackers breached T-Mobile’s systems and stole its source code

The Lapsus$ hacking group stole T-Mobile’s source code in a series of breaches that took place in March, as first reported by Krebs on Security. T-Mobile confirmed the attack in a statement to The Verge, and says the “systems accessed contained no customer or government information or other similarly sensitive information.”

In copies of private messages obtained by Krebs, the Lapsus$ hacking group discussed targeting T-Mobile in the week prior to the arrest of seven of its teenage members. After purchasing employees’ credentials online, the members could use the company’s internal tools — like Atlas, T-Mobile’s customer management system — to perform SIM swaps. This type of attack involves hijacking a target’s mobile phone by transferring its number to a device owned by the attacker. From there, the attacker can obtain texts or calls received by that person’s phone number, including any messages sent for multi-factor authentication.
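Added example, not T-Mobile’s monitoring logic (the article does not describe its internal tools, log schema or detection rules): one behavioural rule for the chain the paragraph describes. A purchased credential is valid, so a password or lockout check will not catch it; what does stand out is a successful sign-in from a network the account has never used, followed in the same session by a high-impact action such as a number transfer. The event format, ASN values, user names and 30-day network baseline below are all constructed.

```python
"""Flag sessions where a successful sign-in from a never-before-seen network
is followed by a high-impact action (SIM swap, port-out, MFA reset).

Added example; not T-Mobile's code. Field names, ASNs, users and the
per-user network baseline are constructed for illustration.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Actions an attacker holding a stolen support credential is after (assumed set).
SENSITIVE_ACTIONS = {"sim_swap", "port_out", "mfa_reset"}

# Constructed 30-day baseline: networks (ASNs) each user has signed in from.
KNOWN_NETWORKS = {"alice": {"AS7018"}, "bob": {"AS22394"}}

# Constructed events, oldest first. Timestamps are ISO 8601 UTC.
SAMPLE_EVENTS = [
    {"ts": "2022-03-18T09:01:00Z", "user": "alice", "session": "s1",
     "type": "login", "result": "success", "asn": "AS7018"},
    {"ts": "2022-03-18T09:05:00Z", "user": "alice", "session": "s1",
     "type": "action", "action": "view_account"},
    # bob signs in from a new network and swaps a SIM one minute later
    {"ts": "2022-03-18T22:40:00Z", "user": "bob", "session": "s2",
     "type": "login", "result": "success", "asn": "AS9009"},
    {"ts": "2022-03-18T22:41:00Z", "user": "bob", "session": "s2",
     "type": "action", "action": "sim_swap", "target": "+15550001234"},
    # failed login from the same new network: no session, so no alert
    {"ts": "2022-03-18T22:50:00Z", "user": "bob", "session": "s3",
     "type": "login", "result": "failure", "asn": "AS9009"},
]


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_networks, window=timedelta(hours=1)):
    """Return one alert per sensitive action whose session began with a
    successful login from an ASN outside the user's baseline, provided the
    action happened within `window` of that login."""
    new_network_logins = {}  # session id -> login event from an unknown ASN
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "login" and e["result"] == "success":
            if e["asn"] not in known_networks.get(e["user"], set()):
                new_network_logins[e["session"]] = e
        elif e["type"] == "action" and e.get("action") in SENSITIVE_ACTIONS:
            login = new_network_logins.get(e["session"])
            if login is None:
                continue
            if _parse_ts(e["ts"]) - _parse_ts(login["ts"]) <= window:
                alerts.append({
                    "user": e["user"],
                    "session": e["session"],
                    "login_asn": login["asn"],
                    "action": e["action"],
                    "ts": e["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_NETWORKS):
        print(alert)
```

The rule deliberately requires both signals: a new-network login on its own is routine for a mobile workforce, and a SIM swap on its own is a legitimate support task. Once an analyst confirms a new network is benign, adding it to the baseline stops the repeat alerts; the `mfa_reset` entry is there because resetting a victim’s second factor is the usual follow-on to a number transfer.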

According to screenshotted messages posted by Krebs, Lapsus$ hackers also attempted to crack into the FBI and Department of Defense’s T-Mobile accounts. They were ultimately unable to do so, as additional verification measures were required.

“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” T-Mobile said in an emailed statement to The Verge. “Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”

T-Mobile has been the victim of several attacks over the years. Although this particular hack didn’t affect customers’ data, past incidents did. In August 2021, a breach exposed the personal information belonging to over 47 million customers, while another attack occurring just months later compromised “a small number” of customer accounts.

Lapsus$ has made a name for itself as a hacking group that primarily targets the source code of large technology companies, like Microsoft, Samsung, and Nvidia. The group, which is reportedly led by a teenage mastermind, has also targeted Ubisoft, Apple Health partner Globant, and authentication company Okta.


Okta ends Lapsus$ hack investigation, says breach lasted just 25 minutes

Three months after authentication platform Okta was breached by hacking group Lapsus$, the company has concluded its internal investigation after finding that the impact was less serious than initially believed.

In a blog post published Tuesday, Okta’s chief security officer David Bradbury noted that the company had been transparent by sharing details of the hack soon after it was discovered but that further analysis had downgraded early assessments of the potential scope.

“As a result of the thorough investigation of our internal security experts, as well as a globally recognized cybersecurity firm whom we engaged to produce a forensic report, we are now able to conclude that the impact of the incident was significantly less than the maximum potential impact Okta initially shared on March 22, 2022,” Bradbury wrote.

Hackers from the Lapsus$ hacker group compromised Okta’s systems on January 21st by gaining remote access to a machine belonging to an employee of Sitel, a company subcontracted to provide customer service functions for Okta. Details of the hack emerged two months later when a member of Lapsus$ shared screenshots of Okta’s internal systems in a Telegram channel — an incident that Bradbury labeled “an embarrassment” for the Okta security team.

More than an embarrassment, the breach was especially worrying because of Okta’s role as an authentication hub managing access to numerous other technology platforms. For companies using enterprise software like Salesforce, Google Workspace, or Microsoft Office 365, Okta can provide a single point of secure access, letting administrators control how, when, and where users log on. In a worst-case scenario, that same position could give a hacker access to a company’s entire software stack at once.

In a briefing with press and customers held in March, Bradbury said that the company’s security protocols had limited the hackers’ access to internal systems, a statement that seems to have been borne out by the final investigation.

While Okta’s early report concluded that the maximum period of unauthorized access was no more than five days, the recent forensic report found that the access period was actually just 25 minutes. And where the previous impact assessment capped the maximum number of organizations affected at 366, the new report found that only two Okta customers’ authentication systems had been accessed.

During this brief access period, Lapsus$ had not been able to authenticate directly to any customer accounts or make configuration changes, Okta said.

In light of the forensic report, Okta’s handling of the breach seems to have been done in accordance with best practices for disclosure and response, although the company’s reputation may still have taken a hit.

“While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta,” Bradbury said.


Microsoft confirms Lapsus$ hackers stole source code via ‘limited’ access

The hacking group Lapsus$, known for claiming to have hacked Nvidia, Samsung, and more, this week claimed it has even hacked Microsoft. The group posted a file that it claimed contains partial source code for Bing and Cortana in an archive holding nearly 37GB of data.

On Tuesday evening, after investigating, Microsoft confirmed the group that it calls DEV-0537 compromised “a single account” and stole parts of source code for some of its products. A blog post on its security site says Microsoft investigators have been tracking the Lapsus$ group for weeks, and details some of the methods they’ve used to compromise victims’ systems. According to the Microsoft Threat Intelligence Center (MSTIC), “the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

Microsoft maintains that exposure of the code does not raise its level of risk, and that its response teams shut the hackers down mid-operation.

Lapsus$ has been on a tear recently if its claims are to be believed. The group says it’s had access to data from Okta, Samsung, and Ubisoft, as well as Nvidia and now Microsoft. While companies like Samsung and Nvidia have admitted their data was stolen, Okta pushed back against the group’s claims that it has access to its authentication service, claiming that “The Okta service has not been breached and remains fully operational.”

Microsoft:

This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.

Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.

This isn’t the first time Microsoft has said it assumes attackers will access its source code; it said the same thing after the SolarWinds attack. Lapsus$ also claims that it only got around 45 percent of the code for Bing and Cortana, and around 90 percent of the code for Bing Maps. The latter feels like a less valuable target than the other two, even if Microsoft were worried about its source code revealing vulnerabilities.

In its blog post, Microsoft outlines a number of steps other organizations can take to improve their security, including requiring multifactor authentication, not using “weak” multifactor authentication methods like text messages or secondary email, educating team members about the potential for social engineering attacks, and creating processes for potential responses to Lapsus$ attacks. Microsoft also says that it’ll keep tracking Lapsus$, keeping an eye on any attacks it carries out on Microsoft customers.


A teen is reportedly the mastermind behind the Lapsus$ hacking group

In recent weeks, the Lapsus$ hacking group has taken credit for accessing company data from Nvidia, Samsung, Ubisoft, Okta, and even Microsoft, and according to a new Bloomberg report, an England-based teenager might be the person heading up the operation.

“Four researchers investigating the hacking group Lapsus$, on behalf of companies that were attacked, said they believe the teenager is the mastermind,” Bloomberg said. However, the teenager, who apparently uses the online aliases “White” and “breachbase,” has not been accused by law enforcement, and the researchers “haven’t been able to conclusively tie him to every hack Lapsus$ has claimed,” Bloomberg said.

The teenager is apparently based about five miles outside of Oxford University, and Bloomberg says it was able to speak to his mother for ten minutes through a “doorbell intercom system” at the home. The teenager’s mother told the publication she did not know of allegations against him. “She declined to discuss her son in any way or make him available for an interview, and said the issue was a matter for law enforcement and that she was contacting the police,” Bloomberg said.

Lapsus$ apparently doesn’t just consist of the England-based teenager, though. Bloomberg reports that one suspected member is another teenager in Brazil and that seven unique accounts have been linked with the group. One of the members is apparently such a capable hacker that researchers thought the work was automated, one person involved in research about the group told Bloomberg.

According to cybersecurity expert Brian Krebs, a core member of Lapsus$, who may have used the aliases “Oklaqq” and “WhiteDoxbin,” also purchased Doxbin, a website where people can post or search for the personal information of others for the purposes of doxing. This WhiteDoxbin individual apparently wasn’t the best admin and had to sell the site back to its previous owner, but leaked “the entire Doxbin data set,” which led to the Doxbin community doxing WhiteDoxbin, “including videos supposedly shot at night outside his home in the United Kingdom,” Krebs reported.

Krebs also reports that this person may have been behind the EA data breach that took place last year. What may connect the person described by Bloomberg with the one described by Krebs is the alias “breachbase.”

From Krebs:

Back in May 2021, WhiteDoxbin’s Telegram ID was used to create an account on a Telegram-based service for launching distributed denial-of-service (DDoS) attacks, where they introduced themself as “@breachbase.” News of EA’s hack last year was first posted to the cybercriminal underground by the user “Breachbase” on the English-language hacker community RaidForums, which was recently seized by the FBI.

The full picture surrounding Lapsus$ is still murky, but I strongly urge you to read both Bloomberg and Krebs’ reports to learn more about what may be going on.


Seven teenagers arrested in connection with the Lapsus$ hacking group

City of London Police have arrested seven teenagers due to their suspected connections with a hacking group that is believed to be the recently prolific Lapsus$ group, BBC News reports.

“The City of London Police has been conducting an investigation with its partners into members of a hacking group,” Detective Inspector Michael O’Sullivan of the City of London Police said in a statement to The Verge. “Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.”

Lapsus$ has taken responsibility for some major security breaches at tech companies, including Nvidia, Samsung, Ubisoft, Okta, and Microsoft. On Wednesday, reports surfaced indicating an Oxford-based teenager is the mastermind of the group. City of London Police did not say if this teenager was among those arrested.

At least one member of Lapsus$ was also apparently involved with a data breach at EA, cybersecurity expert Brian Krebs reported on Wednesday in an extensive article about the group. Vice corroborated the group’s involvement in that breach in its own article on Thursday, noting that it was “emblematic of Lapsus$’s subsequent and massive hacks.”

The suspected mastermind’s identity was apparently revealed by angry customers doxing him. According to Krebs’ report, the group’s leader purchased Doxbin, a site where people can share or find personal information on others, last year, but was a poor owner of the site. He apparently gave up control in January but leaked “the entire Doxbin data set” to Telegram, and the Doxbin community retaliated by doxing him.

BBC News says it spoke to the teenager’s father, who was apparently unaware of his involvement with the group. “I had never heard about any of this until recently. He’s never talked about any hacking, but he is very good on computers and spends a lot of time on the computer,” the father said, according to BBC News. “I always thought he was playing games. We’re going to try to stop him from going on computers.”

Update March 24th, 12:05PM ET: Added City of London Police statement and additional context about the group.


Lapsus$ gang claims new hack with data from Apple Health partner

After a short “vacation,” the Lapsus$ hacking gang is back. In a post shared through the group’s Telegram channel on Wednesday, Lapsus$ claimed to have stolen 70GB of data from Globant — an international software development firm headquartered in Luxembourg, which boasts some of the world’s largest companies as clients.

Screenshots of the hacked data, originally posted by Lapsus$ and shared on Twitter by security researcher Dominic Alvieri, appeared to show folders bearing the names of a range of global businesses: among them were delivery and logistics company DHL, US cable network C-Span, and French bank BNP Paribas.

Also in the list were tech giants Facebook and Apple, with the latter referred to in a folder titled “apple-health-app.” The data appears to be development material for Globant’s BeHealthy app, described in a prior press release as software developed in partnership with Apple to track employee health behaviors using features of the Apple Watch. Apple did not respond to a request for comment at time of publication.

Globant acknowledged the hack in a press release later the same day. “According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients,” the company said. “To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected.”

On Telegram, Lapsus$ shared a torrent link to the allegedly stolen data with a message announcing, “We are officially back from a vacation.”

If confirmed, the leak would show a swift return to activity after seven suspected members of Lapsus$ were arrested by British police less than a week ago.

The arrests, first reported on March 24th by BBC News, were carried out by City of London Police after a yearlong investigation into the alleged ringleader of the gang, who is believed to be a teenager living with his parents in Oxford. On the other side of the Atlantic, the FBI is also seeking information on Lapsus$ related to the breach of US companies.

The Lapsus$ gang has been remarkably prolific in the range and scale of companies it has breached, having previously extracted data from a number of well-known technology companies, including Nvidia, Samsung, Microsoft, and Vodafone.

Most recently, Lapsus$ was in the spotlight for a hack affecting the authentication platform Okta, which put thousands of businesses on high alert against subsequent breaches. The latter hack has been an embarrassment for a company that provides security services to other businesses and led to criticism of Okta for a slow disclosure.

Correction, 1:38PM ET: A previous version of this post overstated the connection between the breached data and Apple. The data labelled as “apple-health” was not data from Apple itself, but from an app developed in partnership with Apple. The Verge regrets the error.

Update 5:25 PM ET: Added statement from Globant.
