Just when it looked like a tired hacker stereotype was fading, it seems that a teenager orchestrated Lapsus$ attacks against high-profile targets like Microsoft and Nvidia—all from the comfort of the home he shares with his mother in Oxford, England.
Security researchers hunting the Lapsus$ ransomware gang told Bloomberg they believed the 16-year-old mastermind, who goes by “White” or “breachbase” online and reportedly executes attacks at lightning speed, was behind what Microsoft earlier this week called a “large-scale social engineering and extortion campaign against multiple organizations,” luring insiders at those companies to participate in the schemes.
Microsoft, Nvidia and Okta have all reported being targets recently, with the incident against the latter sounding the loudest alarm. “This attack could very well be the next big supply chain attack (T1195.002), with a similar impact to the SolarWinds attack; only time will tell,” said Liran Ravich, cybersecurity architect at CardinalOps. Ravich warned that “in the meantime, Okta administrators and SOC analysts should make sure to monitor for any suspicious activity and follow the news.”
Insider Risks and External Threats
Internal threats turning into external threats is a growing trend. “This is a dangerous and emerging situation where, rather than through some combination of blackmail, patriotism and financial incentives, the Lapsus$ ransomware group has determined that the financial incentive is significant enough to ‘turn’ an insider,” said Saryu Nayyar, CEO and founder of Gurucul.
Recruiting those insiders to steal “sensitive data and execut[e] ransomware, with this combined impact being referred to as a ‘double extortion’ campaign, can be extraordinarily difficult to detect for most XDR and SIEM solutions because they lack the analytics and machine learning models to identify both internal and external malicious activity as being part of the same attack,” she said.
The Lapsus$ group apparently made its way into Okta, the prominent identity services firm, through the account of a customer service worker at a third-party company.
“Attackers attack Microsoft and Okta because they know the value of identity. Identity—not apps, not servers, not devices—is the important component in the cybersecurity world,” said Rajiv Pimplaskar, CEO at Dispersive Holdings, Inc. “It is amazing that so many companies still use the ‘required access reviewed—required’ option in so many compliance measures (SOX, SOC2, HIPAA/HITRUST, ISO 27001, PCI-DSS, CMMC) as a check box. Identities, especially the privileged ones, should be checked not only monthly but in real-time on changes.”
Lapsus$ Doesn’t Fly Under the Radar
The ransomware gang, which is also believed to include a teenager in Brazil, has published source code and internal documents taken from its victims, and the attackers have been upfront about their operations.
“Unlike most activity groups that stay under the radar,” Lapsus$—or as Microsoft calls it, DEV-0537—“doesn’t seem to cover its tracks,” the company said.
Instead, “they go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations. DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail and health care sectors,” Microsoft said.
“In a few months’ time, Lapsus$ has widened its target base and increased its sophistication. More recently, Lapsus$ has expanded their targets beyond specific industry verticals or specific countries or regions,” said Pratik Savia, security engineer at Venafi. “This makes it harder for analysts to predict which company is most at risk next. This is likely an intentional move to keep everyone guessing because these tactics have served the attackers well so far.”
“Compromised machine identities lead to source code leaks,” said Savia. “Attackers have abused machine identities to establish hidden or concealed encrypted communication channels and gain privileged access to data and resources.”