UK Police Arrest Seven Allegedly Tied to Lapsus$ Hackers


Lapsus$ Claimed Responsibility for Many Hacks, Including Okta and Microsoft

Photo: City of London Police

Police in London say they’ve arrested seven people tied to the Lapsus$ hacking group, which has claimed responsibility for data breaches against Okta, Microsoft, Nvidia, Ubisoft and more.


The names of those arrested were not released, but police say they range in age from 16 to 21. Security researchers have pointed to a 16- or 17-year-old boy living in the U.K. as the possible leader of Lapsus$, but it wasn’t clear whether he was among those arrested.

Earlier this year, the boy’s identity details and those of his immediate family members were released in a “doxxing” attack, the term for publicly releasing private personal information online as revenge. Since then, his name has repeatedly surfaced on social media, as it appears others held a grudge against him.

Information Security Media Group is not identifying him by either his name or his online nicknames because he appears to be a minor and it’s unclear if he has been charged. Efforts to reach the boy via email were unsuccessful.

A screenshot from the website where the alleged leader of Lapsus$’s personal information was released.

The arrests cap off what has been an increasingly intense hacking spree conducted by Lapsus$. It culminated with the disclosure earlier this week of an attack in January that compromised data belonging to more than 300 customers of Okta, the popular identity and access management vendor.

The group quickly came under the scrutiny of security researchers, who noticed that it did not have great operational security. Operational security is the term for carefully masking the digital clues that could lead investigators to unravel a breach or hack and discover real-world identities.

In fact, law enforcement was informed about the 16- or 17-year-old boy’s activities mid-year last year, around the time that Electronic Arts saw source code released, says Allison Nixon, chief research officer with Unit 221b, a cybersecurity consultancy.

Nixon says Unit 221b has collaborated with Palo Alto Networks and other unnamed security partners to investigate Lapsus$’s activity. Between that collaboration and the group’s poor operational security, researchers are confident in their assessments, Nixon says.

Lapsus$: New and Potent

Surfacing last year, Lapsus$ swiftly generated attention by publicly dumping stolen data, extorting companies and openly offering to pay for information that helped them breach companies.

The group is believed to have a connection to Brazil since some of its public posts are in Portuguese and some of its hacking targets are in the country.

But the group’s activity intensified earlier this month with a series of releases of sensitive data. On March 5, Lapsus$ released source code belonging to Samsung. It then dumped data belonging to LG. The group usually posts its data breach dumps to a Telegram channel, where it is often seen mocking and threatening its victims.

Just in the last week, Lapsus$ released source code belonging to Microsoft’s Bing and Cortana, the company’s voice assistant. The final data release pertained to Okta, the identity and authentication company whose software is used by thousands of enterprises to manage user identities.

The scope of that breach is still under investigation. Okta says the attackers gained access to the laptop of a customer support engineer who worked for Sykes, a customer care company used by Okta that is now owned by Sitel. The access was achieved using RDP, short for Remote Desktop Protocol, Okta has said.

During a five-day period in January, Okta says, the attackers could have viewed and acted upon data, including resetting passwords and multifactor authentication for affected customers. The company reported that 366 customers were affected.
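The kind of after-the-fact review that such a window of access calls for, as an added example that is not part of the original article and is not Okta’s or Sitel’s own tooling: a short Python script that scans administrative audit events for a support account that resets passwords or MFA factors across an unusual number of distinct customer tenants within a short period. The event format, account names, tenant names, timestamps and thresholds are all constructed for illustration and are not any vendor’s real log schema.

```python
"""Flag support/admin accounts that reset passwords or MFA factors for an
unusual number of distinct customer tenants within a sliding time window.

Constructed example. The JSON-lines event format below is invented for
illustration and is not Okta's or any other vendor's real audit-log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample audit events (not real data). One JSON object per line:
# who acted, what they did, which customer tenant it touched, and when (UTC).
SAMPLE_EVENTS = """
{"actor": "support-eng-01", "action": "user.password.reset", "tenant": "acme", "ts": "2022-01-16T09:12:00Z"}
{"actor": "support-eng-01", "action": "user.mfa.factor.reset", "tenant": "globex", "ts": "2022-01-16T09:14:00Z"}
{"actor": "support-eng-01", "action": "user.password.reset", "tenant": "initech", "ts": "2022-01-16T09:20:00Z"}
{"actor": "support-eng-01", "action": "user.mfa.factor.reset", "tenant": "umbrella", "ts": "2022-01-16T09:25:00Z"}
{"actor": "support-eng-02", "action": "user.password.reset", "tenant": "acme", "ts": "2022-01-16T10:00:00Z"}
{"actor": "support-eng-02", "action": "user.session.start", "tenant": "acme", "ts": "2022-01-16T10:01:00Z"}
{"actor": "support-eng-01", "action": "user.password.reset", "tenant": "acme", "ts": "2022-01-18T11:00:00Z"}
"""

# Actions that let a support account take over a customer's user (assumed names).
SENSITIVE_ACTIONS = {"user.password.reset", "user.mfa.factor.reset"}


def parse_events(text):
    """Parse JSON-lines audit events into dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_reset_bursts(events, window=timedelta(hours=1), min_tenants=3):
    """Return {actor: [(window_end, sorted_tenants), ...]}.

    An entry is recorded at every sensitive event after which the actor has
    touched at least `min_tenants` distinct tenants within the preceding
    `window`. A single tenant reset many times is not flagged; breadth across
    tenants is the signal a support account should rarely show.
    """
    by_actor = defaultdict(list)
    for event in events:
        if event["action"] in SENSITIVE_ACTIONS:
            by_actor[event["actor"]].append(event)

    alerts = defaultdict(list)
    for actor, actor_events in by_actor.items():
        actor_events.sort(key=lambda e: e["ts"])
        for i, current in enumerate(actor_events):
            window_start = current["ts"] - window
            tenants = {
                e["tenant"] for e in actor_events[: i + 1] if e["ts"] >= window_start
            }
            if len(tenants) >= min_tenants:
                alerts[actor].append((current["ts"], sorted(tenants)))
    return dict(alerts)


if __name__ == "__main__":
    for actor, hits in find_reset_bursts(parse_events(SAMPLE_EVENTS)).items():
        for window_end, tenants in hits:
            print(f"{actor}: {len(tenants)} tenants reset by {window_end:%Y-%m-%d %H:%M}: {tenants}")
```

On the constructed sample, `support-eng-01` is flagged twice within the 09:00 hour (at the third and fourth distinct tenant), while `support-eng-02`, who reset a single tenant, and the same engineer’s isolated reset two days later are not. In practice the window and threshold should be tuned to the observed baseline of each support role, and consecutive hits for one actor collapsed into a single alert before paging anyone.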

Okta has come under increasing criticism as to why the incident wasn’t disclosed earlier, but the company maintains it only received a summary of the forensic report from Sitel on March 17. Contacted on Thursday, Sitel says it is still investigating the breach, along with an outside firm, but contained the incident quickly. The company did not answer further questions.

“As a result of the investigation, along with our ongoing assessment of external threats, we are confident there is no longer a security risk,” Sitel says. “We are unable to comment on our relationship with any specific brands or the nature of the services we provide for our clients.”

Sitel’s Sykes branch, which it acquired for $2.2 billion last year, provides or has provided services for a range of companies including Apple, PayPal, Cisco, DocuSign, Splunk and Dell.

Skilled At Social Engineering

Microsoft published an extensive blog post describing the group, which it calls DEV-0537, and its techniques. According to the blog post, Lapsus$ uses a range of tricks to access credentials and move around in systems.

Lapsus$ was known for “living off the land,” the term for using native operating system tools to probe systems. Using those tools makes it more difficult to detect exploitation activity. It was also highly skilled in using social engineering techniques.

To gain initial access, the group would deploy several tactics, according to Microsoft. The group used various techniques to compromise accounts, including deploying the Redline password stealer, buying credentials in underground markets, paying employees of targeted organizations for credentials or MFA codes, and searching out exposed credentials.

Microsoft says that members of the group would also call customer support lines after gathering information about company employees. Also, Lapsus$ openly bragged about its exploits.

“Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks,” the blog reads, adding that the group was particularly vocal about its attacks on social media.
