Lapsus$: The teenager-run cybercriminal gang targeting Fortune 500 companies.
Earlier this week, IT giant Microsoft and identity management firm Okta reported that their organizations had suffered data breaches from Lapsus$. Lapsus$ is a relatively new hacking group, with indications of its activity first reported against Samsung and NVIDIA at the end of 2021. The hacking group announced on a Telegram channel on March 22nd, 2022, that it had stolen source code from Microsoft and would publish screenshots of its exploit to show its capabilities to the public. Microsoft quickly rebutted this claim in a blog post detailing the suspicious activity:
“The activity we have observed is attributed to a group of threats tracked by Microsoft as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. DEV-0537 began attacking organizations in the United Kingdom and South America, but expanded to global targets, including organizations in the government, technology, telecommunications, media, retail, and healthcare sectors. DEV-0537 has also been known to hijack individual user accounts on marketplaces to loot accounts.”
Okta Data Breach:
While this statement shows Microsoft was able to mitigate the damage caused by Lapsus$, how have other targets fared in their defense against this cybercriminal operation? Identity and access management company Okta is a familiar name for many in the business world. Its suite of products allows companies to monitor user activity across their networks remotely and escalate access privileges as necessary. Unfortunately, this company, known for strengthening security practices in customer environments, ran into a nightmare scenario when it found itself in the sights of the Lapsus$ hacking group.
On Monday, March 21, 2022, Lapsus$ posted screenshots of Okta’s internal apps and systems, boasting of its ability to circumvent the tech giant’s inner defenses. The screenshots depict an ongoing hacking operation that persisted inside Okta’s environment through most of January 2022. Lapsus$ first gained access to Okta’s systems after compromising Sykes, a third-party support vendor with ties to Okta. Malicious hackers often exploit third-party vendors as an initial target, then look to pivot to more lucrative targets that rely on those vendors for support. In this case, Sykes provided customer support services to Okta and had wide-spanning access to its internal environment, creating the perfect storm for Lapsus$ to exploit this relationship.
How do they do it?
The one question that has repeatedly baffled researchers is: how do you stop Lapsus$? Its preferred method of compromise is bribing insiders or exploiting third-party vendors. Bribing disgruntled insiders is a surefire way to access highly privileged user accounts. Lapsus$ bypasses traditional security perimeters by researching these insiders for weeks to months beforehand and contacting them on personal devices outside the security umbrella of their employer. In other cases, the group uses similar methods to gain access through vendors with close relationships to target organizations. These vendors typically lack the sophisticated security defenses that a Fortune 500 company would have, but are so interconnected with their clients that they allow attackers to pivot to the larger targets after the initial breach. However, the most significant conundrum investigators have faced with Lapsus$ is what its goal in all these attacks actually is.
Lapsus$ has targeted massive Fortune 500 companies, globally recognized brands that collect billions in revenue each year, but has seldom asked for a ransom to be paid. The group has stolen source code, published internal documentation to boast of its exploits, and even suggested changes in business practices, but has only made monetary demands of two organizations. In NVIDIA’s case, Lapsus$ demanded that NVIDIA remove an anti-cryptomining feature from its GPUs and make all its products open source. When it attacked Microsoft, there were no demands. Instead, the group boasted of its exploitation in a Telegram channel and distributed the source code it stole for free. Regardless of its goals, Lapsus$ is still a hacking group consisting primarily of teenagers. If hackers this young can breach some of the most well-funded companies, everyone needs to take a step back and reevaluate their security practices.
How Can Netizen Help?
Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact