Microsoft and identity management platform Okta both this week disclosed breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom demand is paid. Here’s a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations.

First surfacing in December 2021 with an extortion demand on Brazil’s Ministry of Health, LAPSUS$ made headlines more recently for posting screenshots of internal tools tied to a number of major corporations, including NVIDIA, Samsung, and Vodafone.

On Tuesday, LAPSUS$ announced via its Telegram channel it was releasing source code stolen from Microsoft. On the 22nd, Microsoft said it interrupted the LAPSUS$ group’s source code download before it could finish, and that it was able to do so because LAPSUS$ publicly discussed their illicit access on their Telegram channel before the download could complete.

One of the LAPSUS$ group members admitted on their Telegram channel that the Microsoft source code download had been interrupted.

“This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” Microsoft wrote. “No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

While it may be tempting to dismiss LAPSUS$ as an immature and fame-seeking group, their tactics should make anyone in charge of corporate security sit up and take notice.

Microsoft says LAPSUS$, which it boringly calls “DEV-0537,” mostly gains illicit access to targets via “social engineering.” This involves bribing or tricking employees at the target organization or at its myriad partners, such as customer support call centers and help desks.

“Microsoft found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners),” Microsoft wrote. “DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system. Such a tactic was just one of the ways DEV-0537 took advantage of the security access and business relationships their target organizations have with their service providers and supply chains.”

The LAPSUS$ Telegram channel has grown to more than 45,000 subscribers, and Microsoft points to an ad LAPSUS$ posted there offering to recruit insiders at major mobile phone providers, large software and gaming companies, hosting firms and call centers.

Sources tell KrebsOnSecurity that LAPSUS$ has been recruiting insiders via multiple social media platforms since at least November 2021. One of the core LAPSUS$ members who used the nicknames “Oklaqq” and “WhiteDoxbin” posted recruitment messages to Reddit last year, offering employees at AT&T, T-Mobile and Verizon up to $20,000 a week to perform “inside jobs.”

“WhiteDoxbin” offering to pay $20,000 a week to corrupt employees at major mobile providers.

Many of LAPSUS$’s recruitment ads are written in both English and Portuguese. According to cyber intelligence firm Flashpoint, the bulk of the group’s victims (15 of them) have been in Latin America and Portugal.

“LAPSUS$ currently does not operate a clearnet or darknet leak site or traditional social media accounts - it operates solely via Telegram and email,” Flashpoint wrote in an analysis of the group. “LAPSUS$ appears to be highly sophisticated, carrying out increasingly high-profile data breaches. The group has claimed it is not state-sponsored. The individuals behind the group are likely experienced and have demonstrated in-depth technical knowledge and abilities.”

Microsoft said LAPSUS$ has been known to target the personal email accounts of employees at organizations they wish to hack, knowing that most employees these days use some sort of VPN to remotely access their employer’s network.

“In some cases, [the group] first targeted and compromised an individual’s personal or private (non-work-related) accounts giving them access to then look for additional credentials that could be used to gain access to corporate systems,” Microsoft wrote.
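The insider tactic Microsoft describes above (a paid accomplice approving an MFA prompt, or AnyDesk or similar remote-management software turning up on a corporate workstation) is something a detection team can look for by correlating identity-provider and endpoint telemetry. The following Python script is an example added for this page, not code from the article, Microsoft or Flashpoint; the line-delimited JSON log format, field names, host allowlist, 30-minute window and all sample events are constructed assumptions, and AnyDesk is the only tool name taken from the text.

```python
import json
from datetime import datetime, timedelta

# AnyDesk is the tool named in the text; matching is on the executable's base name.
REMOTE_TOOLS = {"anydesk.exe", "anydesk"}
# Constructed allowlist of hosts where a remote-support tool is expected (help desk).
ALLOWED_HOSTS = {"helpdesk-01"}
# Constructed correlation window between a user's MFA approval and the tool launch.
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry (IdP MFA approvals + endpoint process starts), one JSON object per line.
SAMPLE_LOG = r"""
{"ts":"2022-03-22T09:00:00Z","type":"mfa_approved","user":"alice","host":"ws-alice"}
{"ts":"2022-03-22T09:12:00Z","type":"process_start","user":"alice","host":"ws-alice","image":"C:\\Users\\alice\\Downloads\\AnyDesk.exe"}
{"ts":"2022-03-22T10:00:00Z","type":"mfa_approved","user":"bob","host":"helpdesk-01"}
{"ts":"2022-03-22T10:05:00Z","type":"process_start","user":"bob","host":"helpdesk-01","image":"C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
{"ts":"2022-03-22T11:00:00Z","type":"process_start","user":"carol","host":"ws-carol","image":"C:\\Windows\\notepad.exe"}
{"ts":"2022-03-22T14:00:00Z","type":"process_start","user":"dave","host":"ws-dave","image":"C:\\Tools\\anydesk.exe"}
"""

def parse_events(text):
    """Parse the line-delimited JSON log and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def is_remote_tool(image):
    """Match the executable's base name regardless of which path separator the log uses."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower() in REMOTE_TOOLS

def find_suspicious(events):
    """Alert on remote-tool launches on non-allowlisted hosts: 'high' severity when the
    same user approved an MFA prompt within WINDOW beforehand, otherwise 'medium'."""
    last_mfa, alerts = {}, []
    for ev in events:
        if ev["type"] == "mfa_approved":
            last_mfa[ev["user"]] = ev["ts"]
        elif ev["type"] == "process_start" and is_remote_tool(ev["image"]):
            if ev["host"] in ALLOWED_HOSTS:
                continue
            approved = last_mfa.get(ev["user"])
            recent = approved is not None and ev["ts"] - approved <= WINDOW
            alerts.append({"user": ev["user"], "host": ev["host"], "image": ev["image"],
                           "severity": "high" if recent else "medium"})
    return alerts
```

Running `find_suspicious(parse_events(SAMPLE_LOG))` on the constructed sample yields a high-severity alert for alice (MFA approval followed twelve minutes later by AnyDesk from a Downloads folder) and a medium one for dave, while the help-desk host is skipped.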