I reported on the LAPSUS$ hacker group, which is reportedly made up of teenagers, here on the blog. Security researchers at Tenable have taken a closer look at the group and published an analysis. The conclusion: the group's tactics were brazen, illogical and ill-conceived, and yet they were successful, managing to embarrass the biggest tech companies such as Microsoft, Samsung, Ubisoft and Okta. That says a lot about the state of security in the industry.
Background of the Lapsus$ group
The Lapsus$ group, suspected to consist of teenagers (at least some teenagers have been arrested in the UK in connection with it), attracted considerable media attention through a series of attacks on tech companies, including Microsoft Corp and Nvidia Corp. The group had been active since mid-2021, and its strategy was to gain access to systems by buying up employee account credentials. They were quite successful: Lapsus$ became one of the most famous and notorious online extortion groups. I have reported on the hacks several times; see the links at the end of the article.
Security researchers who investigated a series of attacks by the Lapsus$ hacker group on behalf of the attacked companies were able to identify some members of the Lapsus$ group. I reported on this in the blog post Lapsus$ hacker group debunked? Teenager from Britain and Brazil suspected. Since then, there have been arrests in the UK, and charges have been brought against defendants.
Brazen and successful
The case of the LAPSUS$ group shows how patchy security is even at the big tech companies. A group of teenagers successfully penetrated the IT systems of major companies such as Microsoft, Samsung, Ubisoft and Okta. Telekom's US subsidiary T-Mobile was also hacked several times.
Claire Tills, senior research engineer at Tenable, has gained deep insight into the operations of the LAPSUS$ group. She writes that while the group's tactics are brazen, illogical and ill-conceived, they have succeeded in causing disruption at major international technology companies. This, she says, is a sobering reminder that no company is truly safe from cyberattacks, as companies large and small alike have become fair game for attackers.
It's all about the money
Unlike ransomware operators, LAPSUS$ represents a growing class of cybercriminals who focus exclusively on data theft and extortion. They gain access to victims through proven methods such as phishing and steal the most sensitive data they can find, without deploying data-encrypting malware. The group came into the spotlight when it attacked Nvidia in late February. That attack marked LAPSUS$'s entry onto the world stage and the start of a brief rampage through major technology companies.
Unlike other threat groups, LAPSUS$ operates exclusively through a private Telegram group and runs no leak site on the dark web. On Telegram, the group announces its victims and often asks the community for suggestions on which corporate data to release next. Compared with the polished, standardized leak sites of ransomware groups (such as AvosLocker, LockBit 2.0, Conti, etc.), these practices look disorganized and immature.
The LAPSUS$ group, which recently attacked a number of high-profile targets, gained notoriety for its unconventional tactics and unpredictable methods. Its early attacks consisted of distributed denial of service (DDoS) and website defacement. But as early as Jan. 21, the LAPSUS$ group was involved in the multi-stage intrusion that eventually led to the Okta incident. Over the course of this evolution, the group relied heavily on classic tactics such as buying credential dumps, social engineering helpdesks, and spamming users with multifactor authentication (MFA) prompts until one was approved, in order to gain initial access to targeted companies.
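The MFA prompt spamming described above leaves a recognisable trace in identity-provider logs: a burst of push notifications to one user, several denials, and sometimes a final approval. The following is an added detection example for defenders; it is not code from this blog or from Tenable's report. The log format, field names (`user`, `event`, `src`), the event names and the window/threshold values are assumptions chosen for illustration, and the log lines are constructed sample data.

```python
"""Flag MFA push-fatigue (prompt spamming) patterns in authentication logs.

Added illustrative example, not from the blog post or Tenable's analysis.
The line format "<ISO timestamp> user=<id> event=<name> src=<ip>" and the
event names mfa_push / mfa_deny / mfa_approve are assumptions; map them to
whatever your identity provider actually exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "alice" receives five pushes in under a minute,
# denies two of them and finally approves; "bob" is a normal single login.
SAMPLE_LOG = """\
2022-01-21T03:12:01Z user=alice event=mfa_push src=203.0.113.5
2022-01-21T03:12:09Z user=alice event=mfa_deny src=203.0.113.5
2022-01-21T03:12:15Z user=alice event=mfa_push src=203.0.113.5
2022-01-21T03:12:22Z user=alice event=mfa_deny src=203.0.113.5
2022-01-21T03:12:30Z user=alice event=mfa_push src=203.0.113.5
2022-01-21T03:12:41Z user=alice event=mfa_push src=203.0.113.5
2022-01-21T03:12:55Z user=alice event=mfa_push src=203.0.113.5
2022-01-21T03:13:10Z user=alice event=mfa_approve src=203.0.113.5
2022-01-21T09:00:00Z user=bob event=mfa_push src=198.51.100.7
2022-01-21T09:00:06Z user=bob event=mfa_approve src=198.51.100.7
"""

WINDOW = timedelta(minutes=5)  # assumed: sliding window in which pushes are counted
THRESHOLD = 4                  # assumed: this many pushes in one window is suspicious


def parse_line(line):
    """Split one log line into (timestamp, {field: value})."""
    ts_str, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: finding} for users with >= threshold pushes inside `window`.

    Each finding records the densest burst's push count, how many denials fell
    inside it, whether an approval followed the burst (the case that means the
    attacker got in), and the source IPs seen for that user.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, kv = parse_line(line)
            events[kv["user"]].append((ts, kv["event"], kv.get("src")))

    findings = {}
    for user, evs in events.items():
        evs.sort()
        pushes = [ts for ts, ev, _ in evs if ev == "mfa_push"]

        # Sliding window over push timestamps; keep the densest window.
        best = (0, None, None)
        start = 0
        for end, ts_end in enumerate(pushes):
            while ts_end - pushes[start] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, pushes[start], ts_end)

        count, burst_start, burst_end = best
        if count < threshold:
            continue

        denies = sum(1 for ts, ev, _ in evs
                     if ev == "mfa_deny" and burst_start <= ts <= burst_end)
        approved_after = any(ev == "mfa_approve" and burst_start <= ts <= burst_end + window
                             for ts, ev, _ in evs)
        findings[user] = {
            "pushes": count,
            "denies": denies,
            "approved_after_burst": approved_after,
            "sources": sorted({src for _, _, src in evs if src}),
        }
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, finding)
```

The "approved after burst" flag is the one to alert on with highest priority: a user who eventually accepts a push after a string of denials is the exact outcome this tactic aims for, and the approving session should be treated as suspect regardless of which account it is. Number-matching or phishing-resistant MFA removes the pattern entirely, which is the mitigation Tenable's advice about hardening defenses points at.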
"Just like ransomware, there will be no end to extortion attacks until they become too complicated or too costly," said Claire Tills, senior research engineer at Tenable. "Organizations should consider what defenses they have against the tactics being used, how they can be hardened, and whether their response plans effectively address these incidents. While it's easy to downplay threat groups like LAPSUS$, their disruption of large international technology companies reminds us that even simple tactics can have serious implications."
Ubisoft hacked by Lapsus$ cyber gang (March 2022)
Cyber attacks on Nvidia and McDonalds (Feb. 25, 2022)
Samsung confirms hack, source code leaked by Lapsus$
Lapsus$ allegedly publishes source code of Microsoft Azure, Bing and Cortana
Authentication service OKTA hacked by Lapsus$?
Lapsus$ hacks: statements from Okta and Microsoft
Lapsus$ hacker group debunked? Teenager from Britain and Brazil suspected
Chats show: LAPSUS$ had probably also hacked T-Mobile several times