
Source code stolen from Microsoft, NVIDIA and many other enterprises: is the "big boss" behind it actually a minor?

Compiled by | Tina, Nuclear Coke

Because engineers were "bought off" by underage hackers, source code from Microsoft, NVIDIA and many other enterprises was stolen in bulk.

This week, both Microsoft and the identity management platform Okta disclosed breaches carried out by Lapsus$. A "new force" in cybercrime, Lapsus$ specializes in stealing data from large enterprises and threatening to publish it in order to force the victims to pay a ransom. The investigation found that the group is not a state-backed threat actor, and that its leader is no more than a teenager under the age of 18 who has not yet been formally charged with a crime.

Large enterprises have put tens of thousands of staff and hundreds of billions in assets into security, and deploy sophisticated solutions such as zero trust and passwordless authentication, yet they could not stop a minor walking in through the side door. In this article, we look at where Lapsus$ came from and how it pulled off such a shocking crime with relatively simple techniques.

1. Multiple companies breached and struggling to respond

This week, Microsoft was confirmed to have leaked about 37GB of source code for Bing, Cortana and other projects; the hacking group Lapsus$ said the dump contained 90 percent of the Bing source code and about 45 percent of the code for Bing Maps and the Cortana voice assistant.


Leaked source code project

In a recent blog post, Microsoft confirmed that it had been extorted by the Lapsus$ hacking group, which had compromised the account of a Microsoft employee and gained "limited access" to project source code repositories. Microsoft maintains that the leaked code does not raise its risk level, because "our security measures do not rely on code confidentiality."

Microsoft has always taken enterprise security seriously. It recruited former Amazon executive Charlie Bell to head its newly formed security, compliance, identity and management division, which is expected to employ more than 10,000 people, about 5% of Microsoft's total workforce (roughly 200,000 people). Measured by investment and revenue, Microsoft has in fact become the dominant player in cybersecurity, yet despite this scale of investment, Lapsus$ broke in with ease.

Prior to this, Lapsus$ had leaked data from Okta, NVIDIA, Samsung and Ubisoft.

Okta is a large company that provides identity verification services to customers such as FedEx; according to its website, it has more than 15,000 customers. On Tuesday, Okta confirmed that an attacker had accessed one of its employees' laptops in January 2022, and that about 2.5% of its customers may have been affected, for example by having their data viewed.

Okta released several investigation updates and held webinars, stating that the account of a third-party customer support engineer had been compromised; relying on third-party contractors of various kinds is, after all, common practice today. The account had limited functionality, and the hackers only had access for 5 days. But Lapsus$ wrote on Telegram that in fact they had months of access to Okta's systems, and posted screenshots of internal systems showing the hacked account as a superuser able to modify and access customer accounts.


At the end of February, Lapsus$ publicly admitted to a cyberattack on NVIDIA, claiming to hold about 1 TB of data from the company. The hardware folder alone is 250GB and contains highly confidential data, such as on "all recent NVIDIA GPUs".

In early March, the hacking group Lapsus$ posted a screenshot of C/C++ directives from Samsung software and subsequently published the data, including the source code for every trusted applet (TA) installed in Samsung's TrustZone environment for sensitive operations, the algorithms for all biometric unlock devices, bootloader source code for all recent Samsung devices, source code for Samsung's activation servers, the complete source code of the technology used to authorize and verify Samsung accounts, and confidential source code from Qualcomm, among other things. On March 7, Samsung issued a statement confirming the data breach, which amounted to 190GB.


On March 12, Ubisoft issued an announcement stating that the company had experienced a "cybersecurity incident"; although the attackers' attempt to breach the company's security appeared to have failed, Ubisoft initiated a company-wide password reset as a precaution.

2. Microsoft's findings: breaking into target companies by bribing employees

Lapsus$'s criminal "debut" came in December 2021, with an extortion attempt against the Brazilian Ministry of Health. In the months that followed, Lapsus$ gained more and more notoriety as well-known companies such as NVIDIA, Samsung and Vodafone were added to its list of victims.

On Tuesday, March 22, Lapsus$ announced on its Telegram channel that it was releasing source code stolen from Microsoft. Microsoft said in a blog post the same day that Lapsus$'s download had been interrupted midway, so the group did not obtain the full source code. The reason it was caught in time was that Lapsus$ began "celebrating" the intrusion before the download was finished, openly discussing it on the Telegram channel.

A member of the Lapsus$ group admitted on Telegram that the download of source code from Microsoft had indeed been cut short.

Microsoft wrote in a blog post, "The other party's public disclosure prompted us to step up protective measures in time, and the Microsoft team was able to intervene and interrupt their data download. In our investigation, we found that one account had been compromised, resulting in limited access." From this incident, Lapsus$ may look like a fledgling kid desperate to make a name for itself, but in fact Lapsus$'s attack strategy is quite mature and deserves the attention of enterprise security departments. Microsoft says Lapsus$ (which Microsoft internally names DEV-0537, in typical engineer naming style) relies primarily on social engineering to gain illegal access. Specifically, Lapsus$ bribes or defrauds employees of the target organization and its partners, such as call centers and help desks, in order to obtain internal access.

Microsoft wrote, "Microsoft discovered that the gang had successfully broken into target organizations by bribing employees (or employees of vendors/business partners)."

The blog post further added:

"DEV-0537 also advertises that they are willing to buy credentials for specific targets, blatantly courting internal employees or contractors. To close the deal, the co-conspirator must provide their login credentials and approve the multi-factor authentication (MFA) prompt, or install AnyDesk or other remote management software on the company workstation on the gang's behalf to help the attacker gain control of the authenticated system. In addition, DEV-0537 has prepared a variety of other ways to disrupt secure access and business relationships between the target organization and its service providers/supply chain."

Currently, Lapsus$'s Telegram channel has more than 45,000 subscribers. Microsoft noted that Lapsus$ had posted an ad on the channel to recruit internal employees from major mobile phone vendors, large software and gaming companies, managed services companies, and call centers.

Sources tell us that Lapsus$ has been buying off insiders through various social media platforms since at least November 2021. Last year, one of the core members of the Lapsus$ gang, using nicknames such as "Oklaqq" and "WhiteDoxbin", posted job offers on Reddit, offering AT&T, T-Mobile and Verizon employees $20,000 a week in exchange for some "internal work."


Lapsus$ core member Oklaqq (aka WhiteDoxbin) offered insiders at major U.S. mobile operators $20,000 a week.

A significant portion of Lapsus$'s job advertisements are written in English and Portuguese. According to the cyber intelligence firm Flashpoint, most of the gang's victims (15 of them) are also concentrated in South America and Portugal.

Flashpoint wrote in its analysis, "Lapsus$ does not currently operate any clearnet/dark-web leak sites or traditional social media accounts; they communicate operationally only via Telegram and email. Lapsus$ appears sophisticated and is launching wave after wave of high-profile data breaches. The gang claims not to be state-backed, so the operators behind it are most likely experienced and have demonstrated deep technical knowledge and competence."

Microsoft mentioned that Lapsus$ chose to start with the personal email accounts of the target organization's employees, knowing that most employees now work over VPNs to remotely access their employer's network.

Microsoft wrote, "In some cases, Lapsus$ first targets and takes over an individual's personal or private (non-work-related) accounts, and then uses that access to look for additional credentials that can be used to access enterprise systems. Because employees often use personal accounts or phone numbers as their two-factor authentication or password recovery method, the gang also carries out password resets and account recovery through them. In other cases, Lapsus$ has called the target organization's help desk in an attempt to induce technical support staff to reset the credentials of a high-privilege account."

Microsoft also explained, "The gang will have a native English-speaking member use previously collected information, such as a profile picture, when talking to support staff in order to make the social engineering more convincing. From what has been observed, DEV-0537 attempts to gain the trust of support staff by answering recovery prompts such as 'the first street you lived on' or 'mother's maiden name'. Many organizations now outsource customer support, and DEV-0537's strategy is to exploit this fractured relationship and trick support staff into granting elevated privileges."


Lapsus$ recruits internal employees through the Telegram channel.

3. Bypassing security by swapping the SIM card

Microsoft mentioned that Lapsus$ also gained access to key accounts at target organizations through SIM swapping. In this technique, the attackers bribe or trick employees of mobile operators into transferring the victim's phone number to a device the attackers specify. The attacker can then receive any one-time password sent to the victim via SMS or phone call, and use it to reset the password of online accounts that verify identity by text message.

Microsoft wrote, "Their tactics include phone-based social engineering, SIM swapping to achieve account takeover, accessing the personal email accounts of employees at the target organization, paying employees/vendors/business partners of the target organization for access credentials and MFA approval, and intruding on the target's incident-response communication calls once the threat has been discovered."
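The SIM-swap path described above works because an SMS one-time code is the only thing standing between a password reset and the account. The following is an added example, not code from the article or from any vendor: a small model of an account-recovery policy, with the weak rule (any SMS code unlocks a reset) beside a hardened rule that refuses SMS-delivered codes for privileged accounts and for any account whose phone number changed recently. All names, the cooldown value and the scenarios are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of an account's recovery state (not any real vendor's API).
@dataclass
class Account:
    user: str
    privileged: bool
    phone_changed_at: datetime                 # when the recovery number last changed
    factors: set = field(default_factory=set)  # enrolled factors, e.g. {"sms", "fido2"}

@dataclass
class ResetRequest:
    account: Account
    factor_used: str   # which enrolled factor the requester satisfied
    now: datetime

PHONE_CHANGE_COOLDOWN = timedelta(days=7)  # assumed policy value
STRONG_FACTORS = {"totp", "fido2"}         # assumed: factors not delivered over the phone network

def weak_policy(req: ResetRequest) -> bool:
    """Weak rule: any enrolled factor, SMS included, unlocks a password reset.
    After a SIM swap the SMS code lands on the attacker's handset, so this passes."""
    return req.factor_used in req.account.factors

def hardened_policy(req: ResetRequest) -> tuple:
    """Hardened rule: returns (allowed, reason). SMS alone is never enough for a
    privileged account, nor for any account whose number changed within the cooldown."""
    acct = req.account
    if req.factor_used not in acct.factors:
        return False, "factor not enrolled"
    if req.factor_used in STRONG_FACTORS:
        return True, "strong factor"
    # From here on the factor is SMS.
    if acct.privileged:
        return False, "sms not accepted for privileged account"
    if req.now - acct.phone_changed_at < PHONE_CHANGE_COOLDOWN:
        return False, "phone number changed within cooldown; escalate to manual review"
    return True, "sms accepted for low-risk account"

def simulate_sim_swap_reset():
    """Constructed scenario: an admin's number was ported yesterday (the SIM swap) and a
    reset is requested with the SMS code that now reaches the attacker's phone."""
    now = datetime(2022, 3, 22, 12, 0)
    admin = Account("admin", True, now - timedelta(days=1), {"sms", "fido2"})
    req = ResetRequest(admin, "sms", now)
    return weak_policy(req), hardened_policy(req)

def simulate_low_risk_reset():
    """Constructed scenario: an ordinary user whose number has been stable for 30 days."""
    now = datetime(2022, 3, 22, 12, 0)
    user = Account("alice", False, now - timedelta(days=30), {"sms"})
    req = ResetRequest(user, "sms", now)
    return weak_policy(req), hardened_policy(req)
```

The weak rule lets the swapped-SIM reset through, while the hardened rule blocks it on the privileged-account check and would also have blocked it on the recent-number-change check.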

Unit 221B, a New York-based cybersecurity consulting firm, has been keeping a close eye on cybercrime activity such as SIM swapping. Its researcher Nixon has worked with the security vendor Palo Alto Networks and had tracked several Lapsus$ members before the group was founded. Based on long-term research, they found that the gang has been using social engineering to corrupt insiders and contractors at major mobile operators.

Nixon explains, "Lapsus$ may have been the first 'alternative' criminal gang, and it made the world realize that the telecom ecosystem is not monolithic and has many 'soft targets' that can be exploited. Until then, cybercriminal groups rarely thought about it that way."

Microsoft noted that Lapsus$ has also deployed the "Redline" password-stealing malware, searched public code repositories for exposed passwords, and purchased credentials and session tokens on criminal forums. In short, Lapsus$ is not picky about its attack methods, as long as it can successfully break into the victim organization.

There is also an interesting point. Nixon found that at least one member of the Lapsus$ gang appeared to have been involved in last year's intrusion at the game developer EA, in which the extortionists threatened to publish 780 GB of game source code if the ransom was not paid. In interviews with the media, the hackers claimed that the EA Slack authentication cookie they used to access EA data had been bought on the Genesis darknet marketplace.

According to media reports at the time, "the hackers said they used the authentication cookie to impersonate a logged-in EA employee account and then accessed the EA Slack channel. They then tricked EA IT support into handing over access to the company's internal network."

Why does Nixon believe Lapsus$ is most likely behind the EA attack? Because the "WhiteDoxbin/Oklaqq" who appears in the screenshot of the job posting above seems to be the leader of the Lapsus$ gang and has used multiple nicknames across multiple Telegram channels. Telegram, however, ties every nickname used by an account to the same Telegram ID, so one can see that these are all the same person.

Back in May 2021, WhiteDoxbin's Telegram ID was used to create an account on a Telegram-based service for launching distributed denial-of-service (DDoS) attacks, at which time they referred to themselves as "@breachbase." Last year, the news of the EA hack was first published by the user "Breachbase" on the English-language hacking community RaidForums and caused a strong reaction among underground cybercriminals. Incidentally, the RaidForums website was recently shut down by the FBI.

4. Is the big boss actually a minor?

Nixon mentioned that WhiteDoxbin, the apparent leader of Lapsus$, is essentially the same person as the buyer who purchased the Doxbin website last year. Doxbin is a plain-text site where anyone can post information and look up, at any time, hundreds of thousands of doxing records that have been made public.

Apparently, the new owner of Doxbin did not perform well, leading several core members of the site to criticize his management ability without ceremony.

Nixon mentions, "This guy is definitely not a good administrator and can't even keep the site running. The Doxbin community was so upset about this that it began targeting and even harassing WhiteDoxbin."

Nixon also noted that in January 2022, WhiteDoxbin reluctantly relinquished control of the Doxbin website, selling the forum back to its previous owner at a discount. But just before giving up ownership, WhiteDoxbin leaked the entire Doxbin dataset (including private dox entries that had not yet been published and were only saved as drafts) to the public via Telegram.

The Doxbin community naturally reacted furiously, launching one of the most thorough doxings in the site's history, this time of WhiteDoxbin himself, even publishing a photograph supposedly taken at night near his home in the UK.

According to Doxbin users, WhiteDoxbin's money comes from buying and selling zero-day vulnerabilities, that is, security flaws in popular software and hardware that even the developers are not yet aware of.

According to Doxbin, "He slowly made money and further expanded the scope of his exploits. Within a few years his net worth has grown to over 300 bitcoins (close to $14 million)."

In 2020, WhiteDoxbin debuted as Breachbase on RaidForums. They put up $1 million worth of bitcoin, intending to buy zero-day vulnerabilities in various remote access/collaboration tools such as GitHub, GitLab, Twitter, Snapchat, Cisco VPN, Pulse VPN, and more.

Breachbase posted on RaidForums in October 2020, "My first budget is $100,000 worth of Bitcoin, and anyone who provides valuable information can get $10,000. Also, if you know someone else or somewhere selling this information, please reply. Note: the zero-day vulnerabilities you provide must have high/significant impact."

WhiteDoxbin's real name has not been made public on the grounds that he is still a minor (currently 17 years old) and has not been formally charged with a crime. But Doxbin's dox entries already contain personal information about WhiteDoxbin's family members.

Nixon said that before organizing Lapsus$, WhiteDoxbin was a founding member of a cybercrime gang calling itself the "Recursion Team." According to archived copies of its website, the gang mainly engaged in SIM swapping and "swatting" attacks, that is, reporting fictitious violent situations such as bomb threats or hostage-taking to the police in order to send a pre-planned and potentially deadly armed response to the victim's door.

The Recursion Team is now defunct, but its website read, "We are made up of online enthusiasts specializing in security penetration, software development and botnets. Our program is promising, and we look forward to welcoming you!"
