Through a number of breaches, the Lapsus$ cybercriminal group was able to steal source code from T-Mobile, says KrebsOnSecurity.
T-Mobile was the victim of a series of data breaches carried out by the Lapsus$ cybercrime group in March. In a post from Friday, security site KrebsOnSecurity revealed leaked chat messages between members of the Lapsus$ gang in which they discussed targeting T-Mobile employees with social engineering tactics designed to give them access to a victim’s mobile phone number. Known as SIM swapping, this tactic reassigns a phone number to a device owned by the attackers, allowing them to intercept the text messages and phone calls used for password resets and multi-factor authentication codes.
Using T-Mobile VPN credentials bought on the dark web, the Lapsus$ members were able to gain access to Atlas, a T-Mobile tool for managing customer accounts, according to KrebsOnSecurity. As some of the gang members argued over whether to focus on the SIM swapping tactic, one individual used the access to run an automated script that downloaded more than 30,000 source code repositories from T-Mobile.
In response to the incidents, T-Mobile shared the following statement with KrebsOnSecurity:
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” stated T-Mobile. “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
Surfacing around December of 2021, Lapsus$ has made a name for itself with a mix of different tactics, including buying stolen data on the dark web, scanning public code repositories for exposed credentials, using password stealers, paying employees to share sensitive data and using social engineering tricks to gain access to confidential accounts. Since then, the group has targeted numerous high-profile companies, such as Microsoft, Nvidia, Samsung and Okta.
“These high-profile attacks from Lapsus$ highlight just how dangerous stolen credentials and social engineering attacks still remain,” stated Ivan Righi, senior cyber menace intelligence analyst at Digital Shadows. “Lapsus$ attacks aren’t highly sophisticated. They usually initiate their attacks by using stolen credentials and then attempt to bypass multi-factor authentication using social engineering schemes. It is likely that Lapsus may be acquiring these credentials from underground marketplaces and AVC sites, such as the Russian market, which offer a variety of credentials for sale at a low price.”
Ironically, the gang’s overt methods of attack and fondness for drawing attention to itself got it into trouble with law enforcement. Following the latest attacks, several active members of Lapsus$ were arrested in March. Despite these key arrests, though, the group still appears to be in business, as other members have picked up the slack by staging further attacks.
The methods used by Lapsus$ also clearly show where organizations are still failing when it comes to cybersecurity.
“Unsurprisingly, stolen credentials continue to be a preferred method of compromise,” stated Tim Wade, deputy CTO at Vectra. “Perhaps what is surprising for many organizations is just how many risks exist around credentials and how often an inability to effectively gauge risks to their posture or detect and respond when something goes awry gives an adversary an opportunity to step up to the batter’s box. Organizations need to intentionally think long and hard at not only how they’ll manage risks on the front edge, but how they’ll uncover and expel an adversary post-compromise.”
Many organizations focus on security tools and technologies but neglect to consider the user.
“The TTPs used by Lapsus$ are not novel, but it does highlight a common weakness in cybersecurity — the user,” Righi stated. “Even the most secure technical controls may be bypassed by threat actors who are highly skilled in social engineering, and users who use the same credentials across multiple accounts may be putting their organizations at risk.”
More organizations are using multi-factor authentication to protect their user accounts. But the type of MFA implemented makes a big difference in security. The attacks staged by Lapsus$ point to the dangers of using SMS messages or phone calls for MFA, according to Righi, because the group has relied on phone-based social engineering schemes to compromise accounts.