LAPSUS$ Ransomware (or DEV-0537, as Microsoft calls it) is a new and emerging ransomware group that has successfully attacked major conglomerates, and its latest victim is Samsung. Like most ransomware groups, LAPSUS$ infiltrates organizations through a phishing attack. From there, the group exploits weaknesses such as privilege-escalation flaws to obtain administrative rights and then openly publicizes what it has gained.
“There was a security breach relating to certain internal company data,” Samsung told Bloomberg. “According to our initial analysis, the breach involves some source code relating to the operation of Galaxy devices but does not include the personal information of our consumers or employees. Currently, we do not anticipate any impact on our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”
“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” reads the post published by Microsoft. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”
“Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday,” reads the advisory published by the company. “The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”
“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access” – Globant
Losing your files is way more common than you’d think.
One small accident or failure could destroy all the important stuff you care about. – World Backup Day
If this doesn’t make you implement safe backup and data storage policies in your organization, we don’t know what will. Consider, too, that one of the group’s leaders is a teenager from London who operated from his house while his parents thought he was playing games; that alone warrants a look at your company’s insider threat policies, but we’ll cover that in another update.
For now, let’s focus on why you should back up your data on World Backup Day, and really every day.
Remember when LAPSUS$ first breached NVIDIA and NVIDIA fought back by encrypting all of the stolen data on LAPSUS$’s servers? Despite that counter-move, LAPSUS$ got away with it because they had backed up the stolen data. Isn’t it ironic? The lesson is that data backups are critical for your organization. Ransomware is at an all-time high and will not stop anytime soon. Threat groups like LAPSUS$ will continue to emerge, especially since ransomware has become a lucrative industry for them. Maintaining backups of your data is one way to protect yourself and avoid paying a ransom: even if your primary data is encrypted, it won’t matter, because you’ll have an intact copy of it.
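A backup only helps if it was taken before the incident and is still intact when you need it. The following Python script is an added illustration, not code from the original post or from any product it mentions: it copies a directory into a backup location, records a SHA-256 manifest of every file, and refuses to restore unless the backup still matches that manifest. The directory layout, file contents and the "ransomware-style" overwrite in `scenario()` are constructed inline for the demonstration.

```python
"""Backup with an integrity manifest, plus a verify-before-restore step.

Hypothetical example: the directory layout and file contents are constructed
inline; nothing here is taken from the incidents described in the post.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def create_backup(source: Path, backup: Path) -> dict:
    """Copy source into backup and store the manifest alongside the copy."""
    shutil.copytree(source, backup)
    manifest = build_manifest(backup)
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup: Path) -> list:
    """Return the problems found: files missing, added, or with a changed hash."""
    recorded = json.loads((backup / MANIFEST_NAME).read_text())
    current = build_manifest(backup)
    problems = []
    for rel, digest in recorded.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in recorded:
            problems.append(f"unexpected: {rel}")
    return problems


def restore(backup: Path, target: Path) -> dict:
    """Restore only from a backup that verifies clean; return the target's manifest."""
    if verify_backup(backup):
        raise RuntimeError("backup failed integrity check; refusing to restore")
    shutil.copytree(backup, target, ignore=shutil.ignore_patterns(MANIFEST_NAME))
    return build_manifest(target)


def scenario() -> dict:
    """Constructed walk-through: back up, lose the live copy, restore, detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "src").mkdir(parents=True)
        (live / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (live / "notes.txt").write_text("build notes\n")

        backup = tmp / "backup"
        original = create_backup(live, backup)

        # Simulate a ransomware-style event on the live data: every file overwritten.
        for p in live.rglob("*"):
            if p.is_file():
                p.write_bytes(b"\x00" * 32)

        # The untouched backup still verifies, so restoring from it is safe.
        clean = verify_backup(backup)
        restored = restore(backup, tmp / "restored")

        # A backup the attacker also reached fails verification instead of being trusted.
        (backup / "notes.txt").write_text("corrupted\n")
        tampered = verify_backup(backup)

        return {
            "backup_clean_before_restore": clean,
            "restore_matches_original": restored == original,
            "tampered_backup_problems": tampered,
        }


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

The manifest lives next to the copied files here for simplicity; in practice you would keep it (or at least a signed copy of it) somewhere the backup host cannot write to, so that an attacker who reaches the backup cannot silently rewrite both the data and the digests that vouch for it. The same separation is what NVIDIA's encryption of LAPSUS$'s server failed to overcome: the group's copy sat elsewhere.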
Useful mitigation techniques include:
Rewterz offers a variety of data protection and recovery solutions that ensure your organization’s data recovery from destructive cyberattacks.