LAPSUS$ Cyber Attacks – A Chaotic Debut In 2022 – Rewterz Threat Assistance

Introduction

LAPSUS$ Ransomware (or DEV-0537 as Microsoft calls it) is a new and emerging ransomware group that has successfully attacked major conglomerates and their latest victim is Samsung. Like most ransomware groups, LAPSUS$ also infiltrates organizations with a phishing attack. From there on, they exploit vulnerabilities like privilege escalation to get hold of administrative rights and blatantly display their abilities.

An Activity Round-Up for LAPSUS$

• LAPSUS$ claims to have stolen data from Samsung. They announced their telegram channel and also shared screenshots of the data. Stolen data contains confidential Samsung source code, including:
  • DEVICES/HARDWARE -Source code for every Trusted Applet (TA) installed on all Samsung devices’TrustZone (TEE) with specific code for every type of TEE OS (QSEE, TEEGris, etc). THIS INCLUDES DRM MODULES AND KEYMASTER/GATEKEEPER!
  • Algorithms for all biometric unlock operations, including source code that communicates directly with the sensor (down to the lowest level, we’re talking individual RX/TX bitstreams here).
  • Bootloader source code for all recent Samsung devices, including Knox data and code for authentication.
  • Various other data, confidential source code from Qualcomm

“There was a security breach relating to certain internal company data,” Samsung told Bloomberg. “According to our initial analysis, the breach involves some source code relating to the operation of Galaxy devices but does not include the personal information of our consumers or employees. Currently, we do not anticipate any impact on our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”

• LAPSUS$ Threat group has allegedly breached Okta. This news comes in the same week when the group announced their infiltration of Microsoft’s Azure DevOps. If the shared screenshots are true, then LAPSUS$ has access to Microsoft’s internal source-code repositories.
• The gang has previously compromised NVIDIA, Samsung, Vodafone, Mercado Libre, and Ubisoft. They have also started a recruitment campaign for insiders employed at conglomerates like Microsoft, Apple, and IBM.
• Now, the LAPSUS$ group has shared screenshots that provide legitimacy to their claim that they have breached Okta.
• Okta is an IDaaS (Identity as a Service) platform that is used to secure employee and customer identities. Big names like Hitachi, T-Mobile, HP, and Siemens use Okta. The worst part is that if the screenshots shared by LAPSUS$ are real, that means that the group breached Okta 2 months ago and has had access ever since.

“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.” reads the post published by Microsoft. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

• Okta’s CEO confirmed the breach saying:

“Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.” reads the advisory published by the company. “The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”

• Now, some members of the group have been arrested by the City of London Police due to their data breaches in Nvidia, Microsoft, Ubisoft, Samsung, and Okta. While the LAPSUS$ gang announced that some members are taking a vacation, the City of London Police said that it had arrested seven people aged 16 to 21 “in connection with an investigation into a hacking group” and that all of them are under investigation.
• LAPSUS$ Threat group has also breached Globant, and the organization has also released a statement on it. Globant, with its HQ in Luxembourg, has well-known customers like Google, Electronic Arts, Autodesk, Rockwell Automation, among others.

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access” – Globant

• LAPSUS$ has since published credentials that grant “administrator access” to these platforms used by Globant for collaborating, reviewing, and developing codes.

TTPs (Tactics, Techniques, and Procedures) of the group

1. Using Redline password stealer to obtain session tokens and passwords.
2. Using underground criminal forums to purchase compromised credentials.
3. They have also started a recruitment campaign for insiders employed at conglomerates like Microsoft, Apple, and IBM.
4. Searching for exposed credentials in public code repositories.

Why Backup your data?

• LAPSUS$ stole 1TB of data from NVIDIA and initially leaked 20GB of it online.
• They have also claimed to have stolen 200GB of source code files from Vodafone.
• 190GB of Samsung’s source code was also stolen by the group. 
• The group has also leaked 37GB of Microsoft’s source code.
• The group leaked 70GB of data stolen from Globant. 

If this doesn’t make you implement safe backup and data storage policies in your organization, we don’t know what will. Also considering that one of the group leaders is a teenager from London who operated from his house while his parents thought he was playing games, this warrants a look into your company’s insider threat policies, but we’ll talk about that in another update.

For now, let’s focus on why you should backup your data on World Backup day, but really everyday. 

Remember when LAPSUS$ first breached NVIDIA and NVIDIA fought back by encrypting all of their stolen data on LAPSUS$’s servers? Despite the hack, LAPSUS$ was able to get away with it because they had backed up their stolen data. Isn’t it ironic? This teaches us that data backups are critical for your organization. Ransomware is at an all time high, and will not stop anytime soon. Threat groups like LAPSUS$ will continue to emerge in the future, especially since that ransomware has become a lucrative industry for them. Maintaining backups of your data is one approach to protect yourself and avoid paying a ransom. This way, even if your main data is encrypted, it won’t matter because you’ll have a copy of it.

Remediation

Useful mitigation techniques include:

• Logging – Log your eCommerce environment’s network activity and web server activity.
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets.
• Employee Training – Employees should be well-versed in social engineering tactics and threats, and how to defend against them. Seminars, training, and employee orientations of cybersecurity best policies and threats is crucial.  
• Insider Threat – If job satisfaction and employee enthusiasm is high, it will reduce your risk of insider threats immensely. Taking extra measures to resolve employee grievances and problems is essential to do that. 

Rewterz offers a variety of data protection and recovery solutions that ensure your organization’s data recovery from destructive cyberattacks.