Lapsus$ Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/lapsus/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

T-Mobile Admits that Lapsus$ Hack Group Stole Its Source Codes
https://gridinsoft.com/blogs/t-mobile-admits-that-lapsus-stole-its-source-codes/
Mon, 25 Apr 2022 21:03:56 +0000
Information security specialist Brian Krebs found out that even before the arrests, the Lapsus$ hack group managed to compromise the telecom giant T-Mobile.

The company confirmed this information, saying that a few weeks ago, hackers penetrated the company’s network, gained access to internal tools and source codes. It is emphasized that at the same time, the attackers were unable to steal confidential information about T-Mobile customers.

Let me remind you that we have already talked about the strange hack group Lapsus$, which blackmailed Nvidia, leaked the source codes of Microsoft, Ubisoft and Samsung, and compromised Okta, a group for which notoriety was clearly more important than financial gain.

The well-known investigative journalist Brian Krebs, who has specialized in information security for many years and has repeatedly exposed various hack groups and helped law enforcement officers in their investigations, reported on the T-Mobile hack.

Krebs, who obtained access to the private chats of the group members, writes that the attack on T-Mobile took place some time ago, even before the arrests of seven alleged Lapsus$ members, which UK law enforcement agencies reported at the end of March 2022.

According to the chat logs, the VPN credentials that the group used for initial access were purchased and stored on the dark web, on sites such as Russian Market. The goal of the attackers was to compromise the accounts of T-Mobile employees, which ultimately allowed them to carry out SIM-swap attacks.

T-Mobile and hack group Lapsus$

“When Lapsus$ lost access to a T-Mobile employee’s account (due to the employee trying to log in or change their password), they simply found or bought a different set of T-Mobile VPN credentials. T-Mobile currently has about 75,000 employees worldwide,” Krebs notes.

In addition to accessing an internal customer account management tool called Atlas, the hackers’ discussions suggest they gained access to Slack and Bitbucket accounts, using the latter to download 30,000 source code repositories.

At the same time, the hackers were searching Atlas for T-Mobile accounts associated with the FBI and the US Department of Defense (see screenshot below). To their disappointment, it turned out that additional verification procedures were required to work with such accounts.

T-Mobile and hack group Lapsus$

Interestingly, after failing to get at the records of the FBI and other government agencies, the leader of the group, a 17-year-old teenager from the UK known by the nicknames White, WhiteDoxbin and Oklaqq, told the other hackers to focus on stealing source code and to give up on the VPN access to Atlas, which WhiteDoxbin considered “garbage”. The other members of the group were extremely unhappy with this decision.

T-Mobile and hack group Lapsus$

After the publication of Krebs’s article, T-Mobile representatives confirmed the hack. The company stated:

“A few weeks ago, our monitoring tools detected an attacker using stolen credentials to access internal systems hosting operational tools. The systems that were accessed contained no customer, government or other sensitive information, and we have no evidence that the attacker was able to obtain anything of value. Our systems and processes were running as normal, the attack was quickly stopped, and the compromised credentials used were retired.”

Law enforcement officers closed the hacker resource RaidForums
https://gridinsoft.com/blogs/hacker-resource-raidforums/
Wed, 13 Apr 2022 14:28:08 +0000
During the international operation TOURNIQUET, which was coordinated by Europol, the well-known hacker resource RaidForums, which was mainly used to trade in stolen databases, was closed. The administrator of RaidForums and two of his accomplices have been arrested, and the site’s infrastructure is now under the control of law enforcement agencies.

The operation was reportedly prepared by the authorities of the United States, Great Britain, Sweden, Germany, Portugal and Romania for more than a year.

The US Department of Justice writes that the site administrator, known by the nickname Omnipotent, was arrested on January 31, 2022 in the UK, and he has already been charged. He was in custody from the time of his arrest until the completion of the extradition proceedings.

The pseudonym Omnipotent belonged to 21-year-old Portuguese citizen Diogo Santos Coelho, which means he launched RaidForums at the age of 14, since the site has been running since 2015.

Law enforcers seized the domains hosting RaidForums: raidforums.com, rf.ws and raid.lol.

According to statistics from the US Department of Justice, in total, more than 10 billion unique records from hundreds of hacked databases were put up for sale on the marketplace, including those affecting people living in the United States. In turn, Europol reports that RaidForums had more than 500,000 users and was “one of the largest hacker forums in the world.” It is worth adding here that we are talking about English-language resources.

“This marketplace has made a name for itself by selling access to high-profile database leaks owned by various US corporations from various industries. They contained information about millions of credit cards, bank account numbers and routing information, as well as usernames and associated passwords needed to access online accounts,” Europol said.

It is not yet known how long the investigation took overall, but law enforcement seems to have managed to get a pretty clear picture of the RaidForums hierarchy. The Europol press release notes that the people who supported the work of RaidForums were engaged in administration and money laundering, stole data and uploaded it to the site, and also bought stolen information.

At the same time, Diogo Santos Coelho, mentioned above, allegedly controlled RaidForums from January 1, 2015, that is, from the very beginning, and managed the site with the support of several administrators, organizing a structure to promote the purchase and sale of stolen data. To make a profit, the forum charged users for various membership levels and sold credits that allowed members to gain access to more privileged areas of the site or to stolen data posted on the forum.

Coelho also acted as an intermediary and escrow guarantor between the parties to transactions, undertaking to see that buyers and sellers honored their agreements.

Bleeping Computer writes that back in February 2022, criminals and security researchers suspected that RaidForums had been taken over by law enforcement, as the site began displaying a login form on every page. When users tried to log in, the site simply showed the login page again, and many suspected that the site had been seized and that this was a phishing attack by law enforcement agencies trying to harvest the attackers’ credentials.

On February 27, 2022, the raidforums.com DNS servers changed completely to jocelyn.ns.cloudflare.com and plato.ns.cloudflare.com, which only convinced the hackers that they were right. The fact is that in the past these DNS servers were used by other sites seized by the authorities, including weleakinfo.com and doublevpn.com.

RaidForums, which appeared back in 2015, has recently become widely known due to ransomware operators who leaked data stolen from victims to the site in order to force them to pay a ransom. For example, this tactic was previously used by Babuk and Lapsus$ operators.

However, earlier, when the resource was not so popular, its community specialized in swatting, as well as raiding, which the US Department of Justice describes as “publishing or sending a huge number of contacts to the online medium that the victim uses to communicate.”

In recent years, the marketplace has been a favorite place for hackers to sell stolen databases or simply share them for free with other forum members.

Let me remind you that we also wrote about the Hydra Market being shut down by the German authorities.

Hack group Lapsus$ returned from “vacation” and announced the hacking of Globant
https://gridinsoft.com/blogs/lapsus-returned-from-vacation/
Thu, 31 Mar 2022 18:36:10 +0000
The Lapsus$ extortionist group has returned from a “vacation” despite the recent arrest of seven of its members. The cybercriminals’ Telegram channel published data allegedly stolen from the Globant software development company.

As evidence of the hack, the hackers first posted a screenshot showing a list of folders with the names of various companies from around the world, including Arcserve, Banco Galicia, BNP Paribas Cardif, Citibanamex, DHL, Stifel, and others.

Lapsus$ returned from vacation

A little later, the group also posted a torrent file containing 70 GB of source code allegedly stolen from Globant, as well as administrator passwords for the company’s Atlassian products (including Confluence, Jira and Crucible).

Lapsus$ returned from vacation

According to the research group VX-Underground, Lapsus$ members mocked the Globant administrators and separately published some of the passwords they used. The problem is that credentials like “admin” or “admin2” are trivially guessable and are often reused across a company, so a single leaked password can open many systems.

Representatives of Globant have not yet commented on the incident.

Let me remind you that lately the Lapsus$ hacker group has become a real cyber sensation and does not leave the front pages of IT publications around the world. These guys blackmailed Nvidia, leaked the source codes of Ubisoft, Microsoft and Samsung and compromised Okta. As the media and experts now report, the leader of this hack group may be a 17-year-old teenager from the UK, moreover, he was recently arrested by the authorities.

As Flashpoint experts noted, Lapsus$ differs from other extortion groups in that it does not encrypt its victims’ files; instead it penetrates the company’s network, gains access to important files, steals them, and then threatens to leak the data if a ransom is not paid.

It should also be added that Lapsus$ does not have its own “leak site” where it publishes or sells the data of its victims. All leaks and communication “with the public” take place on the hackers’ Telegram channel, which has more than 52,000 subscribers, or by mail, and the stolen data is even distributed via torrents.

In total, 19 companies and organizations have become victims of Lapsus$, while 15 of them are located in Latin America and Portugal.

Management of Okta admitted they didn’t immediately disclose details about the Lapsus$ attack in vain
https://gridinsoft.com/blogs/okta-and-the-lapsus-attack/
Tue, 29 Mar 2022 19:02:21 +0000
Last week it became known that back in January this year, the Lapsus$ hack group compromised a major provider of access and identity management systems, Okta, and the attack affected about 2.5% of customers.

Between January 16 and 21, 2022, hackers had access to a support engineer’s laptop and the company now admits the hack should have been made public sooner.

In the company blog, Okta representatives expressed regret that they did not disclose details about the Lapsus$ hack earlier, and also shared a detailed chronology of the incident and its investigation. I note that after the news of the hack, the company’s shares fell by 20% in less than a week.

Okta and the Lapsus$ Attack

As it turns out, the hack affected Sitel, Okta’s third-party customer support provider.

“On January 20, 2022, the Okta Security team was notified that a new factor had been added to the Sitel Customer Support Engineer account. That factor was the password. Although this particular attempt [of the attack] was not successful, as a precaution, we nullified this account and notified Sitel about what happened, and they brought in leading cybercriminologists to conduct an investigation,” says the company.

Okta says it made a mistake at this stage, because ultimately Okta itself is responsible for its contracted service providers (such as Sitel). The statement also emphasizes that in January the scale of the incident was seriously underestimated, because at the time everything seemed to be limited to an unsuccessful attempt to take over the account of a Sitel support engineer. In any case, that was the conclusion reached by the forensic investigators brought in to examine the incident.

We did not realize at the time that there was a risk to Okta and our customers. We should have been more active in demanding information from Sitel. In light of the evidence that we have gathered over the past week, it is clear that we would have made a different decision then if we had all the facts we have today.

Okta reiterated that the attack affected only 2.5% (366 companies) of its customers, and also emphasized that the compromised Sitel engineer account could be used to reset user passwords but could not be used to log into their accounts, had limited access to Jira tickets and support systems, and was unable to upload, create, or delete customer records.

As a reminder, the hackers last week disputed Okta’s claim that the hack was generally unsuccessful, claiming that they “logged into the portal [as] superuser with the ability to reset the password and MFA for ~95% of clients.”

Let me also remind you that we wrote about how the Lapsus$ hack group stole the source codes of Microsoft products.

British police announced the arrest of several members of the Lapsus$ group
https://gridinsoft.com/blogs/arrest-of-lapsus-group/
Mon, 28 Mar 2022 18:26:47 +0000
Recently, the hack group Lapsus$ mentioned that several of its members were going on vacation, and soon afterwards law enforcement in the UK announced the arrest of seven alleged members of Lapsus$.

The hack group Lapsus$ has only recently entered the scene, but has already compromised Microsoft, Nvidia, Ubisoft and other major companies.

One of the latest messages in the hack group’s Telegram channel states that some Lapsus$ members are going on vacation until the end of March.

The publication Bleeping Computer notes that the exact size and composition of the group is unknown, but it seems that the members of the group speak English, Russian, Turkish, German and Portuguese.

Arrest of Lapsus$ members

Almost simultaneously with the appearance of this message on the hacker channel, the BBC reported that earlier this week the police in London arrested seven people aged 16 to 21 “in connection with the investigation into the activities of the hacker group.”

The names of the detainees were not disclosed, but this week the media already wrote that the real identities of some Lapsus$ participants had been exposed by rival hackers. In particular, according to Bloomberg, the leader of the group is a 17-year-old teenager from Oxford, England, who uses the nicknames White and Breachbase.

It is believed that due to his hacking activity, he accumulated more than 300 BTC (about $13 million at the current exchange rate), including by swapping SIM cards. Along with this information, his real name, home address, date of birth, educational details, and even personal photos with his family were published.

“Unit 221B, working with [cyber-security company] Palo Alto, after identifying the actor, watched him on his exploits throughout 2021, periodically sending law enforcement a heads-up about the latest crimes,” said Allison Nixon, chief research officer at cyber-security investigation company Unit 221B.

Apparently, the alleged leader of the group was among those arrested (among them is a teenager from Oxford). His father told the TV channel that he did not know what his son was doing:

Until recently, I didn’t know anything about it. He never talked about hacking, but he is very computer savvy and spends a lot of time on the computer. I always thought he was playing. We will try to prevent him from spending time at the computer.

Let me remind you that we also wrote about how hackers attack other hackers by spreading malware on underground forums.

Lapsus$ hack group stole the source codes of Microsoft products
https://gridinsoft.com/blogs/source-codes-of-microsoft-products/
Wed, 23 Mar 2022 15:19:23 +0000
The Lapsus$ hack group has released the source codes for Bing, Cortana, and other Microsoft products allegedly stolen from an internal Microsoft Azure DevOps server.

Over the weekend, a screenshot appeared on the Lapsus$ Telegram channel demonstrating that hackers attacked the Microsoft Azure DevOps server and got to the sources of Bing, Cortana and various other projects of the company.

On Monday evening, the group then torrented a 9 GB 7zip archive containing the source code for more than 250 projects that they say are owned by Microsoft.

Source code of Microsoft products

Lapsus$ states that the archive contains 90% of the Bing source code and approximately 45% of Bing Maps and Cortana code, while Bleeping Computer reports that the uncompressed archive contains approximately 37 GB of source code. At the same time, according to the hackers, only part of the source code got into the dump.

Source code of Microsoft products

Researchers who have already examined the leak confirm that the files are indeed internal Microsoft source code. Additionally, some of the projects are reported to contain emails and documentation that were clearly used internally by Microsoft engineers to publish mobile apps.

Apparently, these projects are intended for web infrastructure, sites or mobile applications, and the sources for desktops, including Windows, Windows Server and Microsoft Office, have not been published.

Microsoft representatives say they already know about this leak, and the company is investigating what happened.

Soon after, Microsoft representatives, who track Lapsus$ under the identifier DEV-0537, confirmed the compromise.

In the course of this activity, source codes or customer data were not affected. Our investigation revealed that one account was compromised and this helped [the hackers] gain limited access. Our response teams quickly set about fixing the hacked account issue and preventing further action [by the attackers].

Microsoft does not rely on the secrecy of its code as a security measure, so in its view, viewing the source code does not increase the risk.

“Our team was already investigating an account compromise when the attackers publicly reported their intrusion. This public announcement intensified our activity, allowing our specialists to intervene and interrupt the actions of the hackers in the middle of the operation,” Microsoft says.

Let me remind you that the Lapsus$ extortionist group breaks into corporate systems and steals source codes, customer lists, databases and other valuable information from companies. At the same time, the attackers very rarely use ransomware. More often, the hackers simply extort ransoms from their victims, demanding money and threatening to publish the stolen data otherwise. Previously, Lapsus$ has already attacked such giants as Samsung, Nvidia, Vodafone, Ubisoft and Mercado Libre.

Let me remind you that I also wrote about a 0-day vulnerability that remained unpatched for 2 years due to Microsoft bug bounty issues, and also that the US and UK accused China of attacks on Microsoft Exchange servers.
