Tag Archives: Lapsus$

Has Lapsus$ been arrested?

Lapsus$, regarded as the most active threat group of recent weeks, is held responsible for attacks on Okta, Samsung, Nvidia and others. Before announcing the Okta breach, Lapsus$ had also threatened to breach Microsoft.

At the beginning of the week, Bloomberg reported that the leader of the group may be a 16-year-old English teenager.

After all these events, the City of London Police arrested seven suspects aged 16 to 21 accused of being members of the Lapsus$ group.

According to the BBC, the City of London Police have arrested seven alleged Lapsus$ members, but it has not been specified whether the group's leader is among them. All of them have since been released while the investigation continues.

“He never said anything about any hacking, but he is good with computers and spends a lot of time on them. I always thought he was playing games. We intend to limit him from computers,” the father of the aforementioned boy admitted.

Lapsus$ deploys several tactics to compromise systems that other threat actors use less frequently.

“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multi-factor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” said Microsoft in their blog about the tactics and techniques of Lapsus$.

Lapsus$ also prefers to use Telegram for its announcements rather than dark web forums or social media. Most recently, just after the Okta breach, the group announced on Telegram that they will be on vacation until 30 March.

Meanwhile, the group today announced a new member as chat moderator on Telegram.

Latest Statement about Okta Incident and Lapsus$

Everything started with a post in the Lapsus$ Telegram group including screenshots of Okta's admin panel. We shared the news asking whether Okta had been hacked.

An update about the incident came from David Bradbury, the CSO of Okta: “the Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.”

Okta went on to acknowledge an incident “between January 16-21, 2022, where an attacker had access to a support engineer's laptop. This is consistent with the screenshots that we became aware of yesterday”, claiming that the impact is limited to the access that support engineers have and that no customers were affected.

In response to this announcement, Lapsus$ made its own statements about the incident and Okta's post. Lapsus$ also shared the link to Okta's Security & Privacy Document hosted on okta.com and claimed that they had found AWS keys in Slack.

Okta Hacked?

Since December, we have been reading about the actions of Lapsus$. Samsung, Nvidia and Ubisoft were some of their victims. Analysts suspect that some members of the group are from South America and some from Europe.

Most recently, the group shared a screenshot on their Telegram channel showing that they had reached the Okta console.

Okta announced that they started an investigation after the hacker group shared the screenshot.

“We will provide updates as more information becomes available,” said officials of Okta.

Okta is a major single sign-on provider, and a breach can affect thousands of other companies. If verified, an attack on Okta would represent a major attack on digital supply chains. It could cause more damage than the SolarWinds incident, since most of the major applications used by Okta's customers are already integrated into their Okta interface behind a single sign-on authentication.

Thousands of Keys Leaked from Samsung’s Source Code

Another recent victim of Lapsus$ was Samsung. About 190 GB of data was stolen in the Samsung leak by Lapsus$.

According to the analysts (GitGuardian), the leaked Samsung source code contains thousands of private keys, some of which would be very useful to cybercriminals.

Analysts identified more than 6,600 private keys, usernames and passwords, and AWS, Google and GitHub keys in the leaked data. They also noted that about 90% of the keys seem to be used in internal systems, so it would be very difficult for attackers to make use of them.
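To show how analysts arrive at numbers like the ones above, here is a minimal secret scanner, added here as an example (it is not code from the original post, nor GitGuardian's tooling). It walks a constructed in-memory source tree, matches the publicly known formats of AWS access key IDs (AKIA prefix), GitHub personal access tokens (ghp_ prefix), Google API keys (AIza prefix), PEM private-key headers and hard-coded password assignments, drops obvious placeholders, redacts the matched value, and separates "cloud" keys (usable from outside) from "internal" material (keys and passwords that only work with access to the internal systems they belong to), which is the distinction the analysts draw when they say most leaked keys are internal. The file paths and credential values are constructed for the demonstration; the AWS values are the vendor's documented example key.

```python
"""Minimal secret scanner over a constructed source tree (added example)."""
import re
from dataclasses import dataclass

# Constructed sample files standing in for a leaked source tree. Every
# credential below is fabricated or a vendor-documented example value.
SAMPLE_FILES = {
    "cloud/deploy.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "ci/publish.sh": "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "mobile/maps.properties": "maps.apiKey=AIza0123456789abcdefghijklmnopqrstuvwxy\n",
    "build/signing/debug.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEAfakefakefakefake\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "internal/db_config.py": 'DB_PASSWORD = "S3cr3t-internal-only"\n',
    "tests/fixtures.py": 'password = "CHANGEME"\n',  # placeholder, must not be reported
}

# (rule name, category, pattern). "cloud" keys are usable from the internet;
# "internal" material only matters to someone who can reach the systems it
# belongs to. A capture group, when present, isolates the secret itself.
RULES = [
    ("aws-access-key-id", "cloud", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws-secret-access-key", "cloud",
     re.compile(r"(?i)aws_secret_access_key\s*=\s*[\"']([A-Za-z0-9/+=]{40})[\"']")),
    ("github-pat", "cloud", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("google-api-key", "cloud", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("pem-private-key", "internal",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("hardcoded-password", "internal",
     re.compile(r"(?i)password\s*[:=]\s*[\"']([^\"']{6,})[\"']")),
]

# Values that are clearly placeholders rather than live credentials.
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    category: str
    preview: str  # redacted: never store or print the full secret


def redact(secret: str) -> str:
    """Keep only a short prefix so a report can be shared without re-leaking."""
    return secret[:4] + "..."


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over each line of one file and return redacted findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, category, pattern in RULES:
            for match in pattern.finditer(line):
                secret = match.group(1) if match.lastindex else match.group(0)
                if secret.lower() in PLACEHOLDERS:
                    continue
                findings.append(Finding(path, line_no, rule, category, redact(secret)))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (a stand-in for walking a repo)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, mirroring the cloud-vs-internal split."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_tree(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}  {f.rule:<22} [{f.category}]  {f.preview}")
    print("summary:", summarize(results))
```

On the constructed tree the scanner reports six findings, four cloud and two internal, and ignores the CHANGEME fixture. A real run would walk the filesystem instead of a dictionary and add verification (for instance checking whether a cloud key is still active) before counting it as exploitable.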

While Lapsus$ – which seems to have members from both South America and Europe – initially attacked only Portuguese institutions, their sights have since expanded, and in a short time their name has been mentioned in connection with the Nvidia, Samsung and Ubisoft incidents.

Biggest Insider Threat – Lapsus$ Job Advertisement

A few months ago, there were reports that threat groups were contacting employees of the companies they planned to attack and asking for their help in getting inside, in exchange for a share of the proceeds. This issue seems to be getting more important every day.

Most recently, the Lapsus$ group published a job advertisement saying that they are recruiting employees working at certain companies, including Claro, Telefonica, AT&T, Microsoft, Apple and similar ones.

Insider threat is already a major risk for companies, because insiders are trusted people with access to various data and systems. Until now, we have mostly treated insider threats as individual initiatives: unhappy employees, employees seeking personal gain, careless ones who send e-mails to the wrong recipients, or untrained ones who make mistakes on production systems. But with employees who start working with threat groups, the insider threat takes on another dimension. With the support and motivation of a threat group behind them, such insiders become far more dangerous, because they know exactly what they are doing and are focused on a goal.

In the job advertisement, Lapsus$ also calls for people who are not employees but already have VPN access to these companies. This also shows the importance of third-party risk and NDA agreements: even if you take adequate precautions with your own internal users – which is never 100% possible – these third-party connections pose a great risk.

There is a lot to be done about this. As a post-incident activity, the penalties handed down in the cases that have emerged can act as a deterrent. But the most important thing, undoubtedly, should be to increase the loyalty of users to the company.