Lapsus$ Infiltrates High Profile Victims Through Employee Accounts

Diving into details

• The group deploys the RedLine password stealer to get access to session tokens and passwords.
• It buys session tokens and credentials from underground forums.
• Lapsus$, furthermore, pays employees at targeted firms for access to credentials and MFA approval.
• The gang sifts through public repositories for exposed credentials.

Major breaches 

• This week, Lapsus$ announced its breach of the identity and access management giant Okta by compromising a support engineer’s laptop. This allowed them to reset the passwords of some of their customers. The gang claimed to have admin and Superuser access to multiple systems.
• The data extortion group compromised Microsoft by hacking an employee’s account to gain limited access to repositories containing project source code. The hackers announced that they had compromised Microsoft’s Azure DevOps server. 
• Lapsus$ broke into NVIDIA’s internal network and stole sensitive data from hashed login credentials to trade secrets. 
• The gang, reportedly, abused serious flaws in the code structure and cryptographic design of the TrustZone OS that is a part of the Trusted Execution Environment (TEE) of Galaxy Smartphones. Lapsus$ extracted 190GB of sensitive data from Samsung.

Who is behind Lapsus$?

• According to Bloomberg, cybersecurity researchers traced the attacks to a 16-year-old living with his mother in England. However, they have not been able to tie every Lapsus$ hack to the teen. The alleged hacker goes by the alias “breachbase” and “White.” 
• Another gang member is suspected to be a teenager located in Brazil. The researchers detected seven unique accounts associated with the gang. This signifies that it is very likely that others are involved in the group’s operations.   
• However, Lapsus$ has poor operational security, enabling researchers to gain confidential information about the teen hackers. 

The bottom line