Stefan Prandl

LAPSUS$ has been up to some serious business

So in the last month we’ve seen a hacker group called LAPSUS$ go from being a reasonably interesting annoyance to being a true menace. LAPSUS$ came to everyone’s attention when they managed to compromise Nvidia (the graphics card designer) and steal several of their graphics card designs. They then proceeded to ransom Nvidia with the release of those designs, not for money, but to make them change their business practices. Nvidia currently uses firmware-level tricks to ensure that cryptocurrency mining on consumer graphics cards is inefficient and ineffective. This doesn’t tend to stop people from using them, but it does reduce their value for extremely high-volume mining, which theoretically means that graphics cards are easier to buy. Given the pricing, I’m not sure anyone could say it’s working particularly well though.

What this meant was that LAPSUS$ was not trying to get money directly like so many other crypto gangs do, but were trying to convince Nvidia to change their firmware to allow effective mining on consumer graphics cards. This would likely generate a lot more money through mining than LAPSUS$ could get through a ransom. As part of this, LAPSUS$ also tried to get Nvidia to open source their drivers. This is likely for a similar reason; however, it also let them pretend to be the good guys. Nvidia’s open source drivers are pretty terrible, and the open source software community can be pretty enthusiastic about open source driver software.

More recently we have learnt that LAPSUS$ has also successfully hacked Microsoft. Microsoft claims that the access was rather limited; however, LAPSUS$ has released source code they claim underpins Bing, Bing Maps, and Cortana. This is concerning as most large organisations (at least in my experience) rely on at least one piece of Microsoft software in their security stack, most commonly either Azure or Windows Defender. The fact that Microsoft, even with their security capabilities, and the people who wrote and best understand them, were unable to prevent the intrusion of these attackers or stop them from exfiltrating significant quantities of data, is somewhat concerning. It really does strongly suggest that regardless of who you are, or what security capabilities you have, you will be hacked, and it can be very bad when it does happen.

Speaking of bad, Okta has also been completely owned by LAPSUS$. That’s right, Okta the authentication company. The same guys who own Auth0, and are supposed to be the authentication/security powerhouse for the cloud. LAPSUS$ did not just gain access to Okta’s network, they gained super user access, giving them broad access to Okta’s controls and capabilities. As far as we know, this allowed them to scrape data of many clients of Okta, as well as the capability to reset passwords and (theoretically) gain access through those resets to other accounts in client organisations. One can only speculate how much access to Okta’s network has played into LAPSUS$’s current shenanigans.

Okta provided a response to these hacks that downplayed the severity of LAPSUS$’s access, and also incorrectly attributed the access that the hackers had to a compromised laptop. This resulted in LAPSUS$ correcting them on Twitter, which is never a good thing when trying to manage the reputational impact of such a hack (especially when you are supposed to be a security company). This is more of a lesson in managing optics when you are compromised: you don’t want to lie, as the attackers have Twitter accounts too, and they are also first party to the compromise!

So how have these guys gotten into all these secure networks? Brand-new zero-day attacks? Really awesome skills? Government support? No, it turns out it’s just simple low-tech social engineering. Microsoft has reported, after their investigation into how they got compromised, that LAPSUS$ is very fond of SIM swap attacks, calling helplines to gain access manually, and straight up paying people for access. If you have never heard of a SIM swap attack before, it’s nowhere near as cool as you think. It involves the attacker convincing your phone company that you have lost access to your phone and that your number needs to be transferred to a new SIM card, one the attacker controls. Generally this can be achieved with open source intelligence, mostly stuff you put on LinkedIn or on Facebook. If you’ve ever transferred your phone number between SIM cards, or between phone providers, you already know what kind of information you would need. And it definitely doesn’t help that these are skilful manipulators who can convince the generally stressed and honestly uncaring technician at the other end to just switch over the number. Once the number is theirs, every SMS and voice call meant for you, including one-time codes, arrives on their handset, so text message multi-factor authentication is bypassed outright. This is why you should ensure that multi-factor authentication in your company is done via token or application, never SMS or phone call.

Given that Okta manages authentication, one can imagine their clients are somewhat concerned right now regarding the security of their own authentication schemes. As Microsoft’s hack demonstrates, however, even if you do it right you still might get hacked. LAPSUS$ has (allegedly) been rounded up over the last few days, so it’s unlikely you’ll find them in your network anytime soon… but the threat remains. The techniques LAPSUS$ used are not sophisticated, and any motivated individual with a mobile phone can pull them off. Realistically it’s only a matter of time before the attackers are in your network too. What you need are the tools to identify where they are, what they’re up to, and whether they’ve managed to exfiltrate your web application’s source code!
