More stories


    Who are the Lapsus$ hackers and what do they want?

    A prolific hacking gang has been making a name for itself with a string of cyberattacks against a range of high-profile targets. In the space of just a few days, a group known as Lapsus$ revealed that it has stolen data from big-name organisations including Microsoft and Okta.  The aim of the Lapsus$ campaign appears to be soliciting ransom payments, with threats to leak stolen information if its extortion demands aren’t met. While this tactic is a familiar one, often used by ransomware gangs as extra leverage to force victims to pay a ransom for a decryption key, in the case of Lapsus$, there’s no sign that ransomware is part of the attacks because no data is encrypted. 

    But that doesn’t mean that the attacks aren’t damaging: Microsoft Security notes that there’s evidence of a destructive element to the attacks for victims that won’t give in to extortion demands.

    Enterprise identity and access management provider Okta is one of the biggest victims of Lapsus$, in an incident in which the company says attackers might have accessed information of around 2.5% of Okta customers, a figure that the company says represents 366 organisations. Okta disclosed the breach on March 22, and the company said it “contained” an attempted security breach in January. However, Lapsus$ has since claimed that it was able to access a support engineer’s laptop and has posted screenshots claiming access to systems. In a blog post, Okta says the laptop belonged to a support engineer working for a third-party provider and that Okta itself hasn’t been compromised. However, the company says it has contacted those affected.

    Microsoft has also confirmed that it was compromised by Lapsus$. While the company says the attackers gained limited access, the hackers have posted a torrent file claiming to hold source code from Bing, Bing Maps, and Cortana.

    While claiming Okta and Microsoft as victims has drawn eyes to Lapsus$, the group isn’t brand new, having been active since at least December 2021 and claiming a number of victims in recent months. One of the first victims of the group was the Brazilian Ministry of Health, which saw over 50TB worth of data stolen and deleted from its systems. Among this haul was data relating to the COVID-19 pandemic, including cases, deaths, vaccinations, and more. It took a month before systems were up and running again.

    Other victims of Lapsus$ attacks in recent months include a number of technology and gaming companies. In February, Nvidia fell victim to a cybersecurity incident that was attributed to Lapsus$.
    The group claims to have stolen over 1TB of data from the microchip manufacturer, including employee passwords. Another high-profile victim of Lapsus$ is Samsung, which confirmed that data had been breached in an attack, including source code relating to Samsung Galaxy smartphones. Samsung says no personal information was stolen in the attack. Lapsus$ also claims to have compromised video game developer Ubisoft. The company said it fell victim to a “cybersecurity incident” that forced password refreshes across the organisation.

    Not much is known about Lapsus$ itself, other than that it’s a cyber-criminal gang, believed to operate out of South America, that hacks into the networks of large organisations to steal data and extort payments. Unlike ransomware gangs, which use dark web leak sites to publish stolen data, Lapsus$ uses a Telegram channel to share information about its attacks, and information stolen from its victims, directly with anyone who is subscribed to it.

    When it comes to conducting attacks, Lapsus$ appears to operate like many other cyber-criminal operations: exploiting exposed remote desktop protocol (RDP) services and sending phishing emails to gain access to accounts and networks. The group also buys stolen credentials from underground forums and searches public dumps of usernames and passwords for credentials that can be used to gain access to accounts. Lapsus$ also uses its public Telegram channel to encourage potential malicious insiders to come forward with virtual private network (VPN), virtual desktop infrastructure (VDI), or Citrix credentials in exchange for an unspecified payment in an undisclosed currency.
    It’s unlikely the attacks will suddenly stop, and the group might even be emboldened after claiming several high-profile victims, but there are steps businesses can take to help avoid falling victim to cyberattacks by Lapsus$ or other criminal hacking groups. This includes securing remote-access technologies like VPN and RDP with strong, difficult-to-guess passwords and bolstering that defence with multi-factor authentication. One caveat: Microsoft’s account of the group’s tactics, reported elsewhere on this page, describes SIM-swapping and paying insiders for MFA approvals, so SMS codes and simple push prompts are weak choices against this actor, and phishing-resistant methods such as FIDO2 security keys hold up better. In addition, any users who think their account has been compromised should change their password immediately. Businesses should also train staff to identify and report phishing emails.


    This is how much the average Conti hacking group member earns a month

    The average Conti ransomware group member earns a salary of $1,800 per month, a figure that might seem low given the success of the criminal gang. On Wednesday, Secureworks published a set of findings based on the group’s internal chat logs, leaked earlier this month and pored over by cybersecurity researchers ever since.

    The internal messaging records were leaked online after Conti, tracked as Gold Ulrick by Secureworks, declared its public support for Russia’s invasion of Ukraine, an ongoing conflict.

    Conti is a prolific ransomware group suspected to be of Russian origin that has claimed hundreds of victim organizations worldwide. The group will infiltrate a network, whether independently or through the purchase of initial access on underground forums, steal data, encrypt systems, and then demand a ransom. Victims who refuse to pay may find their information leaked online. Conti’s average ransom demand is roughly $750,000, but depending on the size and annual revenue of a victim, demands can be set far higher, sometimes reaching millions of dollars.

    Check Point researchers have previously scoured the Conti chat logs and exposed a rather “mundane” operation, the type you’d expect a typical software development business to run. This included a business infrastructure offering office, hybrid, or remote work options, performance reviews, bonuses, and a hiring process for coders, testers, system administrators, and HR. While new members are interviewed, not everyone is told they are applying to work with a criminal outfit, as some ‘employee’ messages have revealed. However, they may be offered salaries far higher than the local average to stay when the truth comes out.

    According to Secureworks’ analysis of the logs, containing 160,000 messages exchanged between almost 500 individuals between January 2020 and March 2022, there were 81 people on the payroll, with an average salary of $1,800 per month.

    Payroll message to group leader Stern (Russian translation). Image: Secureworks

    While core operators likely take a far larger slice of the pie, it is estimated that the average Russian household brings in $540 per month, and so the ‘salary’ offered by cybercriminal groups could be a strong lure. Furthermore, with the value of the ruble tumbling due to international sanctions, this may entice more people to enter this market.

    In addition, Secureworks has found links between the “designated leader” of Conti, dubbed “Stern,” and other cybercriminal groups. Stern is a figure described as someone who makes “key organizational decisions, distributes payroll, manages crises, and interacts with other threat groups.” The team suspects that they also hold a leadership position in the group behind Trickbot/BazarLoader. Secureworks also found connections to the cybercriminal groups Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID), although this may just be for communication and/or collaborative purposes.

    “The chats reveal a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support,” the researchers say. “Members of groups previously believed to be distinct collaborated and frequently communicated with members of other threat groups. This interconnectivity shows these groups’ motivations and relationships. It highlights their resourcefulness and ability to leverage subject matter expertise within the groups.”

    On March 20, an unnamed researcher, believed to come from Ukraine, also published a recent version of the Conti ransomware source code. The package was uploaded to VirusTotal for the benefit of cybersecurity defense teams but may also be adapted for use by threat actors.


    Okta revises LAPSUS$ impact upwards to potentially 2.5% of customers

    Okta has again updated its blog post related to the LAPSUS$ intrusion from January, first revealed by the hacking gang on Tuesday.

    “After a thorough analysis of these claims, we have concluded that a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly,” Okta CSO David Bradbury said. “If you are an Okta customer and were impacted, we have already reached out directly by email.”

    Earlier this month in its fourth-quarter results, the company said it had 15,000 customers, 2.5% of which is 375. The company said it would be conducting a pair of technical webinars on the event on Wednesday.

    For its part, LAPSUS$ said it gained access to a superuser portal that could reset the password and multifactor authentication of 95% of clients. “For a company that supports zero-trust, support engineers seem to have excessive access to Slack? 8.6k channels?” the group said. “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.”

    The group called on Okta to hire a cybersecurity firm and to publish any report they complete. It also claimed Okta was storing AWS keys within Slack. LAPSUS$ also added that many of its members were on holidays for the rest of the month. “We might be quiet for some times,” the group said. “Thanks for understand us — we will try to leak stuff ASAP.”

    Speaking to ZDNet last week, Cisco advisory CISO Helen Patton said CISOs were separating themselves operationally from breach reporting requirements.

    “So now we’ve got lawyers who are making a decision about whether something is material enough to require a report, which is not really the spirit of the regulation. But I’ve seen it in Australia, and I’m seeing it overseas as well,” she said. “This is a coping mechanism because the reporting requirements are sort of vague.”

    Patton said due to legal folk wanting to contain events as much as possible, they would start low and escalate the impact of events rather than starting high and walking back. “That puts the rest of us at risk, actually,” the advisory CISO said. “So the question is, what is the right level to go with? Do you oversell it or undersell it, in order to not only protect yourself, but protect the ecosystem that you’re working in?”

    “We are rewarded by underselling … in a lot of ways reputationally, legally, but from a risk perspective, we might want to actually oversell it because that gets more people on alert faster and hopefully gives you a faster response.”

    Patton said companies that issued multiple upwards revisions could appear as though they did not know what they were doing. “It’s not until you’ve had a certain amount of time to explore the incident, respond to the incident, learn from the incident that you really have good quality information,” she said. “But our regulators want us to tell them immediately when something looks funny. And there’s lots of things that look funny in our environments, because our environments they’re inherently odd.

    “They’re going to get a lot of really bad signals early on, and we’re going to have to work out how do you talk about that publicly when the information is really asymmetrical in terms of what you know, and what’s actually happening. It’s a problem.”

    Updated at 01:35pm AEDT, 23 March 2022: Added further information on LAPSUS$.


    Microsoft confirms LAPSUS$ hit account with limited access after gang released alleged Bing and Cortana source

    Microsoft has confirmed the hacking gang LAPSUS$ was able to compromise an account with limited access, but has left the question of source code exfiltration hanging in the air.

    “No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft said. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.

    “Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

    On Tuesday, LAPSUS$ posted a torrent file claiming to contain source code from Bing, Bing Maps, and Cortana. “Bing maps is 90% complete dump. Bing and Cortana around 45%,” the group said.

    Microsoft’s confirmation of the compromise was contained in a blog post, which listed the techniques of the group. “Their tactics include phone-based social engineering: SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft said. “Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

    The group, named DEV-0537 by Microsoft, has been observed exploiting vulnerabilities in Confluence, JIRA, and GitLab to elevate privileges, calling helpdesks to get passwords reset, stealing Active Directory databases, and using NordVPN to appear to be in the same geography as its targets.

    “If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537 creates Global Admin accounts in the organization’s cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly-created account, and then removes all other Global Admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access,” Microsoft said.

    “After exfiltration, DEV-0537 often deletes the target’s systems and resources. We’ve observed deletion of resources both on-premises (for example, VMWare vSphere/ESX) and in the cloud to trigger the organization’s incident and crisis response process.”

    The group has also used internal messaging services to understand how victims are reacting. “It is assessed this provides DEV-0537 insight into the victim’s state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands,” Microsoft said. “Notably, DEV-0537 has been observed joining incident response bridges within targeted organizations responding to destructive actions. In some cases, DEV-0537 has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made and DEV-0537 publicly leaked the data they stole.”

    In the past 24 hours, LAPSUS$ also claimed to have hit Okta. In response, Okta said the group had access to a support engineer’s laptop over a five-day period. Retorting to Okta, the group said the compromised device was a thin client, and that it gained access to a superuser portal that could reset the password and multifactor authentication of 95% of clients. “For a company that supports zero-trust, support engineers seem to have excessive access to Slack? 8.6k channels?” the group said. “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.” The group called on Okta to hire a cybersecurity firm and to publish any report they complete. It also claimed Okta was storing AWS keys within Slack.
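    The cloud-tenant takeover sequence Microsoft describes above (a new Global Admin, a tenant-wide mail copy rule pointed at it, then the removal of every other Global Admin) is unusually loud in audit logs, and correlating the three steps is a practical detection. The Python below is an added example written for this page, not Microsoft’s or the page’s own tooling. The sample audit records are constructed; their shape is a simplified stand-in for Microsoft 365 unified audit log entries (the Operation names are modelled on the ones those logs use, but the rest of the field layout is an assumption), and the contoso.example accounts are placeholders.

```python
"""Correlate the three stages of the DEV-0537 tenant-takeover sequence.

Added example for this page, not Microsoft's or the page's own tooling.
Records are CONSTRUCTED and only loosely modelled on Microsoft 365 unified
audit log entries; field names and the contoso.example accounts are assumptions.
"""
from datetime import datetime, timedelta

GLOBAL_ADMIN = "Global Administrator"
# Transport-rule parameters that deliver a copy of (or redirect) matching mail.
MAIL_COPY_PARAMS = ("BlindCopyTo", "RedirectMessageTo", "CopyTo")

# Constructed sample: an admin session adds a new Global Administrator, that
# account creates two rules copying all inbound and outbound external mail to
# itself, then strips the role from the other admins.
SAMPLE_LOG = [
    {"CreationTime": "2022-03-20T02:11:04", "Operation": "Add member to role.",
     "UserId": "admin@contoso.example", "Target": "svc-backup@contoso.example",
     "Role": GLOBAL_ADMIN},
    {"CreationTime": "2022-03-20T02:14:30", "Operation": "New-TransportRule",
     "UserId": "svc-backup@contoso.example",
     "Parameters": {"Name": "Archive-In", "FromScope": "NotInOrganization",
                    "BlindCopyTo": "svc-backup@contoso.example"}},
    {"CreationTime": "2022-03-20T02:15:10", "Operation": "New-TransportRule",
     "UserId": "svc-backup@contoso.example",
     "Parameters": {"Name": "Archive-Out", "SentToScope": "NotInOrganization",
                    "BlindCopyTo": "svc-backup@contoso.example"}},
    {"CreationTime": "2022-03-20T02:18:52", "Operation": "Remove member from role.",
     "UserId": "svc-backup@contoso.example", "Target": "admin@contoso.example",
     "Role": GLOBAL_ADMIN},
    {"CreationTime": "2022-03-20T02:19:01", "Operation": "Remove member from role.",
     "UserId": "svc-backup@contoso.example", "Target": "ciso@contoso.example",
     "Role": GLOBAL_ADMIN},
]


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def detect_tenant_takeover(records, window=timedelta(hours=24)):
    """Return one finding per Global Administrator grant.

    Each finding lists the mail rules that copy mail to the new admin and the
    other Global Administrators removed within `window` after the grant, plus a
    severity: 'high' when all three stages are present, 'medium' for the grant
    plus one of the other stages, 'low' for the grant alone.
    """
    records = sorted(records, key=_ts)
    findings = []
    for grant in records:
        if grant["Operation"] != "Add member to role." or grant.get("Role") != GLOBAL_ADMIN:
            continue
        new_admin = grant["Target"]
        t0 = _ts(grant)
        later = [r for r in records if t0 < _ts(r) <= t0 + window]

        # Stage 2: a transport rule that copies or redirects mail to the new admin.
        mail_rules = [
            r["Parameters"]["Name"] for r in later
            if r["Operation"] in ("New-TransportRule", "Set-TransportRule")
            and any(r["Parameters"].get(p) == new_admin for p in MAIL_COPY_PARAMS)
        ]
        # Stage 3: other Global Administrators stripped of the role.
        removed_admins = [
            r["Target"] for r in later
            if r["Operation"] == "Remove member from role."
            and r.get("Role") == GLOBAL_ADMIN and r["Target"] != new_admin
        ]
        stages = 1 + bool(mail_rules) + bool(removed_admins)
        findings.append({
            "new_admin": new_admin,
            "granted_by": grant["UserId"],
            "mail_rules": mail_rules,
            "removed_admins": removed_admins,
            "severity": {1: "low", 2: "medium", 3: "high"}[stages],
        })
    return findings


if __name__ == "__main__":
    for f in detect_tenant_takeover(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['new_admin']} granted Global Administrator by "
              f"{f['granted_by']}; mail rules {f['mail_rules']}; "
              f"removed admins {f['removed_admins']}")
```

    The value of the correlation is that a stray role grant on its own is routine, while a grant followed by a tenant-wide mail copy rule and the removal of the remaining admins is the lockout Microsoft describes. In practice you would also alert on any removal from Global Administrator that leaves fewer than two holders of the role, regardless of what preceded it, and keep a break-glass account outside the normal admin set so the tenant cannot be locked out by deleting the others.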


    White House warns: Do these 8 things now to boost your security ahead of potential Russian cyberattacks

    It’s one thing for tech companies to urge users to enable multi- or two-factor authentication, but now the White House is urging all US organizations to do it because of potential cyberattacks ahead. Two-factor or multi-factor authentication (MFA) was a concept that needed to be explained carefully to the public a few years ago. It’s an approach to cybersecurity that requires users to sign in to an account with something they physically possess, such as a phone, in addition to a password.


    Most companies don’t use it, even when it’s readily available, according to previously reported data from Microsoft, because they prioritize easy access to information over security.

    But with the Russian invasion of Ukraine happening now, the US government has told all organizations that MFA is a must. “Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system,” the White House has warned.

    The message comes as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) ramp up warnings about Russian hacking of everything from online accounts to satellite broadband networks. CISA’s current campaign is called Shields Up, which urges all organizations to patch immediately and secure network boundaries. President Biden said the warnings around improving tech security were “based on evolving intelligence that the Russian government is exploring options for potential cyberattacks.”

    CISA has led most of the US’s efforts and, under the cyber incident reporting law signed earlier this month, will be able to require critical infrastructure owners and operators to report significant cyber incidents within 72 hours and ransomware payments within 24 hours once its implementing rules are in place. The White House, however, has now urged all organizations, even those that are not considered critical infrastructure, to beef up their defenses.

    “We accelerated our work in November of last year as Russian President Vladimir Putin escalated his aggression ahead of his further invasion of Ukraine,” the White House said in a statement. “The US government will continue our efforts to provide resources and tools to the private sector, including via CISA’s Shields-Up campaign.”

    It’s rare for the leader of any country to urge everyone to step up cybersecurity defenses. Biden has used executive orders to compel federal agencies to patch software, but the new message urges the private sector to do the same.

    Beyond the use of multi-factor authentication, the White House also urged companies to take seven other steps:

    • Deploy modern security tools on your computers and devices to continuously look for and mitigate threats
    • Make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors
    • Back up your data and ensure you have offline backups beyond the reach of malicious actors
    • Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack
    • Encrypt your data so it cannot be used if it is stolen
    • Educate your employees to common tactics that attackers will use over email or through websites
    • Work with FBI and CISA to establish relationships in advance of any cyber incidents


    Social engineering attacks to dominate Web3, the metaverse

    Researchers predict that a surge in social engineering attacks will dominate web3 and the metaverse. 

    Web3 is the term coined for what could become the next face of the internet. The web has shifted from pages containing content to the growth of social media, and now, the concept of a decentralized internet is being discussed under the Web3 banner. Part of this transformation could include the ‘metaverse’, a 3D environment and virtual world for facilitating social connections, whether personal or for work. Your ID in the metaverse may also end up linked to cryptocurrency wallets, non-fungible tokens (NFTs), and various smart contracts.

    As technology vendors work on these concepts, cybersecurity researchers from Cisco Talos have offered their perspective on the potential threats Web3 and the metaverse will face. The recent phishing wave experienced by OpenSea users, in which victims were duped into signing off on malicious contract transactions and handing over their NFTs, highlights the forms of attack we may see more commonly in the future.

    The first issue discussed by the team is the use of the Ethereum Name Service (ENS) and potentially upcoming similar services that are used to compact wallet addresses into a format that can be remembered easily. As people speculate on the potential future value of ENS domains and register them, such as ‘businessname.eth’, these addresses could be used as leverage in phishing attacks, especially as ENS domains are recorded on the blockchain and cannot be removed through trademark disputes easily.

    “It may come as no surprise that ENS domains such as cisco.eth, wellsfargo.eth, foxnews.eth and so on are not actually owned by the respective companies who possess these trademarks, but rather they are owned by third parties who registered these names early on with unknown intentions,” Talos says. “The risk here is obvious.”

    In addition, those that register an ENS domain may use their real names, deanonymizing an address and signaling to others what funds an individual has in their cryptocurrency wallet, potentially increasing their risk of being selectively targeted by a threat actor. A brief search by Cisco Talos on ENS domain holders who publicized their address revealed a number of ‘whales’ holding vast amounts of cryptocurrency and some rather lucrative NFTs. A number of holders also reveal their home towns, full names, and social media profiles, giving attackers a broader picture of individuals to target in social engineering attacks.

    “For many, identifying their real-world identities and physical locations starting from the ENS domain and Twitter account was almost trivial,” the researchers say.

    As Web3 is a new concept that users will need time to learn about, a general lack of education may also make individuals more susceptible to scams and fraud. “Unfamiliar technology can often lead users into making bad decisions,” Cisco Talos says. “Web3 is no exception. The vast majority of security incidents affecting Web3 users stem from social engineering attacks.”

    In addition, wallet cloning, already a threat in practice, may become a more popular attack method in the future. This requires victims to give up their seed phrase, the secret from which a wallet’s keys are derived and which is used to recover a lost wallet. It may be requested through social engineering, by posing as customer support, or by tricking wallet holders into fake verification processes.

    While Web3 is still in development, it is worth taking the time to familiarise yourself with this technology, especially if you plan to explore the decentralized world in the future. Cisco Talos also recommends basic security measures such as password managers and multi-factor authentication (MFA), and most importantly, never handing over your seed phrase.


    Android app downloaded 100,000 times from Google Play Store contained password-stealing malware, say security researchers

    Google has removed an app with over 100,000 downloads from its Play Store after security researchers warned that it harvested the Facebook credentials of smartphone users. Researchers at French mobile security firm Pradeo said the app embeds an Android trojan known as “Facestealer”, so named because it dupes victims into typing their Facebook credentials into a web page that transmits them to the attacker’s server, a domain that was registered in Russia. If a user enters their credentials, the makers of the app then have full access to the victim’s Facebook account, including any linked payment information, such as credit card details, as well as the user’s conversations and searches, according to Pradeo.


    “It mimics the behaviors of popular legitimate photo editing applications. In fact, it has been injected with a small piece of code that easily slips under the radar of store’s safeguards,” Pradeo says in a blogpost.

    The app ‘Craftsart Cartoon Photo Tools’ was billed as a tool that lets people “turn stunning looks from real cameras into paintings and cartoons” using advanced artificial intelligence and machine learning. However, Android users themselves appear to have detected problems with the app, validating the idea that users should always read reviews before installing an app. “Totally fake. The way it was advertising seems like useful. Then find out just a few filter effects for any photo,” wrote one user in March. “No cartoonization anywhere. Don’t download,” wrote another.

    After users open the bogus photo-editing app, it opens a Facebook login page that requires them to sign in before they can use the app. The credentials are then transmitted to the app owner’s server.

    Google encourages Android users to only install apps from its app store. However, research has shown that malicious apps can make their way into the Google Play store. Google confirmed to ZDNet that the app has been removed from the Play Store and the developer banned. Pradeo in December raised an alarm about Joker malware being distributed on the Play Store that had been installed by over 500,000 users. That malicious app attempted to defraud users through premium mobile services and unwanted ads.


    Okta says breach evidence posted by Lapsus$ hackers linked to January 'security incident'

    Okta says that a rapid investigation into the sharing of screenshots appearing to show a data breach relates to a “contained” security incident that took place earlier this year.  Okta, an enterprise identity and access management firm, launched an inquiry after the LAPSUS$ hacking group posted screenshots on Telegram that the hackers claimed were taken after obtaining access to “Okta.com Superuser/Admin and various other systems.”
    The images were shared over Telegram and various social media networks this week. 

    “For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor[…],” LAPSUS$ said. “Before people start asking, we did not access/steal any databases from Okta — our focus was only on Okta customers.”

    In an emailed statement on Tuesday, Okta said the screenshots shared online “appear to be connected to a security event in late January.” Okta said: “In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event.” “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Okta added.

    In a tweet, Cloudflare CEO Matthew Prince added to the discussion, commenting: “We are aware that Okta may have been compromised. There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.”

    Lapsus$ is a hacking group that has quickly risen through the ranks by allegedly breaking into the systems of high-profile companies, one after the other, in order to steal information and threaten to leak it online unless blackmail payments are made. Recent breaches connected to the group include those experienced by Samsung, Nvidia, and Ubisoft. On Sunday, a screenshot was shared that suggested an alleged Microsoft breach may have taken place, potentially via an Azure DevOps account, although the post has since been deleted. Microsoft is investigating.

    Based in San Francisco, Okta is a publicly traded company with thousands of customers, including numerous technology vendors. The company counts FedEx, Moody’s, T-Mobile, JetBlue, and ITV among its clients.

    “Lapsus$ is known for extortion, threatening the release of sensitive information, if demands by its victims are not made,” commented Ekram Ahmed, spokesperson at Check Point. “The group has boasted breaking into Nvidia, Samsung, Ubisoft and others. How the group managed to breach these targets has never fully been clear to the public. If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent string [of] successes.”