Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label LAPSUS$. Show all posts
User Security
Cyber Crime LAPSUS$ Teen Hackers Threat Landscape User Security

Advanced Persistent Teenagers: A Rising Security Threat

 

If you ask some of the field's top cybersecurity executives what their biggest concerns are, you might not expect bored teenagers to come up. However, in recent years, this totally new generation of money-motivated hackers has carried out some of the biggest hacks in history and shows no signs of slowing. 

Meet the "advanced persistent teenagers," as stated by the security community. These are skilled, financially motivated attackers, such as Lapsus$ and Scattered Spider, who have proven capable of digitally breaching into hotel companies, casinos, and tech behemoths.

The hackers can deceive unsuspecting employees into giving over their company passwords or network access by using strategies such as believable email lures and convincing phone calls posing as a company's support desk. 

These attacks are extremely effective, have resulted in massive data breaches impacting millions of individuals, and have resulted in large ransoms paid to make the hackers vanish. By displaying hacking capabilities previously limited to only a few nation states, the threat from idle teenagers has forced numerous companies to confront the reality that they don't know if the personnel on their networks are who they say they are, and not a sneaky hacker. Has the threat posed by idle teens been understated, according to two respected security veterans? 

“Maybe not for much longer,” noted Darren Gruber, technical advisor in the Office of Security and Trust at database giant MongoDB, during an onstage panel at TechCrunch Disrupt. “They don’t feel as threatened, they may not be in U.S. jurisdictions, and they tend to be very technical and learn these things in different venues.”

Plus, a key automatic advantage is that these threat groups also have a lot of time on their hands. “It’s a different motivation than the traditional adversaries that enterprises see.” Gruber has dealt with a few of these threats directly. There was no evidence of access to client systems or databases, however an intrusion at the end of 2023 in MongoDB resulted in the theft of certain metadata, such as customer contact information. 

According to Gruber, the attack mirrored Scattered Spider's strategies, and the vulnerability was reportedly minimal. "The attackers posed to be employees and used a phishing lure to get into MongoDB's internal network," he claimed.
Read more »
Sensitive Information
British Cyber Laws Data Breach GamePlayerFramework Gaming Community LAPSUS$ Online Gaming Sensitive Information

GTA 6 Hacker: Life in Secure Hospital for Cybercrime Intent

The teenage hacker who leaked details about Grand Theft Auto 6 (GTA 6) is now facing a life sentence in a guarded institution, which is a surprise development. The person, identified as Lapsus, was placed under an indefinite hospital order because of worries that he would quickly return to his cybercrime operations.

The 18-year-old hacker gained notoriety for infiltrating Rockstar Games' highly anticipated GTA 6, leaking sensitive information and gameplay details to the public. His actions sparked a global uproar among gaming enthusiasts and raised questions about the vulnerability of major gaming studios to cyber threats.

Lapsus's fate took a unique twist as the court deemed him a significant cybersecurity threat, deciding to confine him to a secure hospital for an indefinite period. The severity of this sentence underscores the gravity of cybercrimes and the potential harm they can inflict on individuals and industries.

The court's decision was fueled by Lapsus's explicit intent to resume cybercriminal activities as soon as possible, as revealed during the trial. This alarming revelation highlights the challenges authorities face in deterring individuals with advanced hacking skills from engaging in illegal activities, especially when they show a clear determination to persist.

Many well-known media outlets reported on the case, highlighting the gravity of the hacker's misdeeds and providing details about the court procedures. For example, it was pointed out that the hacker's declared intention to immediately return to cybercrime is closely correlated with the decision to house him in a secure facility for the rest of his life. nevertheless, emphasized the temporary nature of the hospital order and the serious danger that Lapsus posed.

The case's implications stretch beyond the gaming community and serve as a sobering reminder of the continuous fight against cybercrime on a worldwide scale. highlighted the incident's worldwide ramifications in particular, drawing attention to the British juvenile hacker's acts and the eventual imposition of a life sentence in a guarded institution.

As The Verge pointed out, Lapsus's sentencing blurs the line between traditional imprisonment and confinement in a secure hospital, reflecting the unique challenges posed by hackers with the potential to cause significant digital harm. Security Affairs further delved into the case's specifics, providing insights into the legal aspects and the implications for future cybercrime prosecutions.

The GTA 6 hacker's sentence serves as an urgent alert regarding the evolving nature of cyber threats and the steps law enforcement must take to protect the public from those seeking to take advantage of technological weaknesses. The life sentence in a secure facility emphasizes how dangerous people who possess sophisticated hacking abilities and a strong desire to commit cybercrime again pose.


Read more »
youth crime
Cyber Crime FBI hacking ring LAPSUS$ The Com The Community youth crime

The Com: Youth Hacking Ring Executing High-profile Cybercrimes


A new threat actor community recently came to light. carrying out some malicious cyberattacks.

The online community, labelled as ‘the Com,’ apparently consist of young skilled hackers who are carrying out sophisticated campaigns and high-profile breaches. 

The hackers, who are primarily teenagers and young adults are not only executing malicious attacks but also bragging about their operations in a language filled with racist and misogynistic slurs. 

The cybersecurity researchers, who have been studying and monitoring the Com activities have urged policymakers and the cybersecurity community to confront the issue more seriously and take strong actions against the youth-led cybercrime group. While, in comparison to cybercriminal networks, state-backed hackers build a more high-profile case, recent instances of breaches led by new-generation hackers shall not be underestimated. 

One of the instances being the high-profile breach that recently shook the operations of Las Vegas resorts, including Caesars Entertainment and MGM Resorts is believed to be the doing of threat actors called “Star Fraud,” one of the subgroups of the Com. These assaults show how dangerous and serious the larger Com ecosystem is. 

The Caesars and MGM attacks were attributed to ALPHV, a Russian-based ransomware-as-a-service organization related to other attacks. The moniker "Scattered Spider," which has been linked to the attacks, is inaccurate, according to the researchers at the LABScon conference, as it combines a number of competing organizations from the Com ecosystem. Despite having similar strategies, these groups are different and might even face off against one another.

However, this does not stop here. In the past two years, some members of the threat group behind cyberattacks in corporate giants like Nvidia, Samsung, and Microsoft – Lapsus$ – are believed to have originated from the Com ecosystem. 

This incident further highlighted the reach of cybercrime on young minds. In August 2023, a Cyber Safety Review Board report on Lapsus$ suggested an investigation to Congress to explore funding programs in order to prevent juvenile cybercrime. 

In regards to the issue, the FBI has also conducted an investigation on the individuals linked with the Com for alleged cybercrime activities. 

The Com has been connected to a number of illegal activities, including swatting, SIM swapping, bitcoin theft, and even real-world assault. These young cybercriminals are skilled at social engineering, taking advantage of their fluency in English to trick IT support desks and steal crucial company credentials.

The researchers also caution that these young hackers are now working together with international ransomware syndicates, which have a history of extorting millions of dollars globally. The question of how harmful online communities can radicalize children is comparable to how Com plays a role in luring young hackers into a life of cybercrime. The researchers contend that the radicalization these hackers experience is focused on cybercrime and evolving into their worst selves.  

Read more »
uber
Data Breach Data Theft LAPSUS$ New Technology Online crimes uber

Former Uber CSO Convicted for Covering up 2016 Data Breach

 

Uber's former chief security officer, Joe Sullivan, has been found guilty of illegally trying to cover up a 2016 data breach in which threat actors accessed 57 million Uber drivers' and customers' sensitive credentials. 

Sullivan is a former cybercrime prosecutor officer of the US Department of Justice. A federal jury in San Francisco convicted him of obstructing justice and misprision – concealing a felony from law enforcement. 

On November 21, 2017, Uber CEO Dara Khosrowshahi released a statement in which he acknowledged that miscreants had broken into the app giant's infrastructure and made off with 57 million customer and driver records. As a result of it Sullivan, along with legal director of security and law enforcement Craig Clark was fired. 

"Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber," the U.S. attorney's office said. 

Sullivan’s trial began days before when the news broke that Uber had been hacked again. Uber said the group of hackers LAPSUS$  is running a campaign against Uber. 

The group accessed and stole data of an employee’s login credential to gain wide-ranging access to Uber’s internal systems including the company’s Amazon Web Services console, Google Workspace admin dashboard for managing the Uber email accounts, VMware vSphere/ESXi virtual machines, Slack server, and bug bounty program portal. However, Uber confirmed that the hackers did not gain access to the sensitive data of customers. 

In the case of the 2016 data breach, Uber had to make two $50,000 payments to the intruders in December 2016. A month later, after managing to identify one of the attackers from the group, an Uber representative met the man in Florida and had him sign a confidentiality agreement. 

"Technology companies in the Northern District of California collect and store vast amounts of data from users. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” U.S. Attorney Stephanie M. Hinds said in a statement.
Read more »
User Privacy
Cyber Crime Flashpoint LAPSUS$ Online Gaming uber United Kingdom User Privacy

Teen Hacking Suspect Arrested by London Police for GTA 6 and Uber Breach

A 17-year-old Oxfordshire kid was detained on suspicion of hacking, according to information released by the City of London Police on Friday.

According to experts, the recent security breaches at Uber and Rockstar Games may have something to do with the arrest.

On September 18, a cyber threat actor identified as the 'teapotuberhacker' claimed to have hacked Rockstar Games, the company behind the well-known and contentious Grand Theft Auto (GTA) franchise, in a post on GTAForums.com. Teapotuberhacker claimed to have taken 90 movies of alpha material and the source code for Grand Theft Auto VI and its predecessor GTA V from Rockstar in that post, which has since been removed.

Notably, a 17-year-old Oxford boy was among the seven minors who were detained. The Oxford teenager was detained after other hackers posted his name and address online. The boy had two internet aliases: 'Breachbase' and 'White'. According to the reports, the boy had earned about $14 million via data theft. 

Further information concerning the inquiry was kept under wraps by the UK authorities. 

Seven adolescents were detained and later freed by City of London police in connection with a probe into the Lapsus$ hacking organization this spring.

Uber released more information regarding the latest security breach earlier this week. According to the firm, the threat actor responsible for the intrusion is connected to the LAPSUS$ hacker organization.

Flashpoint, a security company, presented a report of the Grand Theft Auto VI data breach this week and disclosed that the name of the hacker responsible for the two attacks had been made public on a dark web forum.

The forum administrator claimed that teapotuberhacker was the same guy who had allegedly hacked Microsoft and owned Doxbin in the debate, which was titled 'The Person Who Hacked GTA 6 and Uber is Arion,' according to the story that was published by FlashPoint.

If these claims are true, which is not entirely apparent, it will assist in explaining the most recent incident that law police conducted.
Read more »
VPN
Cisco Data Breach LAPSUS$ MFA Russian Hackers Supply Chain Attack VPN

Ransomware Exposed Stolen Data From Cisco on Dark Web

Yanluowang ransomware Gang has published Cisco Systems' stolen data on the dark web and following the data leak, Cisco confirmed that the data was stolen from its network during an intrusion that took place in May. 

Cisco Security Incident Response (CSIRT) conducted an investigation wherein it was found that the attackers acquired control of a personal Google account that had the credentials saved in the browser. The threat actors compromised these credentials to launch voice phishing attacks. The idea behind the attacks was to lure the targeted employee into accepting the MFA notification. 

Cisco revealed in a report published in August that the firm's networks had been infiltrated by the Yanluowang ransomware after hackers gained access to an employee's VPN account. The company further asserted that the only information taken was employee login information from Active Directory and non-sensitive files saved in a Box account.

Once the threat actors obtained the employee's Cisco credentials, the hackers employed social engineering and other techniques to get beyond multi-factor authentication (MFA) and gather more data.

After gaining initial access, the hackers registered a list of new devices for MFA, authenticated effectively to the Cisco VPN, and dropped multiple tools in the victim network including RATs such as LogMeIn, TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket, as per Security Affairs. 

Over the weekend, Cisco said in an update that "the content of these files matched what we have detected and released.  We continue to see no effect on the business, including Cisco goods or services, confidential customer data or sensitive employee data, copyrights, or supply chain activities, which is consistent with our previous examination of this incident."

The researchers at the cybersecurity firm eSentire linked Yanluowang with "Evil Corp" (UNC2165), the Lapsus$ gang, and FiveHands malware (UNC2447).

The hacked Google account of an employee that had enabled password synchronization through Google Chrome and saved their Cisco details in the browser allowed the thieves to initially access the Cisco VPN.

The leader of Yanluowang ransomware told BleepingComputer that they had stolen thousands of files totaling 55GB from a cache that contained sensitive information including technical schematics and source code. The hacker did not offer any evidence. The only thing they provided was a screenshot showing access to what seemed like a development system. 

Erich Kron, security awareness advocate at security awareness training company KnowBe4 implies that it goes unsaid that Cisco decided against paying the ransom demanded by the ransomware group, which resulted in the stolen data being posted. 


Read more »
Yanluowang Ransomware
Cisco Data Breach LAPSUS$ MFA VPN Yanluowang Ransomware

Ransomware Gang Hacks Cisco

The Yanluowang ransomware organization broke into Cisco's business network in late May and stole internal data, the company said in a statement.

Hacker's compromised a Cisco employee's credentials after taking over a personal Google account where credentials saved in the victim's browser were being synced, according to an investigation by Cisco Security Incident Response (CSIRT) and Cisco Talos.

Cisco claims that an attacker targeted one of its employees and was only successful in stealing files from a Box folder linked to that employee's account and employee authentication information from Active Directory. According to the company, the data kept in the Box folder wasn't sensitive.

The Yanluowang threat actors hijacked a Cisco employee's personal Google account, which contained credentials synchronized from their browser, and used those credentials to enter Cisco's network.

Through MFA fatigue and a series of sophisticated voice phishing assaults carried out by the Yanluowang gang under the guise of reputable assistance businesses, the attacker persuaded the Cisco employee to accept multi-factor authentication (MFA) push alerts.

Cisco has linked the attack to an initial access broker with ties to Lapsus$, the gang that attacked several major corporations before its alleged members were apprehended by law enforcement, as well as threat actor UNC2447, a group with ties to Russia known for using the ransomware FiveHands and HelloKitty. The Yanluowang ransomware group has also been connected to the initial access broker.

In actuality, the Yanluowang ransomware organization claimed responsibility for the attack and said it had stolen about 3,000 files totaling 2.8Gb in size. According to the file names the hackers have disclosed, they may have stolen NDAs, source code, VPN clients, and other data.

The attack did not use ransomware that encrypts files. After being removed from Cisco's systems, the hackers did email Cisco executives, but it didn't contain any explicit threats or demands for ransom.






Read more »
LAPSUS$
Cyber campaign Data Breach data steal LAPSUS$

Lapsus$ Targeting SharePoint, VPNs and Virtual Machines

NCC Group on Thursday released a report in which it has described the techniques and tactics of the highly unpredictable Lapsus$ attacks, along with how Lapsus$ attacks are launched and what makes it such a unique group. 

The group currently gave up its operation following the arrests of alleged members in March. The attacks launched by the group remain confusing in both their motives and their methods. The group is known for targeting world-famous companies including Microsoft, Nvidia, Okta, and Samsung. 

According to the report, Lapsus$ used stolen authentication cookies, specifically ones used for SSO applications, to initially get access into targeted systems. With this, the threat actors also scraped Microsoft SharePoint sites used by target organizations to get credentials within technical documentation. 

"Credential harvesting and privileged escalation are key components of the LAPSUS$ breaches we have seen, with the rapid escalation in privileges the LAPSUS$ group has been seen to elevate from a standard user account to an administrative user within a couple of days," the report said. 

Following the report, it has been learned that a major goal of the group is to exploit corporate VPNs, capitalizing on their increased use of them over the last few years. 

"Access to corporate VPNs is a primary focus for this group as it allows the threat actor to directly access key infrastructure which they require to complete their objectives. In our incident response cases, we saw the threat actor leveraging compromised employee email accounts to email helpdesk systems requesting access credentials or support to get access to the corporate VPN," the report further read. 

The Group has grown in just a few months from launching a handful of sensitive attacks that were designed to steal and publish the source code of multiple top-tier technology companies. Sometimes the group is referred to as a ransomware group in reports, however, Lapsus$ is also known for not deploying ransomware in extortion attempts.
Read more »
Telegram
Atlas VPN Cyber Attacks Darkweb LAPSUS$ NVIDIA Sensitive Data Leak SIM Swapping T-Mobile Telegram

T-Mobile Reveals its Security Systems were Hacked via Lapsus$ Hackers

 

T-Mobile acknowledged on Friday it had been the subject of a security compromise in March when the LAPSUS$ mercenary group gained access to its networks. The admission occurred after investigative journalist Brian Krebs published internal chats from LAPSUS$'s key members, revealing the group had infiltrated the company many times in March previous to the arrest of its seven members. 

After analyzing hacked Telegram chat conversations between Lapsus$ gang members, independent investigative journalist Brian Krebs first exposed the incident. T-Mobile said in a statement the breach happened "a few weeks ago" so the "bad actor" accessed internal networks using stolen credentials. "There was no customer or government information or any similarly sensitive information on the systems accessed, and the company has no evidence of the intruder being able to get anything of value," he added.

The initial VPN credentials were allegedly obtained from illegal websites such as Russian Market in order to get control of T-Mobile staff accounts, enabling the threat actor to conduct SIM switching assaults at anytime. 

The conversations suggest how LAPSUS$ had hacked T-Slack Mobile's and Bitbucket accounts, enabling the latter to obtain over 30,000 source code repositories, in addition to getting key to an internal customer account management application called Atlas. In the short time since it first appeared on the threat scene, LAPSUS$ has been known for hacking Impresa, NVIDIA, Samsung, Vodafone, Ubisoft, Microsoft, Okta, and Globant. 

T-Mobile has acknowledged six previous data breaches since 2018, including one in which hackers gained access to data linked to 3% of its members. T-Mobile acknowledged it had disclosed prepaid customers' data a year later, in 2019, and unknown threat actors had acquired access to T-Mobile workers' email accounts in March 2020. Hackers also acquired access to consumer private network information in December 2020, and attackers accessed an internal T-Mobile application without authorization in February 2021. 

According to a VICE investigation, T-Mobile, unsuccessfully, tried to prevent the stolen data from being posted online after paying the hackers $270,000 through a third-party firm in the aftermath of the August 2021 breach. After its stolen sensitive information turned up for sale on the dark web, the New York State Office of the Attorney General (NY OAG) alerted victims of T-August Mobile's data breach would face elevated identity theft risks. 

The City of London Police announced earlier this month as two of the seven adolescents arrested last month for alleged potential connections to the LAPSUS$ data extortion group, a 16-year-old, and a 17-year-old had been charged.
Read more »
Social Security Number
Data Breach Healthcare Hacking LAPSUS$ Microsoft NVIDIA Ransomware Threat Samsung Social Security Number

LAPSUS$ Group Targets SuperCare Health

 


SuperCare Health, a California-based respiratory care provider, has revealed a data breach that exposed the personal details of over 300,000 patients. Someone had access to specific systems between July 23 and July 27, 2021. By February 4, the company had assessed the scope of the data breach, learning the attackers had also acquired patient files including sensitive personal information such as:
  • Names, addresses, and birth dates.
  • A medical group or a hospital.
  • Along with health insurance details, a patient's account number and a medical record number are required. 
  • Data about one's health, such as diagnostic and treatment information. 
  • A small number of people's Social Security numbers and driver's license information were also revealed. 

"We have no reason to suspect any information was published, shared, or misused," according to SuperCare Health, but all possibly impacted patients should take extra security precautions to avoid identity theft and fraud. 

On March 25, the company notified all affected customers and implemented extra security steps to prevent the following breaches. The breach has affected 318,379 people, according to the US Department of Health and Human Services. Based on the number of people affected, this is presently among the top 50 healthcare breaches disclosed in the last two years. SuperCare Health further told, "We have reported the event to a Federal Bureau of Investigation and it will cooperate to help us identify and prosecute those involved." 

In the last several months, several healthcare institutions have revealed massive data breaches. Monongalia Health System (400,000 people affected), South Denver Cardiology Associates (287,000 people affected), Norwood Clinic (228,000 people affected), and Broward Health (228,000 people affected) are among the organizations on the list (1.3 million). 

Last week, the Health Department issued an advisory to healthcare groups, warning companies about the impact of a major cybercrime attack by the Lapsus$ cybercrime group. In recent months, the hackers have targeted Samsung, NVIDIA, Vodafone, Ubisoft, Globant, Microsoft, and Okta, among others. The organization takes information, often source code, and threatens to release it unless they are paid.

LAPSUS$ steals confidential information from organizations which have been hacked, then threatens to disclose or publish the information if the requested amount is not paid. The LAPSUS$ extortion ring, on the other hand, has abandoned the typical ransomware strategies of file encryption and computer lockout. 

According to the notice, the Health Department is aware of healthcare institutions which have been hacked as a result of the Okta attack; Okta has verified that more than 300 of its clients have been affected by the breach. In the light of the incident, Police in the United Kingdom have identified and charged several accused members of the Lapsus$ gang.
Read more »
LAPSUS$
British Police Cyber Attacks Data Theft hackers group LAPSUS$

British Police Charge Teenagers in LAPSUS$ Gang Connection

 

The Police force of London city who has been investigating the Lapsus$ malicious group announced on Friday that it has charged two of the seven teenagers, a 16-year-old and a 17-year-old for their illegal connections to the LAPSUS$ data extortion group. 

The two teenagers have been charged with unauthorized access to a computer with the intention to impair the reliability of data, fraud by false representation, and unauthorized access to a computer with the intention to hinder access to data, the police force stated. 

According to a member of the police, charges come when the Police moved to catch seven suspected LAPSUS$ group members aged between 16 and 21 on March 25. 

“Both teenagers have been charged with: three counts of unauthorized access to a computer with intent to impair the reliability of data; one count of fraud by false representation and one count of unauthorized access to a computer with intent to hinder access to data,” Detective Inspector Michael O’Sullivan, from the City of London Police, said in a statement. 

In a short span of a few months, the LAPSUS$ hacker group has gained infamy in the crowded digital extortion market for their hacking records including stealing and publishing the source code of multiple top-tier technology companies on their Telegram channel, which has more than 58,000 subscribers. It's worth noting that it has exceedingly high-level of access to some of the biggest companies in the world. 

Data has shown that in the past few months, Lapsus$ has extracted data from various global giants, including Samsung, Nvidia, Microsoft, Vodafone, and Qualcomm, with the latest target being the Globant. 

The group of hackers came into the spotlight after attacking Okta, a company that facilitates organizations with security services. 

"In today's environment, threat actors favor using ransomware to encrypt data and systems and often extort victims for significant amounts of cryptocurrency in exchange for decryption keys, sometimes turning up the pressure with the threat of publishing stolen data…" 

"…LAPSUS$, however, is unusual in its approach – for this group, notoriety most often appears to be the goal, rather than financial gain”, Palo Alto Networks' Unit 42 team reported.
Read more »
Subscribe to: Posts (Atom)