Conti’s Ransomware Toll on the Healthcare Industry

April 18, 2022

Conti — one of the most ruthless and successful Russian ransomware groups — publicly declared during the height of the COVID-19 pandemic that it would refrain from targeting healthcare providers. But new information confirms this pledge was always a lie, and that Conti has launched more than 200 attacks against hospitals and other healthcare facilities since first surfacing in 2018 under its earlier name, “Ryuk.”

On April 13, Microsoft said it executed a legal sneak attack against Zloader, a remote access trojan and malware platform that multiple ransomware groups have used to deploy their malware inside victim networks. More specifically, Microsoft obtained a court order that allowed it to seize 65 domain names that were used to maintain the Zloader botnet.

Microsoft’s civil lawsuit against Zloader names seven “John Does,” essentially seeking information to identify cybercriminals who used Zloader to conduct ransomware attacks. As the company’s complaint notes, some of these John Does were associated with lesser ransomware collectives such as Egregor and Netfilim.

But according to Microsoft and an advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), Zloader had a special relationship with Ryuk/Conti, acting as a preferred distribution platform for deploying Ryuk/Conti ransomware.

Several parties backed Microsoft in its legal efforts against Zloader by filing supporting declarations, including Errol Weiss, a former penetration tester for the U.S. National Security Agency (NSA). Weiss now serves as the chief security officer of the Health Information Sharing & Analysis Center (H-ISAC), an industry group that shares information about cyberattacks against healthcare providers.

Weiss said ransomware attacks from Ryuk/Conti have impacted hundreds of healthcare facilities across the United States, including facilities located in 192 cities and 41 states and the District of Columbia.

“The attacks resulted in the temporary or permanent loss of IT systems that support many of the provider delivery functions in modern hospitals resulting in cancelled surgeries and delayed medical care,” Weiss said in a declaration (PDF) with the U.S. District Court for the Northern District of Georgia.

“Hospitals reported revenue losses due to Ryuk infections of nearly $100 million from data I obtained through interviews with hospital staff, public statements, and media articles,” Weiss wrote. “The Ryuk attacks also caused an estimated $500 million in costs to respond to the attacks – costs that include ransomware payments, digital forensic services, security improvements and upgrading impacted systems plus other expenses.” Continue reading

Microsoft Patch Tuesday, April 2022 Edition

April 13, 2022

Microsoft on Tuesday released updates to fix roughly 120 security vulnerabilities in its Windows operating systems and other software. Two of the flaws have been publicly detailed prior to this week, and one is already seeing active exploitation, according to a report from the U.S. National Security Agency (NSA).

Of particular concern this month is CVE-2022-24521, which is a “privilege escalation” vulnerability in the Windows common log file system driver. In its advisory, Microsoft said it received a report from the NSA that the flaw is under active attack.

“It’s not stated how widely the exploit is being used in the wild, but it’s likely still targeted at this point and not broadly available,” assessed Dustin Childs with Trend Micro’s Zero Day Initiative. “Go patch your systems before that situation changes.”

Nine of the updates pushed this week address problems Microsoft considers “critical,” meaning the flaws they fix could be abused by malware or malcontents to seize total, remote access to a Windows system without any help from the user.

Among the scariest critical bugs is CVE-2022-26809, a potentially “wormable” weakness in a core Windows component (RPC) that earned a CVSS score of 9.8 (10 being the worst). Microsoft said it believes exploitation of this flaw is more likely than not.

Other potentially wormable threats this month include CVE-2022-24491 and CVE-2022-24497, Windows Network File System (NFS) vulnerabilities that also clock in at 9.8 CVSS scores and are listed as “exploitation more likely by Microsoft.”

“These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data,” said Kevin Breen, director of cyber threat research at Immersive Labs. “It is also important for security teams to note that NFS Role is not a default configuration for Windows devices.” Continue reading

Advertisement

RaidForums Gets Raided, Alleged Admin Arrested

April 12, 2022

The U.S. Department of Justice (DOJ) said today it seized the website and user database for RaidForums, an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.

The “raid” in RaidForums is a nod to the community’s humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. According to the DOJ, that early activity included ‘raiding‘ — posting or sending an overwhelming volume of contact to a victim’s online communications medium — and ‘swatting,’ the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.”

But over the years as trading in hacked databases became big business, RaidForums emerged as the go-to place for English-speaking hackers to peddle their wares. Perhaps the most bustling marketplace within RaidForums was its “Leaks Market,” which described itself as a place to buy, sell, and trade hacked databases and leaks.

The government alleges Coelho and his forum administrator identity “Omnipotent” profited from the illicit activity on the platform by charging “escalating prices for membership tiers that offered greater access and features, including a top-tier ‘God’ membership status.”

“RaidForums also sold ‘credits’ that provided members access to privileged areas of the website and enabled members to ‘unlock’ and download stolen financial information, means of identification, and data from compromised databases, among other items,” the DOJ said in a written statement. “Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.”

Prosecutors say Coelho also personally sold stolen data on the platform, and that Omnipotent directly facilitated illicit transactions by operating a fee-based “Official Middleman” service, a kind of escrow or insurance service that denizens of RaidForums were encouraged to use when transacting with other criminals.

Investigators described multiple instances wherein undercover federal agents or confidential informants used Omnipotent’s escrow service to purchase huge tranches of data from one of Coelho’s alternate user  identities — meaning Coelho not only sold data he’d personally hacked but also further profited by insisting the transactions were handled through his own middleman service.

Not all of those undercover buys went as planned. One incident described in an affidavit by prosecutors (PDF) appears related to the sale of tens of millions of consumer records stolen last year from T-Mobile, although the government refers to the victim only as a major telecommunications company and wireless network operator in the United States.

On Aug. 11, 2021, an individual using the moniker “SubVirt” posted on RaidForums an offer to sell Social Security numbers, dates of birth and other records on more than 120 million people in the United States (SubVirt would later edit the sales thread to say 30 million records). Just days later, T-Mobile would acknowledge a data breach affecting 40 million current, former or prospective customers who applied for credit with the company.

The government says the victim firm hired a third-party to purchase the database and prevent it from being sold to cybercriminals. That third-party ultimately paid approximately $200,000 worth of bitcoin to the seller, with the agreement that the data would be destroyed after sale. “However, it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase,” the affidavit alleges.

The FBI’s seizure of RaidForums was first reported by KrebsOnSecurity on Mar. 23, after a federal investigator confirmed rumors that the FBI had been secretly operating the RaidForums website for weeks. Continue reading

Double-Your-Crypto Scams Share Crypto Scam Host

April 11, 2022

Online scams that try to separate the unwary from their cryptocurrency are a dime a dozen, but a great many seemingly disparate crypto scam websites tend to rely on the same dodgy infrastructure providers to remain online in the face of massive fraud and abuse complaints from their erstwhile customers. Here’s a closer look at hundreds of phony crypto investment schemes that are all connected through a hosting provider which caters to people running crypto scams.

A security researcher recently shared with KrebsOnSecurity an email he received from someone who said they foolishly invested an entire bitcoin (currently worth ~USD $43,000) at a website called ark-x2[.]org, which promised to double any cryptocurrency investment made with the site.

The ark-x2[.]org site pretended to be a crypto giveaway website run by Cathie Wood, the founder and CEO of ARKinvest, an established Florida company that manages several exchange-traded investment funds. This is hardly the first time scammers have impersonated Wood or ARKinvest; a tweet from Wood in 2020 warned that the company would never use YouTube, Twitter, Instagram or any social media to solicit money.

At the crux of these scams are well-orchestrated video productions published on YouTube and Facebook that claim to be a “live event” featuring famous billionaires. In reality, these videos just rehash older footage while peppering viewers with prompts to sign up at a scam investment site — one they claim has been endorsed by the celebrities.

“I was watching a live video at YouTube where Elon Musk, Cathy Wood, and Jack Dorsey were talking about Crypto,” the victim told my security researcher friend. “An overlay on the video pointed to subscribing to the event at their website. I’ve been following Cathy Wood in her analysis on financial markets, so I was in a comfortable and trusted environment. The three of them are bitcoin maximalists in a sense, so it made perfect sense they were organizing a giveaway.”

“Without any doubt (other than whether the transfer would go through), I sent them 1 BTC (~$42,800), and they were supposed to return 2 BTC back,” the victim continued. “In hindsight, this was an obvious scam. But the live video and the ARK Invest website is what produced the trusted environment to me. I realized a few minutes later, when the live video looped. It wasn’t actually live, but a replay of a video from 6 months ago.”

Ark-x2[.]org is no longer online. But a look at the Internet address historically tied to this domain (186.2.171.79) shows the same address is used to host or park hundreds of other newly-minted crypto scam domains, including coinbase-x2[.]net (pictured below).

The crypto scam site coinbase-x2[.]net, which snares unwary investors with promises of free money.

Typical of crypto scam sites, Coinbase-x2 promises a chance to win 50,000 ETH (Ethereum virtual currency), plus a “welcome bonus” wherein they promise to double any crypto investment made with the platform. But everyone who falls for this greed trap soon discovers they won’t be getting anything in return, and that their “investment” is gone forever.

There isn’t a lot of information about who bought these crypto scam domains, as most of them were registered in the past month at registrars that automatically redact the site’s WHOIS ownership records.

However, several dozen of the domains are in the .us domain space, which is technically supposed to be reserved for entities physically based in the United States. Those Dot-us domains all contain the registrant name Sergei Orlovets from Moscow, the email address ulaninkirill52@gmail.com, and the phone number +7.9914500893. Unfortunately, each of these clues lead to a dead end, meaning they were likely picked and used solely for these scam sites.

A dig into the Domain Name Server (DNS) records for Coinbase-x2[.]net shows it is hosted at a service called Cryptohost[.]to. Cryptohost also controls several other address ranges, including 194.31.98.X, which is currently home to even more crypto scam websites, many targeting lesser-known cryptocurrencies like Polkadot.

An ad posted to the Russian-language hacking forum BHF last month touted Cryptohost as a “bulletproof hosting provider for all your projects,” i.e., it can be relied upon to ignore abuse complaints about its customers.

“Why choose us? We don’t keep your logs!,” someone claiming to represent Cryptohost wrote to denizens of BHF.

Cryptohost says its service is backstopped by DDoS-Guard, a Russian company that has featured here recently for providing services to the sanctioned terrorist group Hamas and to the conspiracy theory groups QAnon/8chan.

A scam site at Cryptohost targeting Polkadot cryptocurrency holders.

Cryptohost did not respond to requests for comment. Continue reading

Actions Target Russian Govt. Botnet, Hydra Dark Market

April 7, 2022

The U.S. Federal Bureau of Investigation (FBI) says it has disrupted a giant botnet built and operated by a Russian government intelligence unit known for launching destructive cyberattacks against energy infrastructure in the United States and Ukraine. Separately, law enforcement agencies in the U.S. and Germany moved to decapitate “Hydra,” a billion-dollar Russian darknet drug bazaar that also helped to launder the profits of multiple Russian ransomware groups.

FBI officials said Wednesday they disrupted “Cyclops Blink,” a collection of compromised networking devices managed by hackers working with the Russian Federation’s Main Intelligence Directorate (GRU).

A statement from the U.S. Department of Justice (DOJ) says the GRU’s hackers built Cyclops Blink by exploiting previously undocumented security weaknesses in firewalls and routers made by both ASUS and WatchGuard Technologies. The DOJ said it did not seek to disinfect compromised devices; instead, it obtained court orders to remove the Cyclops Blink malware from its “command and control” servers — the hidden machines that allowed the attackers to orchestrate the activities of the botnet.

The FBI and other agencies warned in March that the Cyclops Blink malware was built to replace a threat called “VPNFilter,” an earlier malware platform that targeted vulnerabilities in a number of consumer-grade wireless and wired routers. In May 2018, the FBI executed a similar strategy to dismantle VPNFilter, which had spread to more than a half-million consumer devices.

On April 1, ASUS released updates to fix the security vulnerability in a range of its Wi-Fi routers. Meanwhile, WatchGuard appears to have silently fixed its vulnerability in an update shipped almost a year ago, according to Dan Goodin at Ars Technica. Continue reading

The Original APT: Advanced Persistent Teenagers

April 6, 2022

Many organizations are already struggling to combat cybersecurity threats from ransomware purveyors and state-sponsored hacking groups, both of which tend to take days or weeks to pivot from an opportunistic malware infection to a full blown data breach. But few organizations have a playbook for responding to the kinds of virtual “smash and grab” attacks we’ve seen recently from LAPSUS$, a juvenile data extortion group whose short-lived, low-tech and remarkably effective tactics have put some of the world’s biggest corporations on edge.

Since surfacing in late 2021, LAPSUS$ has gained access to the networks or contractors for some of the world’s largest technology companies, including Microsoft, NVIDIA, Okta and Samsung. LAPSUS$ typically threatens to release sensitive data unless paid a ransom, but with most victims the hackers ended up publishing any information they stole (mainly computer source code).

Microsoft blogged about its attack at the hands of LAPSUS$, and about the group targeting its customers. It found LAPSUS$ used a variety of old-fashioned techniques that seldom show up in any corporate breach post-mortems, such as:

-targeting employees at their personal email addresses and phone numbers;
-offering to pay $20,000 a week to employees who give up remote access credentials;
-social engineering help desk and customer support employees at targeted companies;
-bribing/tricking employees at mobile phone stores to hijack a target’s phone number;
-intruding on their victims’ crisis communications calls post-breach.

If these tactics sound like something you might sooner expect from spooky, state-sponsored “Advanced Persistent Threat” or APT groups, consider that the core LAPSUS$ members are thought to range in age from 15 to 21. Also, LAPSUS$ operates on a shoestring budget and is anything but stealthy: According to Microsoft, LAPSUS$ doesn’t seem to cover its tracks or hide its activity. In fact, the group often announces its hacks on social media.

ADVANCED PERSISTENT TEENAGERS

This unusual combination makes LAPSUS$ something of an aberration that is probably more aptly referred to as “Advanced Persistent Teenagers,” said one CXO at a large organization that recently had a run-in with LAPSUS$.

“There is a lot of speculation about how good they are, tactics et cetera, but I think it’s more than that,” said the CXO, who spoke about the incident on condition of anonymity. “They put together an approach that industry thought suboptimal and unlikely. So it’s their golden hour.”

LAPSUS$ seems to have conjured some worst-case scenarios in the minds of many security experts, who worry what will happen when more organized cybercriminal groups start adopting these techniques.

“LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices,” said Amit Yoran, CEO of security firm Tenable and a former federal cybersecurity czar, testifying last week before the House Homeland Security Committee. “With much deeper pockets, focus, and mission, targeting critical infrastructure. That should be a sobering, if not terrifying, call to action.”

My CXO source said LAPSUS$ succeeds because they simply refuse to give up, and just keep trying until someone lets them in.

“They would just keep jamming a few individuals to get [remote] access, read some onboarding documents, enroll a new 2FA [two-factor authentication method] and exfiltrate code or secrets, like a smash-and-grab,” the CXO said. “These guys were not leet, just damn persistent.” Continue reading

Fake Emergency Search Warrants Draw Scrutiny from Capitol Hill

March 31, 2022

On Tuesday, KrebsOnSecurity warned that hackers increasingly are using compromised government and police department email accounts to obtain sensitive customer data from mobile providers, ISPs and social media companies. Today, one of the U.S. Senate’s most tech-savvy lawmakers said he was troubled by the report and is now asking technology companies and federal agencies for information about the frequency of such schemes.

At issue are forged “emergency data requests,” (EDRs) sent through hacked police or government agency email accounts. Tech companies usually require a search warrant or subpoena before providing customer or user data, but any police jurisdiction can use an EDR to request immediate access to data without a warrant, provided the law enforcement entity attests that the request is related to an urgent matter of life and death.

As Tuesday’s story showed, hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. After all, there are roughly 18,000 distinct police organizations in the United States alone, and many thousands of government and police agencies worldwide.

Criminal hackers exploiting that ambiguity are enjoying remarkable success rates gaining access to the data they’re after, and some are now selling EDRs as a service to other crooks online.

This week’s piece included confirmation from social media platform Discord about a fraudulent EDR they recently processed. On Wednesday, Bloomberg published a story confirming that both Apple and Meta/Facebook have recently complied with fake EDRs.

Today, KrebsOnSecurity heard from Sen. Ron Wyden (D-Ore.), who said he was moved to action after reading this week’s coverage.

“Recent news reports have revealed an enormous threat to Americans’ safety and national security,” Wyden said in a statement provided to KrebsOnSecurity. “I’m particularly troubled by the prospect that forged emergency orders may be coming from compromised foreign law enforcement agencies, and then used to target vulnerable individuals.”

“I’m requesting information from tech companies and multiple federal agencies to learn more about how emergency data requests are being abused by hackers,” Wyden’s statement continues. “No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed. Fraudulent government requests are a significant concern, which is why I’ve already authored legislation to stamp out forged warrants and subpoenas.” Continue reading

Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”

March 29, 2022

There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.

Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

“We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers,” said Mark Rasch, a former prosecutor with the U.S. Department of Justice.

“And then we have this emergency process, almost like you see on [the television series] Law & Order, where they say they need certain information immediately,” Rasch continued. “Providers have a streamlined process where they publish the fax or contact information for police to get emergency access to data. But there’s no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they’ll comply.”

To make matters more complicated, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to succeed is illicit access to a single police email account.

THE LAPSUS$ CONNECTION

The reality that teenagers are now impersonating law enforcement agencies to subpoena privileged data on their targets at whim is evident in the dramatic backstory behind LAPSUS$, the data extortion group that recently hacked into some of the world’s most valuable technology companies, including Microsoft, Okta, NVIDIA and Vodafone.

In a blog post about their recent hack, Microsoft said LAPSUS$ succeeded against its targets through a combination of low-tech attacks, mostly involving old-fashioned social engineering — such as bribing employees at or contractors for the target organization.

“Other tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multi-factor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote of LAPSUS$.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ allegedly hail.

Researchers from security firms Unit 221B and Palo Alto Networks say that prior to launching LAPSUS$, the group’s leader “White” (a.k.a. “WhiteDoxbin,” “Oklaqq”) was a founding member of a cybercriminal group calling itself the “Recursion Team.” This group specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

The founder of the Recursion Team was a then 14-year-old from the United Kingdom who used the handle “Everlynn.” On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled, “Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.

Everlynn advertising a warrant/subpoena service based on fake EDRs. Image: Ke-la.com.

“Services [include] Apple, Snapchat, Google (more expensive), not doing Discord, basically any site mostly,” read Everlynn’s ad, which was posted by the user account “InfinityRecursion.”

A month prior on Cracked, Everlynn posted a sales thread, “1x Government Email Account || BECOME A FED!,” which advertised the ability to send email from a federal agency within the government of Argentina.

“I would like to sell a government email that can be used for subpoena for many companies such as Apple, Uber, Instagram, etc.,” Everlynn’s sales thread explained, setting the price at $150. “You can breach users and get private images from people on SnapChat like nudes, go hack your girlfriend or something haha. You won’t get the login for the account, but you’ll basically obtain everything in the account if you play your cards right. I am not legally responsible if you mishandle this. This is very illegal and you will get raided if you don’t use a vpn. You can also breach into the government systems for this, and find LOTS of more private data and sell it for way, way more.”

Last week, the BBC reported that authorities in the United Kingdom had detained seven individuals aged 16 to 21 in connection with LAPSUS$. Continue reading

Estonian Tied to 13 Ransomware Attacks Gets 66 Months in Prison

March 25, 2022

An Estonian man was sentenced today to more than five years in a U.S. prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. Prosecutors say the accused also enjoyed a lengthy career of “cashing out” access to hacked bank accounts worldwide.

Maksim Berezan, 37, is an Estonian national who was arrested nearly two years ago in Latvia. U.S. authorities alleged Berezan was a longtime member of DirectConnection, a closely-guarded Russian cybercriminal forum that existed until 2015. Berezan’s indictment (PDF) says he used his status at DirectConnection to secure cashout jobs from other vetted crooks on the exclusive crime forum.

Berezan specialized in cashouts and “drops.” Cashouts refer to using stolen payment card data to make fraudulent purchases or to withdraw money from bank accounts without authorization. A drop is a location or individual able to securely receive and forward funds or goods obtained through cashouts or other types of fraud. Drops typically are used to make it harder for law enforcement to trace fraudulent transactions and to circumvent fraud detection measures used by banks and credit card companies.

Acting on information from U.S. authorities, in November 2020 Latvian police searched Berezan’s residence there and found a red Porsche Carrera 911, a black Porsche Cayenne, a Ducati motorcycle, and an assortment of jewelry. They also seized $200,000 in currency, and $1.7 million in bitcoin.

After Berezan was extradited to the United States in December 2020, investigators searching his electronic devices said they found “significant evidence of his involvement in ransomware activity.”

“The post-extradition investigation determined that Berezan had participated in at least 13 ransomware attacks, 7 of which were against U.S. victims, and that approximately $11 million in ransom payments flowed into cryptocurrency wallets that he controlled,” reads a statement from the U.S. Department of Justice.

Berezan pleaded guilty in April 2021 to conspiracy to commit wire fraud. Continue reading

A Closer Look at the LAPSUS$ Data Extortion Group

March 23, 2022

Microsoft and identity management platform Okta both this week disclosed breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom demand is paid. Here’s a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations.

First surfacing in December 2021 with an extortion demand on Brazil’s Ministry of Health, LAPSUS$ made headlines more recently for posting screenshots of internal tools tied to a number of major corporations, including NVIDIA, Samsung, and Vodafone.

On Tuesday, LAPSUS$ announced via its Telegram channel it was releasing source code stolen from Microsoft. In a blog post published Mar. 22, Microsoft said it interrupted the LAPSUS$ group’s source code download before it could finish, and that it was able to do so because LAPSUS$ publicly discussed their illicit access on their Telegram channel before the download could complete.

One of the LAPSUS$ group members admitted on their Telegram channel that the Microsoft source code download had been interrupted.

“This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” Microsoft wrote. “No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

While it may be tempting to dismiss LAPSUS$ as an immature and fame-seeking group, their tactics should make anyone in charge of corporate security sit up and take notice. Microsoft says LAPSUS$ — which it boringly calls “DEV-0537” — mostly gains illicit access to targets via “social engineering.” This involves bribing or tricking employees at the target organization or at its myriad partners, such as customer support call centers and help desks.

“Microsoft found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners),” Microsoft wrote. The post continues:

“DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system. Such a tactic was just one of the ways DEV-0537 took advantage of the security access and business relationships their target organizations have with their service providers and supply chains.”

The LAPSUS$ Telegram channel has grown to more than 45,000 subscribers, and Microsoft points to an ad LAPSUS$ posted there offering to recruit insiders at major mobile phone providers, large software and gaming companies, hosting firms and call centers.

Sources tell KrebsOnSecurity that LAPSUS$ has been recruiting insiders via multiple social media platforms since at least November 2021. One of the core LAPSUS$ members who used the nicknames “Oklaqq” and “WhiteDoxbin” posted recruitment messages to Reddit last year, offering employees at AT&T, T-Mobile and Verizon up to $20,000 a week to perform “inside jobs.”

LAPSUS$ leader Oklaqq a.k.a. “WhiteDoxbin” offering to pay $20,000 a week to corrupt employees at major mobile providers.

Many of LAPSUS$’s recruitment ads are written in both English and Portuguese. According to cyber intelligence firm Flashpoint, the bulk of the group’s victims (15 of them) have been in Latin America and Portugal.

“LAPSUS$ currently does not operate a clearnet or darknet leak site or traditional social media accounts—it operates solely via Telegram and email,” Flashpoint wrote in an analysis of the group. “LAPSUS$ appears to be highly sophisticated, carrying out increasingly high-profile data breaches. The group has claimed it is not state-sponsored. The individuals behind the group are likely experienced and have demonstrated in-depth technical knowledge and abilities.”

Microsoft said LAPSUS$ has been known to target the personal email accounts of employees at organizations they wish to hack, knowing that most employees these days use some sort of VPN to remotely access their employer’s network.

“In some cases, [LAPSUS$] first targeted and compromised an individual’s personal or private (non-work-related) accounts giving them access to then look for additional credentials that could be used to gain access to corporate systems,” Microsoft wrote. “Given that employees typically use these personal accounts or numbers as their second-factor authentication or password recovery, the group would often use this access to reset passwords and complete account recovery actions.”

In other cases, Microsoft said, LAPSUS$ has been seen calling a target organization’s help desk and attempting to convince support personnel to reset a privileged account’s credentials.

“The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure,” Microsoft explained. “Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity. Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.”

LAPSUS$ recruiting insiders via its Telegram channel.

Continue reading