LAPSUS$, the ransomware organisation best known for the recent Okta breach, has returned after what they call a "vacation," this time with a data breach affecting Globant, a significant software company situated in Luxembourg.
According to media sources, the organisation, which is mostly made up of teenagers from the United Kingdom, broadcast the statement to their Telegram channel's 50,000 users. The group, which was previously known for stealing data from huge corporations and threatening to expose it if ransom demands were not satisfied, stole 70GB of data from Globant. Administrator credentials for the firm's Atlassian suite, including Confluence and Jira, as well as the Crucible code review tool, were among the stolen data.
Two forms of EDR and low-tech strategies
LAPSUS$ originally appeared in December 2021 and has since made headlines for hacking into other major corporations such as Samsung, Impresa, NVIDIA, Vodafone, and Ubisoft. Apple Inc. and Meta Platforms Inc., the parent company of Facebook, have now been identified as LAPSUS$ victims, since the firms were also duped into surrendering user data to the hackers. Security researcher Brian Krebs describes how LAPSUS$ is gaining access to targeted firms using "low-tech but high-impact approaches" in a lengthy blog post.
It entails the unauthorised use of emergency data requests (EDR). The perpetrators do this by compromising law enforcement personnel's credentials. Once they have these credentials, they can send unauthorised requests for subscriber data to phone companies, internet service providers, and social media sites, claiming that the information is urgent and related to a matter of life and death that cannot wait for a court order, bypassing the normal legal review process and causing the sensitive data to be released immediately.
"It's now evident that some hackers have found out that there's no quick and easy method for a corporation receiving one of these EDRs to tell whether it's real," adds Krebs.
"The hackers will deliver a false EDR coupled with an assertion that innocent people would likely suffer significantly or die unless the sought data is supplied promptly," according to the report.
Industry influencers are also raising concerns about the other sort of EDR: endpoint detection and response. LAPSUS$ penetrated Okta's network using the hacked laptop of a support engineer working for Sitel, a third-party customer care service, according to an analysis of the Okta breach. Remote desktop protocol (RDP) was used to get access, which is becoming a more prevalent method for thieves to gain access to computers. LAPSUS$ "used off-the-shelf technology from GitHub for the majority of their assaults," according to researcher Bill Demirkapi (@BillDemirkapi). "LAPSUS$ just terminated the FireEye endpoint agent after downloading Process Explorer and Process Hacker."
Greg Linares, a security researcher who goes by the Twitter handle @Laughing_Mantis, tweeted the following advice:
"#BlueTeams In light of LAPSUS$, I'll need you to stop what you're doing today and do this one homework project for me. What happens if your EDR on a client is abruptly terminated: - Is it possible to restart it? - Do you get any notifications? - Do you lock down the system and start IR?" he tweeted. "If your EDR client is terminated in its present configuration and you do not receive an alert, it does not attempt to restart automatically, and this does not result in a lockdown or IR response, IT IS WRONGLY CONFIGURED."
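As an added example (not the article's or Linares's own code), the first two of those homework questions can be answered from Windows Service Control Manager events; the service name EDRAgent and the sample events are constructed placeholders:

```python
# Added example (not from the article or any EDR vendor): audit Service
# Control Manager events to see whether an EDR service that died came back
# within a grace period, and emit the alert the tweet says you should get.
from datetime import datetime, timedelta

# Constructed sample entries in the shape of Windows System-log records:
# Event ID 7034 = service terminated unexpectedly, 7036 = service state change.
SAMPLE_EVENTS = [
    {"time": "2022-03-22T10:00:00", "id": 7036, "service": "EDRAgent",
     "msg": "entered the running state"},
    {"time": "2022-03-22T10:05:12", "id": 7034, "service": "EDRAgent",
     "msg": "terminated unexpectedly"},
    {"time": "2022-03-22T10:05:12", "id": 7036, "service": "EDRAgent",
     "msg": "entered the stopped state"},
    {"time": "2022-03-22T10:06:00", "id": 7036, "service": "Spooler",
     "msg": "entered the stopped state"},
]


def audit_edr_service(events, service="EDRAgent",
                      restart_window=timedelta(seconds=60)):
    """Find stops of `service` and check that a restart followed in time.

    Returns the stop timestamps, whether every stop was followed by a
    running-state event within `restart_window`, and alert strings for the
    stops that were not (the case that should trigger lockdown and IR)."""
    stops, alerts = [], []
    pending = None  # timestamp of a stop not yet matched with a restart
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["service"] != service:
            continue
        t = datetime.fromisoformat(ev["time"])
        stopped = ev["id"] == 7034 or (ev["id"] == 7036 and "stopped" in ev["msg"])
        if stopped and pending is None:
            pending = t
            stops.append(t)
        elif ev["id"] == 7036 and "running" in ev["msg"] and pending is not None:
            if t - pending > restart_window:
                alerts.append(f"{service} stopped at {pending.isoformat()} and "
                              f"only restarted after {t - pending}")
            pending = None
    if pending is not None:
        alerts.append(f"{service} stopped at {pending.isoformat()} and never restarted")
    return {"stops": stops, "restarted": not alerts and bool(stops), "alerts": alerts}
```

Feed it the real 7034/7036 records for your agent's service name; an empty `alerts` list with `restarted` True is the configuration the tweet is asking for.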
The Okta compromise, according to security expert Joe Helle (@joehelle), shines a light on EDR technologies: "LAPSUS$ killed FireEye and installed Process Explorer and Process Hacker. I hope decision-makers are aware of this, and that the flashy EDR you just purchased isn't all you need to safeguard your surroundings."
Teens in trouble
Seven accused LAPSUS$ members between the ages of 16 and 21 were detained and released by the City of London Police in late March. The arrests, however, do not appear to have curtailed their activities, and security experts warn that, despite their age, they should not be underestimated.
"LAPSUS$ is no joke," TrustedSec founder Dave Kennedy, also known as @HackingDave, tweeted. "Okta, Microsoft, LG, and others are among them. I'm seeing a lot of hit orgs, as well as ones that are fairly well advanced in terms of sec maturity. They're taking advantage of detection loopholes, EDRs, and more. It's crucial to have vision into the cloud and to know what to expect. Be on the lookout." "It's easy to dismiss LAPSUS$ as a juvenile, fame-hungry act. That might be the case. However, everyone in charge of security should be aware that this degree of social engineering to gain access is the new normal," said Brian Krebs (@briankrebs), a security author.
Jake Williams (@MalwareJake), a security researcher, agrees.
"I've witnessed some otherwise intelligent cybersecurity professionals disparage Lapsus$, saying things like 'they're simply a bunch of unorganised kids.' Okay, but whoever they are, they're pretty dang good at what they do. It doesn't matter who they are if they're able to get beyond your security safeguards."
Linares predicts that their recent success will lead to much further expansion.
"It would be fascinating to see the most recent LAPSUS$ leaks and IOCs. Other members of the group, I'm presuming, are stepping up and joining this fresh ragtag LAPSUS$ group. It's a traditional recruitment approach to release data after a bust to prove an organisation is still functioning."