The Return of Lapsus$
On 19 September, Uber Technologies Inc. confirmed a security breach of its network and said it believes the cybercrime group known as Lapsus$ is responsible. Lapsus$ went on quite a crime spree earlier this year before it was reported that some members of the group were arrested in London in April. They gained access to large tech corporations such as Nvidia, Microsoft, Okta, Samsung, and others. The group largely stayed out of the news until last month, when Cisco Systems Inc. confirmed a hack into its network and pointed to Lapsus$, among others, as responsible. If confirmed, the access into both Uber and Cisco would add to a growing portfolio of high-profile companies Lapsus$ has been able to breach in ways other cybercrime organizations only dream of. Most worrisome of all, the group uses relatively simple means of getting into these networks, showing large corporations that the weakest link in cybersecurity is still the employee and not necessarily the technology. According to multiple open-source reports and Lapsus$' own Telegram channel, the group has historically tried to recruit insiders who could provide access to a corporate network and, failing that, simply buys stolen credentials on dark web markets. The methods used in the Uber hack were no different.
For example, Uber reported on its website that the attacker likely purchased, on the dark web, stolen credentials belonging to an Uber EXT contractor who had access to the corporate network. The attacker used those credentials to log in but was stopped by the two-factor authentication prompt, which pushed an approval request to the contractor's personal phone. The contractor initially denied the request, but the attacker kept retrying, and after several attempts one of the requests was approved. Two-factor authentication exists to stop exactly this kind of login, and it is normally defeated only when the attacker also controls the device or mailbox that receives the prompt. Here the contractor still held the device; the attacker succeeded only because the contractor, worn down by the repeated prompts, eventually accepted one. This technique is now commonly called MFA fatigue or push bombing: it exploits the fact that a plain push prompt asks only for approval, not for any proof that the person approving is the one who started the login.
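The pattern described above is visible in authentication logs: a burst of denied or unanswered push prompts for one account, followed by an approval. The script below is an added example for this article, not code from Uber or from any identity provider; it runs that check over a constructed JSON-lines log. The event names, field names, ten-minute window and three-prompt threshold are assumptions chosen for illustration and must be mapped to the real log schema of your IdP (Okta System Log, Duo authentication log, Azure AD sign-in logs, and so on).

```python
"""Detect MFA push fatigue ("push bombing") in authentication logs.

Added example for this article; not Uber's or any vendor's code. Event and
field names, window and threshold are assumptions for illustration only.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Outcome events for a push prompt. Names are assumed; map them to your IdP.
REJECTED_EVENTS = {"mfa.push.denied", "mfa.push.timeout"}
APPROVED_EVENT = "mfa.push.approved"

WINDOW = timedelta(minutes=10)   # look-back window that defines one burst
THRESHOLD = 3                    # rejected prompts before an approval is suspicious

# Constructed sample log (JSON lines). The contractor account is push-bombed
# for several minutes and finally approves; alice denies one prompt by mistake
# and approves the next, which is normal behaviour and must not alert.
SAMPLE_LOG = """\
{"ts": "2022-09-15T22:01:10Z", "user": "ext.contractor@example.com", "event": "mfa.push.denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:01:15Z", "user": "alice@example.com", "event": "mfa.push.denied", "src_ip": "198.51.100.23"}
{"ts": "2022-09-15T22:01:40Z", "user": "alice@example.com", "event": "mfa.push.approved", "src_ip": "198.51.100.23"}
{"ts": "2022-09-15T22:02:05Z", "user": "ext.contractor@example.com", "event": "mfa.push.denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:03:30Z", "user": "ext.contractor@example.com", "event": "mfa.push.timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:05:12Z", "user": "ext.contractor@example.com", "event": "mfa.push.denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:09:30Z", "user": "ext.contractor@example.com", "event": "mfa.push.approved", "src_ip": "203.0.113.7"}
"""


def parse_log(text):
    """Parse JSON-lines auth events and return them in chronological order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    records.sort(key=lambda r: r["ts"])   # exports are not always ordered
    return records


def detect_push_fatigue(records, window=WINDOW, threshold=THRESHOLD):
    """Flag approvals preceded by >= threshold rejected prompts within window.

    Returns one alert dict per suspicious approval.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, src_ip) rejected prompts
    alerts = []
    for rec in records:
        q = recent[rec["user"]]
        while q and rec["ts"] - q[0][0] > window:   # expire prompts outside the window
            q.popleft()
        if rec["event"] in REJECTED_EVENTS:
            q.append((rec["ts"], rec["src_ip"]))
        elif rec["event"] == APPROVED_EVENT:
            if len(q) >= threshold:
                alerts.append({
                    "user": rec["user"],
                    "approved_at": rec["ts"].isoformat(),
                    "rejected_prompts": len(q),
                    "burst_seconds": int((rec["ts"] - q[0][0]).total_seconds()),
                    "src_ips": sorted({ip for _, ip in q} | {rec["src_ip"]}),
                })
            q.clear()   # an approval closes the burst either way
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Detection of this kind is the backstop, not the fix: an approval that follows a burst of denials is worth treating as a compromised session regardless of what the user says. The lever itself is removed by limiting how many pushes an account can receive in a short period and by number matching, where the user must type a code shown on the login screen rather than just tap "approve", since the attacker who only holds the password never sees that code.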
Lapsus$ is a cybersecurity nightmare for corporations. With millions of dollars spent on security controls, technology, and automation, companies are now realizing that their employees may be the weakest link. The bottom line is that spear phishing and social engineering remain very effective because they target individual users who may be having a bad day, may not care about security, or may not grasp the severity of the threat. Proper security awareness training is vital, along with random and continuous testing of employees. Groups such as Lapsus$ will continue to succeed until every employee takes security seriously and understands it.