Tuesday 20th September 2022

BLOG: Who Are Lapsus$ Group?

After disappearing in March, the Lapsus$ group has made its way back into the headlines with its recent attack on Uber. The group gained access to several internal Uber systems after stealing a third-party contractor's credentials and then convincing the contractor to approve a two-factor authentication request.

Uber said it does not appear that the attackers infiltrated any public-facing systems, user accounts, or databases that store sensitive user information such as credit card numbers. Additionally, Uber said it does not appear that the attackers accessed any customer or user data stored by its cloud providers.

The hackers did download some internal messages and information from an internal finance team. They also accessed Uber's dashboard at HackerOne, where security researchers report bugs and vulnerabilities; however, Uber stated that any bug reports the attacker was able to access have already been remediated. The company said it is "likely" that the Lapsus$ hacker obtained the contractor's Uber corporate password by purchasing it on the dark web after the contractor's device had been infected with malware.

The hacker then allegedly tried repeatedly to log in to the contractor's Uber account, and each attempt was blocked by a two-factor login approval request pushed to the contractor. The contractor eventually accepted one of those requests, which allowed the hacker to obtain elevated permissions to several internal tools, including G-Suite and Slack.
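The pattern described above, a burst of push challenges that are denied or ignored until the target finally approves one, is often called MFA push fatigue and is something a SOC can hunt for in identity-provider logs. The following Python is an added example written for this post; it is not code from Uber, Okta or any vendor. The log format (ISO timestamp followed by key=value pairs), the field names, the sample lines and the thresholds (five unapproved pushes within fifteen minutes) are all assumptions for illustration and should be mapped to your own IdP's export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of push-MFA events for illustration only; these are not
# real logs from any organisation mentioned in the post.
SAMPLE_LOG = """\
2022-09-15T22:58:10Z user=alice event=mfa_push result=approved src=198.51.100.20
2022-09-15T23:01:02Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T23:01:40Z user=contractor01 event=mfa_push result=timeout src=203.0.113.7
2022-09-15T23:02:15Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T23:03:05Z user=contractor01 event=mfa_push result=timeout src=203.0.113.7
2022-09-15T23:04:30Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T23:05:50Z user=contractor01 event=mfa_push result=timeout src=203.0.113.7
2022-09-15T23:06:44Z user=contractor01 event=mfa_push result=approved src=203.0.113.7
2022-09-15T23:07:00Z user=bob event=mfa_push result=timeout src=198.51.100.31
2022-09-15T23:07:30Z user=bob event=mfa_push result=approved src=198.51.100.31
"""

# Assumed line shape: "<timestamp> key=value key=value ..."
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict; return None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["ts"] = ts
    return fields


def detect_push_fatigue(log_text, min_prior=5, window=timedelta(minutes=15)):
    """Flag every approved push that was preceded, within `window`, by at least
    `min_prior` denied or timed-out pushes for the same user.

    Returns a list of findings (user, approval time, count of prior unapproved
    pushes, and the source addresses involved). Thresholds are assumptions.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("event") == "mfa_push":
            by_user[ev["user"]].append(ev)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["result"] != "approved":
                continue
            # Only unapproved pushes that fall inside the look-back window count.
            prior = [p for p in events[:i]
                     if p["result"] != "approved" and ev["ts"] - p["ts"] <= window]
            if len(prior) >= min_prior:
                findings.append({
                    "user": user,
                    "approved_at": ev["ts"].isoformat(),
                    "prior_unapproved": len(prior),
                    "sources": sorted({p["src"] for p in prior} | {ev["src"]}),
                })
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG):
        print(f"ALERT push fatigue: user={f['user']} approved_at={f['approved_at']} "
              f"prior_unapproved={f['prior_unapproved']} sources={','.join(f['sources'])}")
```

On the constructed sample, contractor01 is flagged (six unapproved pushes in under six minutes before the approval) while alice and bob are not. In practice, tune the window and count to your environment, and treat an approval from a source address the user has never authenticated from as a stronger signal than the count alone.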

Who are Lapsus$?

The Lapsus$ hacking group first came to public attention in December 2021 with a damaging ransomware attack against the Brazilian Ministry of Health, compromising the COVID-19 vaccination data of millions of people in the country. Little is known about the group beyond the belief that it operates out of South America and breaks into the networks of large organizations to steal data and extort payments.

The group's activity early in the year turned out to be only a taste of what was to come. Since its first publicized attacks it has targeted several high-profile technology companies, stealing data from Nvidia, Samsung, Microsoft, and Vodafone. Lapsus$ also disrupted some of Ubisoft's services and gained access to an Okta contractor's laptop, putting the data of thousands of companies that use the service at risk. It is also suspected of being behind last year's attack on EA Games.

Shortly after the Okta attack, a report named an England-based teenager as the mastermind behind the group and said another teenage member may live in Brazil. One member is reportedly so skilled that researchers initially thought their work was automated. On March 24th, 2022, London police made seven arrests in connection with Lapsus$, all of people aged between 16 and 21. After March, Lapsus$ went quiet for several months before re-emerging with another string of high-profile attacks on companies.

Cybersecurity analysts currently believe that Lapsus$ began the ransomware attack with a phishing email. Phishing is an easy way into corporate networks: a single download, or a click through to a site that captures login credentials, is enough for attackers to gain a foothold and start escalating privileges until they control administrator-level accounts.

It is believed that 96% of phishing attacks arrive by email, another 3% via malicious websites and just 1% via phone. Lapsus$ exploits the resulting account access in blatant displays of control, such as taking over victims' Twitter and other social media accounts. This showmanship is likely to be lauded by the group's contemporaries and may become a standing part of its attack profile.

While it may be tempting to write off Lapsus$ as an immature, fame-seeking group, its tactics should make any organization take notice. Microsoft says Lapsus$ mostly gains illicit access to targets through "social engineering": bribing or tricking employees at the target organization or at its many partners, such as customer support call centers and help desks.

Unlike other ransomware gangs, which typically use dark web sites to publish stolen data, Lapsus$ uses a Telegram channel to share details of its attacks, and data stolen from its victims, directly with anyone who subscribes. The channel has grown to more than 45,000 subscribers, and Microsoft points to an ad Lapsus$ posted there offering to recruit insiders at major mobile phone providers, large software and gaming companies, hosting firms, and call centers.

Lapsus$ has reportedly been recruiting insiders via multiple social media platforms since November 2021. Reddit appears to have been one of the main venues: a core member using the aliases "Oklaqq" and "WhiteDoxbin" posted recruitment messages there last year offering employees at AT&T, T-Mobile, and Verizon up to $20,000 a week to perform "inside jobs." Many of the group's recruitment ads are written in both English and Portuguese.

Although Lapsus$ differs from many ransomware groups in how it operates, its initial-access tactics look much like those of other cyber-criminal operations: exploiting exposed remote desktop protocol (RDP) services and sending phishing emails to gain access to accounts and networks. The group also buys stolen credentials on underground forums and searches public dumps of usernames and passwords for credentials that can be used to gain access to accounts.

As discussed above, Lapsus$ was found to be behind the attack on Uber. On September 15th, a hacker announced on Uber's private Slack channel that they had breached the company. One security engineer described it to the New York Times as "a total compromise", adding that "They pretty much have full access to Uber." Uber's source code, internal databases, communication channels, and more were all compromised in the breach. The hacker, who uses the alias 'teapotuberhacker', was able to get past the company's security controls.

Days later, on September 18th, the same hacker, again under the alias 'teapotuberhacker', leaked roughly 50 minutes of footage of Grand Theft Auto 6, an upcoming game from Rockstar Games. They obtained the footage by gaining access to the company's Slack, from which they downloaded the video clips. Rockstar acknowledged the leak in a statement posted on Twitter.

It is unlikely these attacks will suddenly stop, but there are steps organizations and businesses can take to help avoid falling victim to Lapsus$ or other criminal hacking groups. To find out how Orpheus Cyber can help, request a demo here.

To find out more about other Ransomware groups, download our free Ransomware handbook here.
