Leaked chats between Lapsus$ hackers revealed that the gang repeatedly breached T-Mobile in March and copied thousands of source code repositories.
The chats came from the hacking group’s private Telegram channel.
Unlike their public Telegram channel with over 40,000 subscribers, the private group is exclusive to seven core members.
A career cybercriminal and owner of the DoxBin doxxing website “KT” leaked the discussions to KrebsOnSecurity researcher Brian Krebs.
Chats revealed the group was plotting another heist before authorities arrested seven alleged Lapsus$ members, aged 15 to 21. Two unnamed suspects, aged 16 and 17, face multiple related charges, including unauthorized access.
The Lapsus$ extortion group operates by stealing data and threatening to publish it, usually without encrypting the victim’s devices.
Lapsus$ hackers frequently bought access credentials from Russian underground markets
Krebs says the Lapsus$ hackers purchased stolen credentials from Russian underground markets that regularly trade in such information.
Each time T-Mobile employees inadvertently disrupted Lapsus$ hackers by changing passwords, threat actors obtained another set of credentials from Russian underground markets.
“You usually can’t completely prevent adversaries from entering your network – especially if they’re buying stolen credentials from Russian cybercrime forums, as the Lapsus$ gang is doing – so the best strategy is to deploy surveillance with the right detection rules in your SOC so you can quickly contain attacks before they have a major business impact,” said Phil Neray, vice president of cyber defense strategy at CardinalOps.
Lapsus$ hackers also stole credentials by luring employees into divulging those details and authorizing or enrolling devices on the company’s virtual private network.
“When it comes to internal breaches where networks are compromised, identity remains the number one challenge,” said Gal Helemski, CTO and co-founder of PlainID. “Organizations should take a ‘Zero Trust’ approach, which means not trusting anyone – not even known users or devices – until they have been verified and validated.”
According to leaked discussions, the Lapsus$ hackers gained access to internal tools, including T-Mobile’s Atlas customer account management systems. This access allowed the hackers to perform SIM swaps and hijack victims’ mobile phone numbers, both for fraud and to intercept two-factor authentication codes.
The Lapsus$ hackers intended to SIM-swap wealthy customers for money. Additionally, a gang member identified as White targeted the FBI and Department of Defense.
However, the government accounts required additional permissions, and other members advised him against it to preserve their access.
Lapsus$ hackers compromised Slack and T-Mobile’s BitBucket and downloaded source code repositories
Lapsus$ hacker White informed the others that he had successfully breached T-Mobile’s Slack and Bitbucket. He also claimed to have worked out how to download scripts to the company’s virtual machine. Within 12 hours, White reported downloading 30,000 source code repositories from T-Mobile.
However, T-Mobile played down the incident, saying the Lapsus$ hackers didn’t have access to “anything of value.”
“Several weeks ago, our monitoring tools detected a malicious actor using stolen credentials to gain access to internal systems that host operational tools software,” T-Mobile said.
According to the company, “the system accessed did not contain any customer or government information or other similar sensitive information.”
T-Mobile added that its response team quickly contained the intrusion and expelled the unauthorized parties from the system.
“Our systems and processes functioned as intended, the intrusion was quickly stopped and closed, and the compromised credentials used became obsolete.”
“T-Mobile’s confirmation that the Lapsus$ extortion gang breached its network shows how cyberattacks have become more damaging and complex as extortion attempts grow in popularity,” said Arti Raman, CEO and Founder of Titaniam. “This underscores the importance of technologies such as encryption-in-use (also known as data-in-use encryption) that specifically protect against data extortion.”
Krebs noted that Lapsus$ hackers attempted to steal and delete any source code they had access to on compromised systems. He suggested that the source code helped the group discover more vulnerabilities, or that there was a high demand for leaked source code in underground markets.
“Knowing how vulnerable you are to ransomware attacks, as well as reviewing your security posture through ongoing vulnerability management and proactive penetration testing, is crucial to establishing better defenses as hacker organizations such as Lapsus$ continue to grow.” – Aaron Sandeen, CEO and Co-Founder, Cyber Security Works.
In four years, Lapsus$ has carried out at least ten data breaches, stealing source code from Nvidia (1 terabyte), Samsung (200 GB including internal data), Globant (70 GB) and Microsoft (37 GB). Other victims of Lapsus$ include Vodafone, Impresa, Okta, Ubisoft and the Brazilian Ministry of Health.
“Recent attacks and extortion attempts against large corporations are clear examples of the damage that can be done when compromised credentials are used to carry out account takeover (ATO) attacks,” said Gunnar Peterson, CISO at Forter. “The Lapsus$ ransomware group conducts all of its ATO activities using stolen usernames and passwords that were obtained through unconventional and sophisticated means.”
Peterson advised organizations to invest in building learning systems that scale and track attacker tactics.
“Because Lapsus$ is clearly capable of breaking perimeter security measures, enterprises must focus on detection and response to minimize damage from infiltration. It is important to invest in solutions that establish a baseline of user and entity behavior and are able to flag potentially malicious or suspicious activity as it occurs,” said Tyler Farrar, CISO at Exabeam.
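Two of the behaviours the article describes lend themselves to simple detection rules of the kind Neray and Farrar recommend: a fresh set of purchased credentials being used right after employees changed passwords, and a single account pulling 30,000 repositories in 12 hours. The script below is an added illustration, not code from the article or from T-Mobile or any vendor quoted in it. It learns a per-account baseline (known login sources and peak distinct repositories cloned per 12-hour window) from a training period, then flags a login from a never-seen source shortly after a password reset and a clone burst well above baseline. The log format, the account name `alice`, the addresses and the thresholds are all constructed for the example.

```python
"""Added illustration (not code from the article, T-Mobile, or any quoted vendor).

Learns a per-user baseline from a training period of constructed audit-log
lines, then runs two detection checks over an incident period:
  1. a successful login from a source never seen for that account, within
     24 hours of a password reset (credentials re-purchased after rotation);
  2. an account cloning far more distinct repositories in a 12-hour window
     than its own learned peak (bulk source-code theft).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CLONE_WINDOW = timedelta(hours=12)   # the 12-hour span the article cites
RESET_GRACE = timedelta(hours=24)    # how long after a reset a new login source is suspicious
MIN_CLONE_ALERT = 20                 # floor so a tiny baseline does not produce noise
BASELINE_MULTIPLIER = 4              # alert above this multiple of the learned peak


def parse(line):
    """Parse a constructed 'ISO-timestamp user action key=value ...' log line."""
    ts, user, action, *kv = line.split()
    extra = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), user, action, extra


def _push(window, ts, repo):
    """Add a clone to a per-user deque, drop entries older than CLONE_WINDOW,
    and return the number of distinct repositories still inside the window."""
    window.append((ts, repo))
    while ts - window[0][0] > CLONE_WINDOW:
        window.popleft()
    return len({r for _, r in window})


def learn_baselines(history):
    """Return (known login sources, peak distinct repos per window) per user."""
    known_src, peak_clones, windows = defaultdict(set), defaultdict(int), defaultdict(deque)
    for ts, user, action, extra in sorted(map(parse, history), key=lambda e: e[0]):
        if action == "login_success":
            known_src[user].add(extra["src"])
        elif action == "repo_clone":
            peak_clones[user] = max(peak_clones[user], _push(windows[user], ts, extra["repo"]))
    return known_src, peak_clones


def detect(lines, known_src, peak_clones):
    """Return alert strings for the incident period, using the learned baselines."""
    alerts, last_reset, windows, clone_alerted = [], {}, defaultdict(deque), set()
    seen_src = defaultdict(set, {u: set(s) for u, s in known_src.items()})  # copy, not mutate
    for ts, user, action, extra in sorted(map(parse, lines), key=lambda e: e[0]):
        if action == "password_reset":
            last_reset[user] = ts
        elif action == "login_success":
            src = extra["src"]
            recently_reset = user in last_reset and ts - last_reset[user] <= RESET_GRACE
            if recently_reset and src not in seen_src[user]:
                alerts.append(f"{ts.isoformat()} {user}: login from new source {src} "
                              f"within {RESET_GRACE} of a password reset")
            seen_src[user].add(src)
        elif action == "repo_clone":
            distinct = _push(windows[user], ts, extra["repo"])
            threshold = max(MIN_CLONE_ALERT, BASELINE_MULTIPLIER * peak_clones[user])
            if distinct > threshold and user not in clone_alerted:   # report once per user
                clone_alerted.add(user)
                alerts.append(f"{ts.isoformat()} {user}: {distinct} distinct repositories "
                              f"cloned within {CLONE_WINDOW} (baseline peak {peak_clones[user]}, "
                              f"threshold {threshold})")
    return alerts


def constructed_history():
    """A normal week for 'alice': one login from the office address and three clones a day."""
    lines, base = [], datetime(2022, 3, 10, 9, 0)
    for day in range(7):
        t = base + timedelta(days=day)
        lines.append(f"{t.isoformat()} alice login_success src=203.0.113.5")
        lines += [f"{(t + timedelta(minutes=10 * i)).isoformat()} alice repo_clone repo=svc-{i}"
                  for i in range(3)]
    return lines


def constructed_incident():
    """Password reset, a login from an unseen address two hours later, then 25 clones in 25 min."""
    reset = datetime(2022, 3, 18, 10, 0)
    lines = [f"{reset.isoformat()} alice password_reset",
             f"{(reset + timedelta(hours=2)).isoformat()} alice login_success src=198.51.100.7"]
    lines += [f"{(reset + timedelta(hours=2, minutes=i)).isoformat()} alice repo_clone repo=repo-{i}"
              for i in range(25)]
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_incident(), *learn_baselines(constructed_history())):
        print(alert)
```

With the constructed data the baseline peak for `alice` is 3 repositories per window, so the clone rule fires once the 21st distinct repository is cloned, and the login from 198.51.100.7 is flagged because it arrives two hours after a reset from an address the account has never used. In a real SOC the same two signals would come from VPN/IdP authentication logs and the Bitbucket audit log, and the baseline would be learned over a longer period per account and per source network rather than per single address.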