March 23, 2022 3:52:47 pm
‘Lapsus$’, a cyber hacking group based in South America, is in the spotlight after a spate of attacks against companies such as Okta, NVIDIA, and even Samsung. Now, the ransomware group is claiming another international company among its list of victims: this time it is Microsoft.
What makes Lapsus$ interesting is that it uses a wide variety of tactics to steal personnel information, gain access to privileged information and, in some cases, obtain the source code of products. According to the cyber security firm Venafi, having possession and control over such source code “could create a massive supply chain reaction, which can lead to numerous organisations and machines being infected and harmed.” We take a look at all the tech companies targeted by Lapsus$ recently.
Microsoft is the latest company to be attacked by Lapsus$ hackers. The company confirmed that hackers compromised “a single account” and source code of several Microsoft products including Bing, Cortana, and more. “Our investigation has found a single account had been compromised, granting limited access,” Microsoft said.
The tech company has given the code name ‘DEV-0537’ to Lapsus$. According to Microsoft’s cybersecurity researchers, the hackers have been expanding the geographic range of their targets and are going after government organisations as well as the tech, telecom and health-care sectors.
“Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk,” the company added in a blog post.
Microsoft says that access to the source code is not a problem for it. The company says it is continuing to investigate the breach and has been tracking the group’s activities for some time now.
In the case of Nvidia, the attackers stole credentials of more than 71,000 Nvidia employees along with the source code of Nvidia’s DLSS (Deep Learning Super Sampling) AI rendering technology and information about six supposed unannounced GPUs.
The hackers demanded that Nvidia remove its lite hash rate (LHR) feature. For the uninitiated, LHR was introduced by the company to limit Ethereum mining capabilities, particularly on the Nvidia RTX 30 series GPUs. This was done after the crypto mining community depleted GPU stocks in 2021. The group is also asking Nvidia to open source its GPU drivers for macOS, Windows, and Linux devices.
Nvidia has acknowledged the attack, saying that it became aware of a cyber security incident that impacted the company’s IT resources.
Okta is a San Francisco-based company which has also been targeted by Lapsus$, though the company initially claimed there was no breach. It should be noted that Okta provides authentication services to hundreds of companies including FedEx Corp, T-Mobile US Inc, Moody’s Corp, Cloudflare and Coinbase Global Inc. Okta claims that the “maximum potential impact” was to 366 customers whose data was accessed by an outside contractor, Sitel. The contractor employed an engineer whose laptop the hackers attacked, according to the company.
Cloudflare CEO Matthew Prince in a tweet said that the company had reset the credentials of some employees “out of (an) abundance of caution” but had confirmed no compromise.
“The biggest concern is LAPSUS$’s claim that the group has breached Okta. In LAPSUS$’s statement, they claim to have access to an admin account which could allow them to reset any customer user account of their choosing. This could include resetting passwords, assigning temporary passwords, and resetting multifactor authentication. If true, the impact of this access could be devastating considering Okta has a customer base of more than 15,000 customers,” Douglas McKee, Principal Engineer at Trellix said in a statement.
LAPSUS$ has a strong reputation for successful breaches with the same pattern of stealing intellectual property such as source code.
“This morning, March 22nd LAPSUS$ stated that they have struck again and breached Okta, an Access Management provider. This is just days after they announced breaching Microsoft’s Azure DevOps portal and only two hours after announcing their second compromise in a year of LG Electronics,” McKee added.
Samsung on Monday confirmed that it also observed a “security breach” which apparently “had occurred related to internal company data”, but said that customer and employee data were not impacted. The source code for the Galaxy devices was likely stolen by the hackers, according to some reports. Samsung, however, claims no personal user or employee data was compromised.
According to Security Affairs, which also published a screen grab of the data leak, the hackers said on a Telegram group that they had breached Samsung’s biometric authentication information and obtained source code from both Samsung and one of its suppliers, Qualcomm.
On March 22, the hackers also uploaded a file to a Telegram group, claiming that it contained the password hash values of LG Electronics’ employee and service accounts. Meanwhile, the company has not confirmed this attack so far. More details on this are awaited.