Security expert reveals social engineering techniques used
A hacking gang known for extortion of telco subscribers is now moving on to stealing source code, with US operator T-Mobile its first target. The UK-based Lapsus$ extortion gang gained access to DT-owned T-Mobile’s network on Friday, according to news site Security Affairs. Security investigator Brian Krebs raised the alarm after he reviewed a copy of the private chat messages between members of the cybercrime group. Krebs found chats on the group’s Telegram channels that were restricted to the core seven members of the group, said KrebsOnSecurity. The logs show the Lapsus$ group frequently had access to the T-Mobile network in March, and the hackers claim to have stolen source code for multiple company projects.
Krebs on the case
According to Krebs, Lapsus$ is known for stealing data and then demanding a ransom not to publish or sell it. But, he said, these particular conversations indicate cash is of little interest to the teenage leader of Lapsus$. His or her new obsession is with stealing and leaking proprietary computer source code from the world’s largest tech companies. In the latest breach in March, the virtual private network (VPN) credentials for initial access were obtained from illicit websites like Russian Market, with the goal of gaining control of T-Mobile employee accounts. This would allow the threat actor to carry out SIM swapping attacks at will.
Persona non grata
The new priority mentioned in a chat titled Lapsus Jobs is ‘Device enrollment’ (sic). This involves social engineering, getting staff at the target firm to add one of their computers or mobiles to the list of devices allowed to authenticate with the company’s virtual private network (VPN), wrote Krebs. “The messages show LAPSUS$ members continuously targeted T-Mobile employees, whose access to internal company tools could give them everything they needed to conduct hassle-free SIM swaps – reassigning a target’s mobile phone number to a device they controlled.” Other members of the gang’s chat had wanted to concentrate on extortion through SIM swaps, but the gang leader seemed more interested in stealing source code from the telco, according to Krebs’ interpretation of the chat room conversation.
Everything is not what it SIMs
T-Mobile has said no customer or government information was compromised. However, screenshot images on the chats suggest that the gang got into the internal Atlas system, along with access to Slack and Bitbucket accounts, which presumably revealed internal conversations among T-Mobile employees. “Roughly 12 hours later, White posts a screenshot in their private chat showing his automated script had downloaded more than 30,000 source code repositories from T-Mobile,” said Krebs. “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value,” T-Mobile said. “Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
Lapsus$ in concentration
Previously, the Lapsus$ gang has compromised NVIDIA, Samsung, Ubisoft, Mercado Libre, Vodafone, Microsoft, Okta and Globant, Security Affairs has revealed. In April, City of London Police charged two of the seven teenagers who were arrested for their alleged role in the Lapsus$ data extortion gang. UK police suspect that a 16-year-old from Oxford is one of the leaders of the popular Lapsus$ group.