Although some alleged Lapsus$ hackers were arrested in March 2022, the hacker group continues to target and attack high-profile victims.
Here's a regularly updated list of alleged Lapsus$ cyberattack targets, the associated fallout, and steps that MSSPs can take to protect customers from such attacks.
- Globant: Digital transformation developer Globant confirmed that Lapsus$ had stolen source code developed for its clients. Source: SC Media, March 30, 2022.
- Microsoft Azure: Lapsus$ claims to have leaked the source code for Bing, Cortana, and other projects stolen from Microsoft's internal Azure DevOps server. Microsoft later confirmed a hack by Lapsus$. Sources: BleepingComputer and Microsoft, March 22, 2022.
- Nvidia: A cyberattack targeting Nvidia allegedly involved the Lapsus$ ransomware gang. Attackers have since leaked some Nvidia company information online, but the cyberattack did not impact the company’s operations and there’s no evidence that ransomware was deployed on Nvidia’s network, the chip maker has stated. Source: MSSP Alert, March 1, 2022.
- Okta: The identity and access management (IAM) software company is investigating an alleged data breach that may have been launched by Lapsus$. In a tweet, Okta CEO Todd McKinnon said there was no evidence of malicious activity beyond some activity detected in January 2022. Still, some observers expressed concern that Okta partners and customers could potentially suffer from a supply chain attack. Source: MSSP Alert, March 22, 2022.
- Samsung: The mobile device giant confirmed a rumored data breach in which hackers stole some Galaxy device source code. Still, Samsung stopped short of blaming the alleged culprit -- Lapsus$ -- for the breach. Source: MSSP Alert, March 7, 2022.
- T-Mobile: Lapsus$ breached T-Mobile multiple times in March 2022, stealing source code for a range of company projects. T-Mobile says no customer or government information was stolen in the intrusion. Source: KrebsOnSecurity, April 22, 2022.
Lapsus$ surfaced in December 2021 and the group may be led by one or more teenagers, Bloomberg reports. The group's tactics differ from other threat groups' in that Lapsus$ "eschews the typical exfiltrate-encrypt-extort playbook, instead concentrating on the data theft and extortion, and the gang has a flair for the dramatic in its demands," The CyberWire reports.
How to Protect Against Lapsus$ Ransomware Attacks
The FBI's general guidance against ransomware attacks includes these 10 recommendations:
- Back-up critical data offline.
- Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
- Secure back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
- Use multi-factor authentication with strong passwords, including for remote access services.
- Keep computers, devices and applications patched and up-to-date.
- Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
- Consider adding an email banner to emails received from outside your organization.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Implement network segmentation.
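Two of the recommendations above, monitoring remote access/RDP logs and auditing accounts with administrative privileges, are easier to act on with a small automated sweep over exported Windows Security events. The following script is an added example written for this article; it is not code from the FBI, CISA or the article's author. It assumes events have been exported as JSON lines carrying the standard Event ID 4624/4625 fields (EventID, LogonType, TargetUserName, IpAddress); the sample events, the allowlisted address range and the list of privileged accounts are constructed for illustration and would normally come from your SIEM and your own account inventory.

```python
"""Flag Remote Desktop (RDP) logons that merit analyst review.

Added example, not part of the original article. Event lines, the
allowlisted address range and the privileged-account list are constructed
for illustration.
"""
import ipaddress
import json

# Constructed sample: Windows Security events exported as JSON lines.
# Event ID 4624 = successful logon, 4625 = failed logon;
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.20.5.14", "TimeCreated": "2022-03-21T08:02:11Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "198.51.100.77", "TimeCreated": "2022-03-21T08:05:43Z"}
{"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe", "IpAddress": "127.0.0.1", "TimeCreated": "2022-03-21T08:06:00Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "da-admin", "IpAddress": "10.20.7.3", "TimeCreated": "2022-03-21T23:41:09Z"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.9", "TimeCreated": "2022-03-21T23:45:30Z"}
"""

# Constructed: address ranges from which RDP is expected (e.g. the VPN pool).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
# Constructed: accounts that hold administrative privileges (from your audit).
PRIVILEGED_ACCOUNTS = {"da-admin", "administrator"}
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse a JSON-lines export into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole sweep
    return events


def _is_allowed_source(ip_text):
    """True if the source address falls inside an allowlisted range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # "-" or an empty field: never treat as allowlisted
    return any(ip in net for net in ALLOWED_SOURCES)


def find_rdp_findings(events):
    """Return (reason, username, source_ip) tuples for RDP events worth review:
    failed RDP logons, successful RDP logons from outside the allowlist, and
    any RDP use of a privileged account."""
    findings = []
    for ev in events:
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        user = ev.get("TargetUserName", "")
        src = ev.get("IpAddress", "")
        if ev.get("EventID") == 4625:
            findings.append(("failed RDP logon", user, src))
        elif ev.get("EventID") == 4624:
            if not _is_allowed_source(src):
                findings.append(("RDP logon from non-allowlisted source", user, src))
            if user.lower() in PRIVILEGED_ACCOUNTS:
                findings.append(("privileged account used over RDP", user, src))
    return findings


if __name__ == "__main__":
    for reason, user, src in find_rdp_findings(parse_events(SAMPLE_EVENTS)):
        print(f"{reason}: user={user} source={src}")
```

Run against the constructed sample it reports three items: a service account connecting from an address outside the allowlist, a domain admin account used interactively over RDP late at night, and a failed RDP attempt against the built-in administrator account. Each corresponds to a control in the list above (least-privilege review of admin accounts, restriction of remote access to expected sources, and monitoring of RDP logs), which is the point of wiring the guidance into a repeatable check rather than an occasional manual review.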
How MSPs and MSSPs Can Respond to and Recover From Ransomware Attacks
If a ransomware incident occurs, CISA, the FBI and NSA recommend the following four actions:
- Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- Scan your backups. If possible, scan your backup data with an antivirus program to check that it is free of malware.
- Report incidents immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office.
- Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.