Uber and Rockstar – has a LAPSUS$ linchpin just been busted (again)?

Credit to Author: Paul Ducklin | Date: Sat, 24 Sep 2022 22:57:38 +0000

The curious name LAPSUS$ made huge headlines in March 2022 as the nickname of a hacking gang, or, in unvarnished words, as the label for a notorious and active collective of cybercriminals:

The name was somewhat unusual for a cybercrime crew, who commonly adopt soubriquets that sound edgy and destructive, such as DEADBOLT, Satan, Darkside, and REvil.

As we mentioned back in March, however, lapsus is as good a modern Latin word as any for “data breach”, and the trailing dollar sign signifies both financial value and programming, being the traditional way of denoting that a BASIC variable is a text string, not a number.

The gang, team, crew, posse, collective, gaggle, call it what you will, of attackers apparently presented a similar sort of ambiguity in their cybercriminality.

Sometimes, they seemed to show that they were serious about extorting money or ripping off cryptocurrency from their victims, but at other times they seemed simply to be showing off.

Microsoft admitted at the time that it had been infiltrated by LAPSUS$, though the software giant referred to the group as DEV-0537, with the criminals apparently stealing gigabytes of source code.

Okta, a 2FA service provider, was another high-profile victim, where the hackers acquired RDP access to a support techie’s computer, and were therefore able to access a wide range of Okta’s internal systems as if they were logged in directly to Okta’s own network.

That support techie didn’t work for Okta, but for a company contracted by Okta, so that the attackers were essentially able to breach Okta’s network without breaching Okta itself.

Intriguingly, even though Okta’s breach happened in January 2022, neither Okta nor its contractor made any public admission of the breach for about two months, while a forensic examination took place…

…until LAPSUS$ apparently decided to pre-empt any official announcement by dumping screenshots to “prove” the breach, ironically on the very same day that Okta received the final forensic report from the contractor (how, or if, LAPSUS$ got advance warning of the report’s delivery is unknown):

Next on the attack docket was graphics chip vendor Nvidia, who apparently also suffered a data heist, followed by one of the weirdest ransomware-with-a-difference extortion demands on record – open-source your graphics driver code, or else:

As we said in the Naked Security podcast (S3 Ep73):

Normally, the connection between cryptocurrency and ransomware is the crooks figure, “Go and buy some cryptocurrency and send it to us, and we’ll decrypt all your files and/or delete your data.” […]

But in this case, the connection with cryptocurrency was they said, “We’ll forget all about the massive amount of data we stole if you open up your graphics cards so that they can cryptomine at full power.”

Because that goes back to a change that Nvidia made last year [2021], which was very popular with gamers [by discouraging cryptominers from buying up all the Nvidia GPUs on the market for non-graphics purposes].

A different sort of cybercriminal?

For all that the online activities attributed to LAPSUS$ have been seriously and unashamedly criminal, the group’s post-exploitation behaviour often seemed rather old-school.

Unlike today’s multimillion-dollar ransomware attackers, whose primary motivations are money, money and more money, LAPSUS$ apparently aligned more closely with the virus-writing scene of the late 1980s and 1990s, where attacks were commonly conducted simply for bragging rights and “for the lulz”.

(The phrase for the lulz translates roughly as in order to provoke insultingly mirthful laughter, based on the acronym LOL, short for “laughing out loud”.)

So, when the City of London Police announced, just two days after the not-so-mirthful-at-all screenshots of the Okta attack appeared, that it had arrested what sounded like a motley bunch of youngsters in the UK for allegedly being members of a hacking group…

…the world’s IT media quickly made a connection with LAPSUS$:

As far as we’re aware, UK law enforcement has never used the word LAPSUS$ in connection with the suspects in that arrest, noting back in March 2022 simply that “our enquiries remain ongoing.”

Nevertheless, an apparent link with LAPSUS$ was inferred from the fact that one of the youngsters busted was said to be 17 years old, and to hail from Oxfordshire in England.

Fascinatingly, a hacker of that age who allegedly lived in a town just outside Oxford, the city from which the surrounding county gets its name, had been outed by a disgruntled cybercrime rival not long before, in what’s known as a doxxing.

Doxxing is where a cybercriminal releases stolen personal documents and details on purpose, often in order to put an individual at risk of arrest by law enforcement, or in danger of retribution by ill-informed or malevolent opponents.

The doxxer leaked what he claimed was his rival’s home address, together with personal details and photos of him and close family members, as well as a bunch of allegations that he was some kind of linchpin in the LAPSUS$ crew.

LAPSUS$ back in the spotlight

As you can imagine, the recent Uber hacking stories revived the name LAPSUS$, given that the attacker in that case was widely claimed to be 18 years old, and was apparently only interested in showing off:

As Chester Wisniewski explained in a recent podcast minisode:

[I]n this case, […] it seems to be “for the lulz”. […T]he person who did it was mostly collecting trophies as they bounced through the network – in the form of screenshots of all [the] different tools and utilities and programs that were in use around Uber – and posting them publicly, I guess for the street cred.

Shortly after the Uber hack, nearly an hour’s worth of what seemed to be video clips from the forthcoming game GTA6, apparently screen captures made for debugging and testing purposes, were leaked following an intrusion at Rockstar Games.

Once again, the same young hacker, with the same presumed connection to LAPSUS$, was implicated in the attack.

This time, reports suggest that the hacker had more in mind than merely bragging rights, allegedly saying that they were “looking to negotiate a deal.”

So, when City of London Police tweeted earlier this week that they had “arrested a 17-year-old in Oxfordshire on suspicion of hacking”…

…you can imagine what conclusions the Twittersphere quickly reached.

It must be the same person!

After all, what’s the chance that we’re talking about two different and unconnected suspects here?

The only thing we don’t know is quite where the LAPSUS$ moniker comes into it, if indeed it’s involved at all.

O, what a tangled web we weave/When first we practise to deceive.




Here's one way we think you can estimate the probability that the suspect in the two arrests is the same person.

We need P, the population of Oxfordshire. (We assume that by saying "Oxfordshire", the police somewhat parochially meant "the county districts excluding Oxford City in the centre of the region", or else they'd have simply said he was "from Oxford".)

We need A, an estimate of the proportion of people in the region who are currently aged 17.

We need M, an estimate of the proportion of males in the population. (The police tweet says "he is in custody".)

Then we have to try to figure out, from that specific cohort of people, the following probabilities:

F = Prob(those with the needed patience and skills and who are actively into criminal hacking)
G = Prob(criminal hackers of this type in the region who get caught)
H = Prob(those who continue hacking and bragging after getting bail for doing just that)

Based on local government census data and country-wide age statistics, we get:

P = 563,000 (Cherwell District + Vale of White Horse + West Oxon + South Oxon)
A = 0.05 (5%)
M = 0.5 (one half, or 50%)
F = 0.01 (1%)
G = 0.10 (10%)
H = 0.10 (10%)

You can plug in your own estimates for the above (our 5% band for 17-year-olds is probably too high, as the stats we used only have a band covering 15-17), but we worked out the size of the set simply as: P×A×M×F×G×H.

With our guesses, you get 563,000 × 5% × 50% × 1% × 10% × 10%.

That comes out at 1.4 people.

We think that's a 70% (1/1.4) chance it's the same person.

Population: https://insight.oxfordshire.gov.uk/cms/population
Demography: https://www.ethnicity-facts-figures.service.gov.uk/uk-population-by-ethnicity/demographics/age-groups/latest
