Mastermind of Lapsus$ Is Likely a Teen Living With His Mother in Oxford, England
Israel blocked Ukraine from buying Pegasus spyware out of fear of Russia, Satellite communications remain offline after month-ago Viasat cyberattack, Ukraine fears cyber defense fatigue, much more
Four researchers investigating the hacking group Lapsus$ on behalf of attacked companies said they believe a 16-year-old who goes by the name “White” and “breachbase” and lives at his mother’s house near Oxford, England is the mastermind. The researchers suspect the teen of being behind some of the major hacks carried out by Lapsus$, but they haven’t been able to conclusively tie him to every hack Lapsus$ has claimed. Lapsus$ has been responsible for a series of high-profile hacks of major corporations, including two recent incidents involving Okta and Microsoft.
Investigators suspect another member of Lapsus$ is a teenager residing in Brazil. According to cyber intelligence firm Flashpoint, the bulk of the group’s fifteen victims has been in Latin America and Portugal. One person investigating the group said security researchers had identified seven individual accounts associated with the hacking group, indicating that there are likely others involved in the group’s operations. According to two researchers, the group suffers from poor operational security, allowing cybersecurity companies to gain intimate knowledge about the teenage hackers.
LAPSUS$ has been recruiting insiders via multiple social media platforms since at least November 2021. One of the core LAPSUS$ members who used the nicknames “Oklaqq” and “WhiteDoxbin,” who is a minor, posted recruitment messages to Reddit last year, offering employees at AT&T, T-Mobile, and Verizon up to $20,000 a week to perform “inside jobs.” Before launching LAPSUS$, WhiteDoxbin was a founding member of a cybercriminal group called the “Recursion Team.”
WhiteDoxbin purchased the Doxbin, a long-running, text-based website where anyone can post the personal information of a target or find personal data on hundreds of thousands who have already been “doxed.” After being forced to sell Doxbin at a loss, WhiteDoxbin leaked the entire Doxbin data set (including private doxes that had remained unpublished on the site as drafts) to the public via Telegram.
Microsoft said LAPSUS$ has used “SIM swapping” to access critical accounts at target organizations. It has also has been known to gain access to victim organizations by deploying the “Redline” password-stealing malware, searching public code repositories for exposed passwords, and purchasing credentials and session tokens from criminal forums. (William Turton and Jordan Robertson / Bloomberg and Brian Krebs / Krebs on Security)
briankrebs @briankrebsFrom a security pro who fought LAPSUS$: It forces us to shift thinking about insider access. Nation states want longer, strategic access; ransomware groups want lateral movement. LAPSUS$ asks: What can this account get me in the next 6 hours? We haven’t optimized to defend that.
briankrebs @briankrebsExperts say the LAPSUS$ data extortion group that hit Okta and Microsoft this week is run by a 17-year-old from the UK who recently bought the Doxbin doxing website, and then leaked its database. Naturally, Doxbin responded by doxing the LAPSUS$ leader. https://t.co/bJ2V4Xy74S
Israeli defense officials blocked a Ukrainian effort to acquire the powerful Pegasus spyware system out of fear that such a move would upset Russia, people familiar with the decision said.
Ukraine’s efforts to bolster its surveillance capabilities had support from the United States, Israel’s closest ally. Israel’s Defense Exports Controls Agency rejected a possible license that would have allowed the NSO Group to offer Pegasus to Ukraine, said the people familiar with the decision, including Western intelligence officials. These people believed this action happened as far back as 2019, but the exact timing was unclear. Concerns about the Russian reaction also affected NSO’s dealings with Estonia, a member of NATO, the sources say.
Ukraine’s desire to acquire Pegasus and Israel’s reluctance to allow the move was previously reported by Israel’s Channel 12. (Craig Timberg, Stephanie Kirchgaessner, Souad Mekhennet, Ellen Nakashima and Shane Harris / Washington Post)
Ramez Naam @ramezIsrael sold spyware to despots and dictators. But not to young democracies Ukraine and Estonia. I see. Fyi @doctorow @evacide https://t.co/Rioa8EXJyk
A month after a mysterious cyberattack disrupted communications from Viasat’s KA-SAT communications satellite, disrupting communications in Ukraine and across Europe, thousands remain offline in Europe, with companies racing to replace broken modems or fix connections with updates.
For the most part, the Ukrainian government has remained tight-lipped about the attack. However, satellite communications appear to be frequently used in the country. No government has officially attributed the attack to Russia, despite speculation it may have caused the attack to disrupt communications in Ukraine. (Matt Burgess / Wired)
A month after Russia’s invasion of Ukraine, officials there have taken solace that their critical networks have withstood weeks of cyber assaults but worry that Russia’s vaster resources mean that it could wear down the online resistance.
Following defacements of Ukrainian government sites in January, Ukrenergo, the government-owned power transmission company, experienced a spike in efforts to break into its network, triple the levels a year ago. One attempt involved a compromised local employee trying to sneak malware onto the company’s premises. The sudden loss of data connection due to an attack on satellite provider Viasat’s communication satellite has knocked out dozen of military-grade modems. These attacks and others have yet to cease. (Mehul Srivastava / Financial Times)
Network engineers hailed as hidden heroes are venturing into Ukraine’s war zones to fix cables and base stations in the minutes and hours after Russian bombs have damaged them. But unfortunately, the work is hindered not only by curfews, poor light, bad weather, fried wires, and damaged server racks but also by the near-constant threat of being killed by Russian President Vladimir Putin’s unprovoked war.
Ukraine’s telecommunications companies, Kyivstar, Vodafone, and Lifecell, help fix one another’s bombed-out base stations and let customers move seamlessly over to another operator’s network should their contracted one go down. Outside assistance comes from major network providers, including Sweden’s Ericsson and China’s Huawei. (Thomas Brewster / Forbes)
Thomas Brewster @iblametomNEW - Going through unsafe “safe” corridors and dodging bombs to get to blitzed telecoms centres to keep the internet on… Here are the stories of the engineers who risk their lives to keep information flowing in and out of bombarded Ukrainian cities. https://t.co/GZZLm1l9OR
The FBI is sending recruitment ads on social media aimed at disgruntled Russian embassy employees in Washington, DC, hoping to leverage any displeasure they may have over Vladimir Putin’s invasion of Ukraine.
The ads on Facebook, Twitter, and Google are carefully geographically targeted, focused on a narrow perimeter around the embassy. The unlikely star of the campaign is Russian President Vladimir Putin, whose own words are used to encourage people working in or visiting the embassy to talk to the FBI. (Devlin Barrett / Washington Post)
Deputy prime minister and head of the Digital Transformation Ministry in Ukraine, Mykhailo Fedorov, confirmed on his Telegram profile that surveillance technology is used to identify dead Russian soldiers to show their family members what happened to the victims of Putin’s war and Ukraine’s defense.
Federov’s admission comes weeks after Clearview AI, the New York-based facial recognition provider, started offering its services to Ukraine for those same purposes. (Thomas Brewster / Forbes)
Nestlé, which said it would stop selling KitKats and other brands in Russia, says that corporate data leaked online this week by Anonymous was not stolen but was publicly available test data that was unintentionally made accessible online for a short time on a single day business test website.
Nestlé said it quickly investigated the leak and no further action was deemed necessary. The 10GB of data Anonymous claimed to have stolen is a 6MB download that unpacks to less than 100MB of plain-text SQL database dumps and does appear to be test data rather than a full-blown internal leak. (Jessica Lyons Hardcastle / The Register)
Related: The Record
Identity-protection firm Okta has come under fire for its slow drip of information that left its customers uncertain what to do in the wake of a breach of the company by hacking group Lapsus$.
In a webinar briefing, Okta’s Chief Security Officer David Bradbury said the company should have moved faster after receiving the initial report about the incident on March 17, adding that he expects some questions will remain unanswered. (David Uberti and James Rundle / Wall Street Journal)
Related: Venture Beat
Researchers at ESET have linked a China-based advanced persistent threat (APT) group known as Mustang Panda to an ongoing cyber-espionage campaign using a previously undocumented variant of the PlugX remote access trojan they call Hodur on infected machines.
Hodur is equipped to handle a variety of commands, enabling the implant to gather extensive system information, read and write arbitrary files, execute commands, and launch a remote cmd.exe session. The victims include research entities, internet service providers (ISPs), and European diplomatic missions primarily located in East and Southeast Asia. (Ravie Lakshmanan / The Hacker News)
Cashio Dollar, a stablecoin on the Solana blockchain, has been exploited for around $52.8 million and lost practically all of its value.
The exploit used to crash the coin is a protocol called infinite mint glitch, where a protocol is mistakenly designed to allow a user to mint as many tokens as they would like, typically without providing any collateral that might otherwise be needed. Once someone can mint infinite tokens, they can sell them on the market, crushing a token's price. (Tim Copeland / The Block)
The FBI might be coming up short when helping ransomware victims restore their systems, according to an investigation released Thursday by the Senate Homeland Security and Governmental Affairs Committee’s ranking member Rob Portman (R-OH).
The report documents the experiences of three victims targeted by the REvil ransomware gang and shows how difficult it is for all organizations to account for all vulnerabilities and defend against sophisticated cyber adversaries. The victims told the committee that the Federal Bureau of Investigation (FBI) prioritized its investigative efforts into REvil’s operations over protecting the companies’ data and mitigating damage. The companies also indicated they did not receive advice on best practices for responding to a ransomware attack or other helpful guidance from the Federal Government. (Tonya Jo Riley / Cyberscoop)
To close the 3.5 million cybersecurity jobs gap, Microsoft said it would expand its cybersecurity skilling initiative to 23 additional countries.
Microsoft initially launched the skilling campaign in the U.S. last fall, partnering with 135 community colleges to skill and recruit workers into the cybersecurity industry. The countries, which include Australia, Brazil, Canada, and India, were chosen due to their “elevated cyberthreat risk.” (Amber Burton / Protocol)
Enterprise secure browsing company Island announced it had raised $115 million in a Series B venture funding round.
New York-based global venture capital and private equity firm Insight Partners led the round with existing investors Stripes and Sequoia Capital also participating. (Carly Page / TechCrunch)
Eyeball scanning user authentication company Worldcoin is raising $100 million from investors, including Andreessen Horowitz, a previous backer, and Khosla Ventures, through the sale of its Worldcoin tokens, according to two people with direct knowledge of the matter.
Worldcoin plans to create a global distribution of cryptocurrency by scanning people’s eyes through volleyball-sized chrome spheres called “Orbs” for user authentication. (Kate Clark and Berber Jin / The Information)
Cyberattack defense company MixMode announced it had raised $45 million in a Series B venture funding round.
PSG led the round with participation from existing investor Entrada Ventures. (Kyle Alspach / Venture Beat)
Security and compliance solutions provider Theta Lake announced it had raised $50 million in a Series B venture funding round.
Battery Ventures led the round, while collaboration platform vendors that participated were Cisco Investments, RingCentral Ventures, Zoom, and Salesforce Ventures. Other backers in the round were Neotribe Ventures and Lightspeed Venture Partners. (Kyle Alspach / Venture Beat)