Metacurity

Mastermind of Lapsus$ Is Likely a Teen Living With His Mother in Oxford, England
metacurity.substack.com

Israel blocked Ukraine from buying Pegasus spyware out of fear of Russia, Satellite communications remain offline after month-ago Viasat cyberattack, Ukraine fears cyber defense fatigue, much more

Cynthia Brumfield
Mar 24

Four researchers investigating the hacking group Lapsus$ on behalf of attacked companies said they believe a 16-year-old who goes by the names “White” and “breachbase” and lives at his mother’s house near Oxford, England, is the mastermind. The researchers suspect the teen of being behind some of the major hacks carried out by Lapsus$, but they haven’t been able to conclusively tie him to every hack Lapsus$ has claimed. Lapsus$ has been responsible for a series of high-profile hacks of major corporations, including two recent incidents involving Okta and Microsoft.

Investigators suspect another member of Lapsus$ is a teenager residing in Brazil. According to cyber intelligence firm Flashpoint, the bulk of the group’s fifteen victims have been in Latin America and Portugal. One person investigating the group said security researchers had identified seven individual accounts associated with the hacking group, indicating that others are likely involved in the group’s operations. According to two researchers, the group suffers from poor operational security, which has allowed cybersecurity companies to gain intimate knowledge about the teenage hackers.

LAPSUS$ has been recruiting insiders via multiple social media platforms since at least November 2021. One of the core LAPSUS$ members, a minor who used the nicknames “Oklaqq” and “WhiteDoxbin,” posted recruitment messages on Reddit last year, offering employees at AT&T, T-Mobile, and Verizon up to $20,000 a week to perform “inside jobs.” Before launching LAPSUS$, WhiteDoxbin was a founding member of a cybercriminal group called the “Recursion Team.”

WhiteDoxbin purchased the Doxbin, a long-running, text-based website where anyone can post the personal information of a target or find personal data on hundreds of thousands who have already been “doxed.” After being forced to sell Doxbin at a loss, WhiteDoxbin leaked the entire Doxbin data set (including private doxes that had remained unpublished on the site as drafts) to the public via Telegram.

Microsoft said LAPSUS$ has used “SIM swapping” to access critical accounts at target organizations. The group has also been known to gain access to victim organizations by deploying the “Redline” password-stealing malware, searching public code repositories for exposed passwords, and purchasing credentials and session tokens from criminal forums. (William Turton and Jordan Robertson / Bloomberg and Brian Krebs / Krebs on Security)
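The repository-scanning vector mentioned above is one a defender can run against their own code before an attacker does. What follows is an added example written for this page; it is not Microsoft's or Krebs's code and not a tool LAPSUS$ is reported to have used. It scans a constructed settings file for publicly documented token formats (AWS AKIA key IDs, GitHub ghp_ tokens, Slack xox tokens) and for hard-coded "name = 'value'" assignments, and uses a Shannon-entropy threshold to drop placeholders such as "changeme". The sample file, the pattern list and the entropy threshold are all assumptions made for the example.

```python
"""Scan source text for credentials that should never have been committed.

Added illustration of the technique above (searching code repositories for
exposed passwords and tokens), written for this page; it is not Microsoft's,
Krebs's or LAPSUS$'s code. The key formats are publicly documented prefixes,
and the sample file below is constructed for the example.
"""
import math
import re
from collections import Counter

# Specific token formats first, then a generic "name = 'value'" assignment.
# Group 2 of the generic pattern is the candidate secret.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack_token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b")),
    ("hardcoded_secret_assignment", re.compile(
        r"(?i)\b\w*?(password|passwd|pwd|secret|api[_-]?key|token)"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Values that match the generic pattern but are clearly not live secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, min_entropy: float = 3.0) -> list:
    """Return (line_number, finding_type, value) for each credential-like string.

    A value is reported once per line: the specific token patterns run first, so
    a GitHub token is labelled as such rather than as a generic assignment.
    """
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(2) if name == "hardcoded_secret_assignment" else m.group(0)
                if (lineno, value) in seen:
                    continue
                if name == "hardcoded_secret_assignment" and (
                    value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy
                ):
                    continue  # placeholder or low-entropy word, not a real secret
                seen.add((lineno, value))
                findings.append((lineno, name, value))
    return findings


# Constructed sample resembling a settings file committed by mistake.
# The AWS key is the documented example value, not a live credential.
SAMPLE = """\
# settings.py
DEBUG = True
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5"
api_key = "q8Zt2vLp9RwKm4XnE7yBc1Hd"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {value[:6]}...")
```

Run against a checkout with `git ls-files | xargs cat` piped into `scan_text`; for history, feed each revision's blobs, since a secret removed in a later commit is still in the repository. The entropy cut-off is deliberately low so that real keys are not missed; tune it upward only if the placeholder list is not enough to keep noise down.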

Related: Engadget, CIO News, The Straits Times Tech News, TechDator, Security Affairs, The Hacker News

William Turton @WilliamTurton
Yep. I was having flashbacks to reporting on the Twitter hackers while researching Lapsus$. A lot of similarities in hacking methods and also a deep well of insane hacker drama. Clearly Lapsus$ is much more prolific though

Quoting briankrebs @briankrebs
From a security pro who fought LAPSUS$: It forces us to shift thinking about insider access. Nation states want longer, strategic access; ransomware groups want lateral movement. LAPSUS$ asks: What can this account get me in the next 6 hours? We haven’t optimized to defend that.

March 24th 2022
briankrebs @briankrebs
It's tempting to dismiss LAPSUS$ as childish and fame-seeking. That may be true. But everyone in charge of security should know that this level of social engineering to steal access is the new norm. Microsoft's post-mortem on this group is worth reading:
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction - Microsoft Security Blog: “The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads.” (microsoft.com)

March 23rd 2022
Marcus Hutchins @MalwareTechBlog
Oh look, it was kids again...

Quoting briankrebs @briankrebs
Experts say the LAPSUS$ data extortion group that hit Okta and Microsoft this week is run by a 17-year-old from the UK who recently bought the Doxbin doxing website, and then leaked its database. Naturally, Doxbin responded by doxing the LAPSUS$ leader. https://t.co/bJ2V4Xy74S

March 23rd 2022

Israeli defense officials blocked a Ukrainian effort to acquire the powerful Pegasus spyware system out of fear that such a move would upset Russia, people familiar with the decision said.

Ukraine’s efforts to bolster its surveillance capabilities had support from the United States, Israel’s closest ally. Israel’s Defense Export Controls Agency rejected a possible license that would have allowed the NSO Group to offer Pegasus to Ukraine, said the people familiar with the decision, including Western intelligence officials. These people believe the rejection came as far back as 2019, but the exact timing was unclear. Concerns about the Russian reaction also affected NSO’s dealings with Estonia, a member of NATO, the sources say.

Ukraine’s desire to acquire Pegasus and Israel’s reluctance to allow the move was previously reported by Israel’s Channel 12. (Craig Timberg, Stephanie Kirchgaessner, Souad Mekhennet, Ellen Nakashima and Shane Harris / Washington Post)

Related: The Guardian, New York Times, Gizmodo, Times of Israel

Eva @evacide
Oh look. It turns out that Israel can block the sale of spyware to certain countries for political purposes when they really want to, but only when it helps authoritarians.

Quoting Ramez Naam @ramez
Israel sold spyware to despots and dictators. But not to young democracies Ukraine and Estonia. I see. Fyi @doctorow @evacide https://t.co/Rioa8EXJyk

March 23rd 2022

A month after a mysterious cyberattack on Viasat’s KA-SAT satellite disrupted communications in Ukraine and across Europe, thousands of users remain offline in Europe, with companies racing to replace broken modems or restore connections with updates.

For the most part, the Ukrainian government has remained tight-lipped about the attack, although satellite communications appear to be widely used in the country. No government has officially attributed the attack to Russia, despite speculation that Russia launched it to disrupt communications in Ukraine. (Matt Burgess / Wired)

Celestino Güemes @tguemes
So far, the most significant "victory" of Russia in this cyberwar. But don't get too complacent, they have the capability for doing a lot of damage. "A Mysterious Satellite Hack Has Victims Far Beyond Ukraine"
buff.ly/3iwIn9C

March 24th 2022

A month after Russia’s invasion of Ukraine, officials there have taken solace that their critical networks have withstood weeks of cyber assaults but worry that Russia’s vaster resources mean that it could wear down the online resistance.

Following defacements of Ukrainian government sites in January, Ukrenergo, the government-owned power transmission company, experienced a spike in attempts to break into its network, triple the level of a year earlier. One attempt involved a compromised local employee trying to sneak malware onto the company’s premises. The sudden loss of data connectivity caused by the attack on satellite provider Viasat’s KA-SAT satellite knocked out dozens of military-grade modems. These attacks and others have yet to cease. (Mehul Srivastava / Financial Times)

Anne-Sylvaine Chassany @ChassNews
“They were trying everything, trying to break in through our website, trying DDoS,” said Kharchenko. “It was 24/7.” /// Inside Ukraine’s cyber defence: the battle against Moscow’s online salvos via @FT @MehulAtLarge
(on.ft.com)

March 24th 2022

Network engineers hailed as hidden heroes are venturing into Ukraine’s war zones to fix cables and base stations in the minutes and hours after Russian bombs have damaged them. But unfortunately, the work is hindered not only by curfews, poor light, bad weather, fried wires, and damaged server racks but also by the near-constant threat of being killed by Russian President Vladimir Putin’s unprovoked war.

Ukraine’s telecommunications companies, Kyivstar, Vodafone, and Lifecell, help fix one another’s bombed-out base stations and let customers move seamlessly over to another operator’s network should their contracted one go down. Outside assistance comes from major network providers, including Sweden’s Ericsson and China’s Huawei. (Thomas Brewster / Forbes)

Frank Bajak @fbajak
The extraordinary lengths Ukrainian telecoms engineers are going to in order to keep the internet up. All this with continued damage reported, including to fiber-optic links: https://t.co/44NpMAKqDs

Quoting Thomas Brewster @iblametom
NEW - Going through unsafe “safe” corridors and dodging bombs to get to blitzed telecoms centres to keep the internet on… Here are the stories of the engineers who risk their lives to keep information flowing in and out of bombarded Ukrainian cities. https://t.co/GZZLm1l9OR

March 23rd 2022

The FBI is sending recruitment ads on social media aimed at disgruntled Russian embassy employees in Washington, DC, hoping to leverage any displeasure they may have over Vladimir Putin’s invasion of Ukraine.

The ads on Facebook, Twitter, and Google are carefully geographically targeted, focused on a narrow perimeter around the embassy. The unlikely star of the campaign is Russian President Vladimir Putin, whose own words are used to encourage people working in or visiting the embassy to talk to the FBI. (Devlin Barrett / Washington Post)

Kim Zetter @KimZetter
FBI ads attempting to recruit disgruntled Russians at embassy in DC appear on Facebook/Twitter/Google and are geographically targeted. Reporter standing next to embassy received the ad in their Facebook feed but not when reporter was farther away.
Want to talk? FBI trolls Russian Embassy for disgruntled would-be spies (washingtonpost.com)

March 24th 2022

Mykhailo Fedorov, Ukraine’s deputy prime minister and head of its Digital Transformation Ministry, confirmed on his Telegram profile that facial recognition technology is being used to identify dead Russian soldiers so that their family members can be shown what happened to them in Putin’s war and Ukraine’s defense.

Fedorov’s admission comes weeks after Clearview AI, the New York-based facial recognition provider, started offering its services to Ukraine for those same purposes. (Thomas Brewster / Forbes)

Related: Reuters

Sikh For Truth @SikhForTruth
"This is a human rights catastrophe in the making. When facial recognition makes mistakes in peacetime, people are wrongly arrested. When facial recognition makes mistakes in a war zone, innocent people get shot."
Ukraine Starts Using Facial Recognition To Identify Dead Russians And Tell Their Relatives (forbes.com)

March 23rd 2022

Nestlé, which said it would stop selling KitKats and other brands in Russia, says that corporate data leaked online this week by Anonymous was not stolen but was publicly available test data that had been unintentionally exposed for a short time on a single day on a business test website.

Nestlé said it quickly investigated the leak and no further action was deemed necessary. The 10GB of data Anonymous claimed to have stolen is a 6MB download that unpacks to less than 100MB of plain-text SQL database dumps and does appear to be test data rather than a full-blown internal leak. (Jessica Lyons Hardcastle / The Register)

Related: The Record

Identity-management firm Okta has come under fire for its slow drip of information, which left its customers uncertain what to do in the wake of the company’s breach by the hacking group Lapsus$.

In a webinar briefing, Okta’s Chief Security Officer David Bradbury said the company should have moved faster after receiving the initial report about the incident on March 17, adding that he expects some questions will remain unanswered. (David Uberti and James Rundle / Wall Street Journal)

Related: Venture Beat

Researchers at ESET have linked a China-based advanced persistent threat (APT) group known as Mustang Panda to an ongoing cyber-espionage campaign that deploys a previously undocumented variant of the PlugX remote access trojan, which they call Hodur, on infected machines.

Hodur handles a variety of commands, enabling the implant to gather extensive system information, read and write arbitrary files, execute commands, and launch a remote cmd.exe session. The victims include research entities, internet service providers (ISPs), and European diplomatic missions, primarily located in East and Southeast Asia. (Ravie Lakshmanan / The Hacker News)

Related: We Live Security, Sensors Tech Forum

Cashio Dollar, a stablecoin on the Solana blockchain, has been exploited for around $52.8 million and lost practically all of its value.

The exploit that crashed the coin is what is known as an infinite mint glitch: a flaw in which a protocol is mistakenly designed to let a user mint as many tokens as they like, typically without providing the collateral that would otherwise be required. Once someone can mint unlimited tokens, they can dump them on the market, crushing the token's price. (Tim Copeland / The Block)
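As an added illustration of the infinite-mint class (this is not Cashio's code, and the page does not describe Cashio's actual root cause), the following toy model shows one common shape of the bug: the mint path checks only the balance of the account the caller offers as collateral, never whether that account holds the asset the protocol is configured to accept. The `Bank` and `TokenAccount` types, the token names and the amounts are assumptions made for the example.

```python
"""Toy collateral-backed mint, added to illustrate the infinite-mint bug class
described above. This is not Cashio's code and the page does not state Cashio's
actual root cause; the defect modelled here is one common way a mint path ends
up uncollateralised: it never verifies that the asset offered as collateral is
the asset the protocol is configured to accept.
"""
from dataclasses import dataclass


@dataclass
class TokenAccount:
    mint: str      # which token this account holds, e.g. "USDC" (assumed name)
    amount: int    # balance in smallest units
    owner: str = "user"


@dataclass
class Bank:
    collateral_mint: str       # the only asset accepted as backing
    stable_supply: int = 0     # stablecoins outstanding
    real_collateral: int = 0   # backing actually held in the accepted asset


class MintError(Exception):
    pass


def _debit_and_issue(bank: Bank, collateral: TokenAccount, amount: int) -> int:
    """Shared bookkeeping: debit the offered account, issue stablecoins, and
    count the deposit as real backing only if it is in the accepted asset."""
    if amount <= 0 or collateral.amount < amount:
        raise MintError("insufficient collateral balance")
    collateral.amount -= amount
    bank.stable_supply += amount
    if collateral.mint == bank.collateral_mint:
        bank.real_collateral += amount
    return bank.stable_supply


def mint_vulnerable(bank: Bank, collateral: TokenAccount, amount: int) -> int:
    """Issue stablecoins against whatever account the caller supplies.

    The only check is the balance of the offered account, so an attacker can
    create a worthless token, hold an arbitrary amount of it, and 'back' newly
    minted stablecoins with it.
    """
    return _debit_and_issue(bank, collateral, amount)


def mint_checked(bank: Bank, collateral: TokenAccount, amount: int) -> int:
    """Same operation, but the identity of the backing asset is verified first."""
    if collateral.mint != bank.collateral_mint:
        raise MintError(f"collateral mint {collateral.mint!r} is not accepted")
    return _debit_and_issue(bank, collateral, amount)


def backing_ratio(bank: Bank) -> float:
    """Fraction of outstanding supply backed by the accepted asset (1.0 = fully backed)."""
    return 1.0 if bank.stable_supply == 0 else bank.real_collateral / bank.stable_supply


def demo() -> tuple:
    """Run the same attack against both mint paths. Returns
    (vulnerable supply, vulnerable backing ratio, checked supply, attack rejected)."""
    fake = TokenAccount(mint="ATTACKER_COIN", amount=10**12, owner="attacker")

    vuln = Bank(collateral_mint="USDC")
    mint_vulnerable(vuln, TokenAccount(mint="USDC", amount=1_000), 1_000)
    mint_vulnerable(vuln, fake, 10**12)   # accepted: supply is now almost entirely unbacked

    fixed = Bank(collateral_mint="USDC")
    mint_checked(fixed, TokenAccount(mint="USDC", amount=1_000), 1_000)
    try:
        mint_checked(fixed, TokenAccount(mint="ATTACKER_COIN", amount=10**12), 10**12)
        rejected = False
    except MintError:
        rejected = True
    return vuln.stable_supply, backing_ratio(vuln), fixed.stable_supply, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the model is the order of checks: a balance check on an unverified account proves nothing, because the attacker controls both the account and the asset in it. Whatever the concrete protocol, every account that feeds a mint or redemption path should be validated against the configuration it is supposed to match before any arithmetic is done on its balance.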

Related: Decrypt, Coindesk, Bitcoin News, CryptoSlate, Web3isjustgoinggreat

The FBI might be coming up short when helping ransomware victims restore their systems, according to an investigation released Thursday by Senate Homeland Security and Governmental Affairs Committee ranking member Rob Portman (R-OH).

The report documents the experiences of three victims targeted by the REvil ransomware gang and shows how difficult it is for all organizations to account for all vulnerabilities and defend against sophisticated cyber adversaries. The victims told the committee that the Federal Bureau of Investigation (FBI) prioritized its investigative efforts into REvil’s operations over protecting the companies’ data and mitigating damage. The companies also indicated they did not receive advice on best practices for responding to a ransomware attack or other helpful guidance from the Federal Government. (Tonya Jo Riley / Cyberscoop)

Related: The Record, Bloomberg Law, Committee on Homeland Security and Governmental Affairs

To close the 3.5 million cybersecurity jobs gap, Microsoft said it would expand its cybersecurity skilling initiative to 23 additional countries.

Microsoft initially launched the skilling campaign in the U.S. last fall, partnering with 135 community colleges to skill and recruit workers into the cybersecurity industry. The countries, which include Australia, Brazil, Canada, and India, were chosen due to their “elevated cyberthreat risk.” (Amber Burton / Protocol)

Related: Microsoft

Kate Behncken @katebehncken
Last year, we launched a national campaign to help close the cybersecurity skills gap. Today, @Microsoft is expanding its commitment to an additional 23 countries to strengthen the world’s cybersecurity workforce and digital defenses.
Closing the cybersecurity skills gap – Microsoft expands efforts to 23 countries - The Official Microsoft Blog (blogs.microsoft.com)

March 23rd 2022

Enterprise secure browsing company Island announced it had raised $115 million in a Series B venture funding round.

New York-based global venture capital and private equity firm Insight Partners led the round with existing investors Stripes and Sequoia Capital also participating. (Carly Page / TechCrunch)

Related: Cybersecurity Insiders, Crunchbase News, Business Wire, FinSMEs

Eyeball-scanning user authentication company Worldcoin is raising $100 million from investors, including Andreessen Horowitz, a previous backer, and Khosla Ventures, through the sale of its Worldcoin tokens, according to two people with direct knowledge of the matter.

Worldcoin plans to create a global distribution of cryptocurrency by scanning people’s eyes through volleyball-sized chrome spheres called “Orbs” for user authentication. (Kate Clark and Berber Jin / The Information)

Related: Security Week, Coindesk, Decrypt, Silicon Angle

Cyberattack defense company MixMode announced it had raised $45 million in a Series B venture funding round.

PSG led the round with participation from existing investor Entrada Ventures. (Kyle Alspach / Venture Beat)

Related: Business Wire, Help Net Security, FinSMEs, PacBizTimes

Security and compliance solutions provider Theta Lake announced it had raised $50 million in a Series B venture funding round.

Battery Ventures led the round, while collaboration platform vendors that participated were Cisco Investments, RingCentral Ventures, Zoom, and Salesforce Ventures. Other backers in the round were Neotribe Ventures and Lightspeed Venture Partners. (Kyle Alspach / Venture Beat)

Related: Dot.la, Silicon Angle, FinSMEs, MSSP Alert

Image by Gerd Altmann from Pixabay

© 2022 DCT Associates