I have been researching cybercrime for years, and yeah, the motivations of this adversary are confusing and incoherent, so I would rather say they are a group of real-life and/or internet friends who are having fun showing off and practicing their skills, something like hackers who deface websites "en masse".
From what Microsoft said, DEV-0537 is opportunistic; they are:
- purchasing credentials and session tokens from criminal underground forums
- paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
- searching public code repositories for exposed credentials
- using publicly known exploits in order to infiltrate organizations.
Like somebody already mentioned, they are similar to LulzSec in a way: they are partially financially motivated, partially hacktivist and partially bragging around, but all in all they are doing it for the "lulz".
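One of the vectors in the Microsoft list above, exposed credentials in public code repositories, is also the easiest one for a defender to check for on their own side. The following is an added example, not code from the thread or from Microsoft: a minimal pre-push secret scanner. The AWS key ID and GitHub token shapes follow the published vendor formats (AWS access key IDs start with AKIA, GitHub personal access tokens with ghp_); the generic rule, the entropy cut-off of 3 bits per character and the sample files are assumptions made for this example.

```python
"""Scan repository files for exposed credentials.

Added example, not from the thread: a minimal secret scanner of the kind a
defender runs over their own repositories before a push. The token shapes
follow published vendor formats (AWS access key IDs start with AKIA, GitHub
personal access tokens with ghp_); the generic rule, the entropy cut-off and
the sample files below are assumptions made for this example.
"""
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # a secret-looking variable assigned a long value; checked against entropy below
    "generic_secret": re.compile(
        r"(?i)(secret|password|passwd|api[_-]?key|token|key)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score high, placeholders like 'xxxx' score 0."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return (path, line_number, rule) for each line that looks like a leaked secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "generic_secret" and shannon_entropy(match.group(2)) < min_entropy:
                continue  # low-entropy value: a placeholder, not a credential
            findings.append((path, line_no, rule))
            break  # one finding per line is enough
    return findings


def scan_repo(files: dict) -> list:
    """files maps path -> contents; returns all findings in path order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents (the AWS key ID is AWS's documented example value).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        'DB_PASSWORD = "k3Jf9sLq2Pz8Wm4Xn7Yb1Vc5"\n'   # random-looking: reported
        'SMTP_PASSWORD = "xxxxxxxxxxxxxxxxxxxx"\n'        # placeholder: ignored
    ),
    ".env.example": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789\n"
    ),
    "README.md": "Run `make test` before opening a pull request.\n",
}

if __name__ == "__main__":
    for path, line_no, rule in scan_repo(SAMPLE_FILES):
        print(f"{path}:{line_no}: possible {rule}")
```

The entropy check is what keeps the generic rule usable: a documented placeholder such as a run of x's is skipped, while a random-looking value assigned to a password-ish name is reported even though no vendor prefix identifies it.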
Microsoft: "these are bad guys motivated by theft and destruction, practicing extortion as a business model"
HN: "These are kids doing it for the lulz"
I'm hardly an MS supporter, but the facts seem to be on MS's side here. The minute you pay somebody to gather access and then proceed to blackmail the organisation, you are organized crime. Just because they brag about it, it doesn't mean they're in it for the fun; they just think they are untouchable because they're outside US territory.
It is somewhat sad that this can even be considered "hacktivism" these days. Extortion has nothing to do with activism.
One month ago in my country (Croatia) a high school pupil hacked a big Telecom/ISP, stole the personal information of 100 000 customers and demanded a $500 000 extortion fee so he wouldn't leak all that personal information he stole. Kids are not alright these days; these guys are most likely not kids, but they are not your typical cybercriminals who operate in stealth. They are all out/public about their operations and hacks, and that's not how financially motivated adversaries act.
> ... a high school pupil hacked a big Telecom/ISP, stole the personal information of 100 000 customers and demanded a $500 000 extortion fee
I think it's a sign of a cultural shift. Not in hacking but in perception of money.
Money used to have this unique value, representing work somebody has put in.
Nowadays real money is increasingly looking like some dumb in-game currency, generally useful only for buying cosmetics and consumables. Awarded arbitrarily, so some people and organisations have awarded themselves, or cheesed out of others, completely astronomical amounts of it. And on the low end you might be doing three job-quests every day and still not have enough for the consumables you need daily just to play the game without suffering too much.
Governments apparently are able to pull hundreds of billions out of their a-ses to buy a bunch of tanks from whomever, despite lamenting the poor economy just a while ago.
In the eyes of the kid, demanding 500k RL karma points is not a crime, just trying to utilize an opportunity similar to those so many old folks already apparently exploited. Because there's no way they could earn it by working an average job.
>I think it's a sign of a cultural shift. Not in hacking but in perception of money.
I think it is a cultural shift in both hacking and money. Computers and the internet enabled kids to consume an unlimited amount of information; it enabled them to learn, communicate and play around more easily than ever. Some of them play video games and some of them play with "hacking". Hacking is something like stealing money from other kids, but nowadays it is in the digital realm, and not only stealing money from other kids but stealing money from everybody.
On the other hand there are cryptocurrencies, which enabled them to move money around with ease and without any legal requirements. It's not like the underage high school kid could open a bank account and then demand the extortion payment be made there. The only thing he must do is download a Bitcoin wallet.
But I agree with your assertion that the line is blurred between hard cash and digital cash including in-game currencies, cryptocurrencies plus all other digital representations of value.
It's not really the kind of cultural shift you think it is. The world gets more and more competitive each day, and if you view this from the perspective of a high schooler, you can see it's not as easy as it was 10 or 20 years before. The motivation is not just fun or having money to spend on "wants"; it's rather money to survive in this world where competitiveness is too high for some. As a fellow high schooler, I say this.
But do you realize that if you get caught you will go to jail, and your competitiveness goes to zero instantly; not only in the present but also in the future, because ex-convicts have a hard time finding a job.
> you can see it's not as easy as it was 10 or 20 years before
It was never easy. In the past living standards were lower and there was less education available hence 90% of people were farmers with no education or very little formal education.
This is a very insightful take on the current crypto and hacking cultures. Some people literally hoard money like dragons, then the megacorporations buy anything that threatens their virtual monopolies, then the rulers make questionable decisions that seem against the public good. The game feels rigged, and some people are tired of it and are trying to play by other rules or plainly cheat.
People who (like many of us HN readers) can live well playing by the rules are the NPCs.
They are impossible to decipher because their demands are changing[0].
Their extortion of Nvidia:
"Remove a feature known as LHR, short for "Lite Hash Rate," or see the further leaking of stolen data."
"We decided to help mining and gaming community," Lapsus$ members wrote in broken English. "We want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder. If they remove the lhr we will forget about hw folder (it's a big folder). We both know lhr impact mining and gaming."
"Lapsus$ modified its demand. Now, the group also wants Nvidia to commit to making its GPU drivers completely open source. If Nvidia does not comply, Lapsus$ says, the company can expect to see a new leak that would include the complete silicon, graphics, and computer chipset files for all its recent GPUs."
I guarantee this is a group of less than 8, most of whom are under 23 and grew up in middle-class Brazilian families and have had access to computers (unfiltered and unmoderated) since age 10.
"Lapsus$ emerged just a few months ago, at first focused almost exclusively on Portuguese-language targets. In December and January, the group hacked and attempted to extort Brazil’s health ministry, the Portuguese media giant Impresa, the South American telecoms Claro and Embratel, and Brazilian car rental company Localiza, among others. In some cases, Lapsus$ also mounted denial-of-service attacks against victims, making their sites and services unavailable for a period of time[0]."
It's also a relatively easy, cheap and common opsec strategy to mask your geographic location by constantly sharing news from a place you're not actually located at. Same as saying "good morning" every day to your "team" when actually it's night at your location.
I read years ago that the US "SEAL Team 6" was named to throw off adversaries (primarily Russia at the time; maybe again now?) that the US actually HAD at least 6 SEAL teams.
I knew somebody would bring this up; I mentioned financial motivation because these guys in particular are merging the line between financial motivation, hacktivism and bragging about their hacks. On the other hand I know LulzSec wasn't financially motivated but some individual members of LulzSec were involved in criminal activities motivated by profit in their past hacking "careers". LulzSec was all about mocking computer/internet security, bragging about their hacks and making fun about it, all wrapped up in some sort of hacktivism.
"Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact."
Does that mean that Microsoft only managed to stop the hack-in-progress because LAPSUS publicly bragged about hacking Microsoft?
This is wild. What is the psychology behind this group? If they're not deploying ransomware, it seems like their purpose is to penetrate companies "because they can." Publicly offering to pay employees for credentials is a dynamic that I've never heard of, and in a rule-less game, it seems like it breaks new rules.
Yeah, they are selling some of the exploits (the low hash rate enable on Nvidia cards), but even then they say that with what they have released up until now it would be possible to figure out the way to do it by yourself. So the "for the lulz" element is very much central to their breaches, and honestly that's a bit... refreshing? Not that I side with them or anything, but this is definitely more fun than ransomware.
> Not that I side with them or anything, but this is definitely more fun than ransomware.
I don't side with them. In the grand scheme of things they did open my eyes to the terrible IR processes of a much hyped company (okta), and they exposed how poor their product is/was. Security companies should be held to a higher standard when discussing breaches and IR. okta very much deserved it (and so does microsoft a 1000x). I don't endorse it but I can't hide my Schadenfreude either.
Or maybe they just want stuff for themselves and then uploaded it for the lulz?
I've heard of someone who completely reverse engineered the iTunes DRM just because he wanted to download 4K to watch the series that he had "bought" from Apple offline on his TV. It's more of a myth because that person refuses to release source code or details, but then again that is probably a sane decision. Still, I would be willing to believe that someone would do that just because they themselves feel irritated by the DRM.
Add a bit of youthful rakishness and someone might then upload the result to bittorrent, just because they can and don't care, i.e. "for the lulz".
Yup; the Russian hacker groups are supposedly independent, Anonymous is supposedly independent, but there are probably some pretty big overlaps in the Venn diagrams if you look closer.
I used to be on an IRC server that ran a honeypot to then find actual compromised servers and check them out - IIRC there were Ecuadorean government servers, and a load of routers in India, etc.
Most of it was just malware analysis and people creating pubstro servers for fun with different communities.
It's like Superfriends: everyone has their own gig and supports each other when crossing paths, but the Hall of Justice/Legion of Doom is the muster point when SHTF.
Reminds me of what deletescape and their associates did. They just broke into stuff and leaked it. There are lots of tweets and Telegram messages explaining their motives. Now most of the tweets and Telegram messages are deleted, but there are still some to see in articles and even in the FBI indictment.
Tillie had TERRIBLE opsec from day one, though. Everyone knew her real name and face. I once mentioned this in the group chat and she promptly tweeted a selfie saying "don't have opsec like me".
Considering this, it lasted pretty long, actually.
Disclaimer: I was in no way involved and publicly stated my disapproval in the deletescape Chats. It was however a thrill to see these things go down. Although it is equally as sad how this young lady threw away a lot of future potential for her ideals, without making any significant changes imo
They seem to be someone who is clearly inexperienced, supports the "hacker ethos" and doesn't really know what they want. They started talking about "demanding" code under open source licenses and stuff like that....
I think they are just some young hackers that started punching above their weight, and something will happen to them sooner or later. But let's see
I find it hard to believe that someone who is "clearly inexperienced" has managed to do a lot of high-level hacks in a short amount of time; I mean if someone who is "clearly inexperienced" has the capacity to do all that, we are so fucked.
> I mean if someone who is "clearly inexperienced" has the capacity to do all that, we are so fucked.
I don’t know whether or not these folks are inexperienced, but it’s hard to overstate how truly bad software is, these days. Many software developers are inexperienced, and the entire industry is built like a house of cards.
The bar is very, very low, and over-reliance on dependencies seems to be something that programmers actually boast about. Another point of pride seems to be deliberately ignoring experience and a careful approach ("Move fast and break things").
But there’s certainly good money in being a security consultant. Lots of low-hanging fruit. That industry is growing like a weed.
These days? I remember in the late 90s, early 2000s, and it really felt like 1/3 or so of all websites were vulnerable to things like PHP injection and SQL injection. I remember having to bypass login pages to do benign things like changing my password.
Websites have always been bad. In fact, they are probably better, these days, than they used to be. Web designers have traditionally not really been engineers, as such, so we can't really expect engineering discipline from them.
Despite that, I feel like Web designers are a bit more disciplined, these days, than the days of yore. It may be because the industry has matured, and there's now a prevalence of knowledge on the matter (as well as a lot of tools and frameworks that are actually pretty good).
The actual software behind them, that said tools and frameworks connect to, on the other hand...
Considering the expansion rate of the developer market, chances are that rate has actually gone down. But so has the intelligence of attackers, for the same reason.
> has managed to do a lot of high-level hacks in a short amount of time
Correct me if I’m wrong but do their attacks actually involve significant skill?
Their offer of buying credentials/access from employees suggests their bank account might ultimately be bigger than their skills and they’re leveraging that approach.
Of course, the question is, where is that money coming from and whether anyone is bankrolling them, and if so, what their motives are.
> Of course, the question is, where is that money coming from and whether anyone is bankrolling them, and if so, what their motives are.
Wild speculation here, but if they are located in a country that is recently a lot less friendly with the west, maybe they decided that being overt isn't a real problem given what they are doing is de facto legal where they live. Being a Belarusian or Russian cybercriminal targeting the west is probably less risky now than ever before (and it wasn't especially problematic before.)
I was talking about their ability to bribe company insiders. You need to have money to begin with to be able to pay said bribes - where is it coming from, and why are they spending money to breach into companies for seemingly no major benefit?
Never underestimate how much time, energy, and a total lack of care for rules a university student has, whilst simultaneously looking for something to prove[1]
From what I understand (IANAL), the bar for what constitutes criminal activity with computers is very, very low. As in, arguably the recent post by Julia Evans on undocumented web APIs[1] is a tutorial on performing criminal acts.
Which is not a judgment on whether LAPSUS$ is doing genuinely bad stuff—I don’t know—only to say that, when computers are involved, “criminal” not only doesn’t make a good consensus point on avoiding a slippery slope into overall badness, it doesn’t even seem to make a good heuristic on whether something is bad or not.
Generally speaking, hacking is unauthorized computer access.
More specifically, hacking under US law is:
Californian law, for example:
1. Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data or computer system to:
2. Execute a scheme to defraud or extort a victim.
3. Wrongfully control or obtain money, property or data.
4. Knowingly accesses and without permission takes, copies, or makes use of any data from a computer or takes or copies supporting documentation.
5. Knowingly introduces any contaminant or virus into any computer system.
6. Knowingly and without permission uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of electronic messages that damage a computer system.
7. Knowingly and without permission disrupts or causes the denial of governmental computer services.
8. Knowingly and without permission disrupts or causes the denial of public safety infrastructure computer services.
US Federal Law:
- Knowingly accessing a computer without authorization to obtain:
  - financial information
  - information from a governmental department or agency
  - information from any protected computer with the intent to defraud
- Knowingly causing the transmission of a program, information, or code from a protected computer
- Knowingly accessing a protected computer and causing damage and loss to that computer
Leaking data isn't petty crime. I can believe a student with anti-corporate views could see what LAPSUS$ are doing as a good thing. Or just a student who is good at cracking and wants to show off, criminality be damned.
Find a group of enthusiasts that are not quite there yet, such as an enclave of SKitties. Give them superpowers, feed the hunger for recognition, silently run support operations, grease things up with cash so it feeds the illusion; in short, troll them into thinking they are leet. Let them be noticed, and create a fog of war.
Step two:
Now that the show is on, start actually infiltrating your hacks into position for a major attack. Let your SKitties be the fall guys.
When it's done cooking, it smells like state-sponsored espionage.
If it's state-sponsored the number of nations is pretty limited. They attacked Brazilian government infrastructure, which rules out Russia, US, Israel and China who all maintain strong Brazilian relations.
That doesn't leave very many actors capable or willing to do this.
They also use Brazilian slang, which granted could just be disinfo to throw people off.
There are no friends in the spy game; this should have become abundantly clear after the revelations on US tapping the German chancellor as a matter of routine.
There might well be something that, say, some US interests want and Brazilian entities are not willing to share. Enter a bit of XXI century spycraft, and everyone is happy.
This said, it seems a bit too exposed to be an intelligence op, even as diversion. Even if misdirecting, it is raising alarms and improving the security posture of the affected organisations afterwards, which you typically wouldn't want as a spook. You want to put down invisible roots, to let everyone sleep soundly while you go about your business undetected.
To me this looks like an average gang with slightly above-average tech skills, drunk on their own success - with a mindset to "get rich, or die trying".
> There are no friends in the spy game; this should have become abundantly clear after the revelations on US tapping the German chancellor as a matter of routine.
Even in the late 1990s, the public learned the FVEY countries had explicit agreements to not spy on each others' governments. Anyone paying attention knew that meant that the US probably considered all non-FVEY governments fair game. Germany might feign surprise, but German counterintelligence knew there was a club, and they weren't in it.
In the early 2000s, I was contracted out to write (unclassified) network simulations for a US defense contractor. I was using a library written by a colleague contracted out to a French defense contractor. I found an apparent bug in poorly commented code (treating unexpected error codes as successes). My client instructed me that I could talk to my French colleague over the phone and verify that it really was a bug, but if the colleague asked, I couldn't tell him what the code was being used for (apart from general network simulation). Furthermore, if my colleague asked a second time what the library was being used for, I was to (1) assume he was working for French intelligence, (2) hang up immediately, and (3) report the incident to my client. My French colleague was experienced and smart enough not to ask the forbidden question. I was smart enough not to ask him about the purpose for which he originally wrote the library. We both knew the rules. Nobody paying attention is surprised that even close allies routinely spy on each other.
The Israeli and US secret services don't care about allies or strong relations. They do whatever they deem necessary to do their job, and both have been caught red-handed multiple times.
Drain cryptocurrency accounts and use the money to buy shares in companies whose financials you have access to. Sell your data to private bidders. Plenty of ways to make money without ransomware.
Using stock trading is a TERRIBLE idea, that's how you get caught. SEC doesn't play around. I doubt they are doing that, private bidders seems way more likely.
They really don't, and you're just promoting the same mystical thinking about how the NSA/FBI/CIA is totally wiretapping us all and knows all our details.
Ask yourself the solve rate on most serious crime in the US.
While the SEC has "algorithms" to look for insider trading, it's mostly relying on folks with bad OPSEC bragging and getting turned in by bitter third parties.
Source: worked for Thesys / Thesys CAT group before our fucktard brass lost us the contract.
Sharks, cats, possums, bored rural people with shotguns, a rockslide in the wrong valley in South America (there's pretty much just one pass that all east/west SA traffic passes through). All of these are things that occasionally take out either comms, or data centres on a semi-regular basis.
Not a computer security engineer here, but reading the article, it feels like in most organisations there are no safeguards in place for modifying global highly privileged accounts (the article cites introducing a global Office 365 admin and then removing the existing global admins, etc.).
Are there not procedures like double/triple validation of sensitive changes (like "creating new global admin account") by accredited humans?
I mean, in my line of work (finance), this is something that is enforced in multiple sensitive contexts such as money transfers - at certain thresholds, even the highest privileged person in the organisation cannot single-handedly authorise the operation.
But it’s annoying to program. You need the same records as an undo/redo system, except they’re only applied after approval. Finance does it because everyone knows finance is boring already, but I’m not sure it would be possible to retain a JS programmer in another sector if the 6-eye principle had to be applied for every modification. It’s already hard to motivate them for i18n…
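The workflow the two comments above describe (a sensitive change is recorded like an undo/redo entry but only applied after several accredited humans approve it) is small enough to sketch. What follows is an added example, not code from the thread or from any identity product: an in-memory change queue for global-admin grants and revocations that requires N distinct approvers, forbids self-approval, and refuses to revoke the last remaining admin. The operation names, user names and the default quorum of 2 are assumptions made for this example.

```python
"""Multi-party approval for global-admin changes.

Added example, not from the thread or from any product: an in-memory change
queue in which a sensitive directory operation (granting or revoking a
global-admin role) is recorded when requested but only applied once N distinct
approvers, none of whom is the requester, have signed off. Operation names,
user names and the default N are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Operations a single account must never be able to apply on its own.
SENSITIVE_OPS = {"grant_global_admin", "revoke_global_admin"}


class ApprovalError(Exception):
    """Raised when a request or approval violates the policy."""


@dataclass
class PendingChange:
    change_id: int
    requester: str
    op: str
    target: str
    approvals: set = field(default_factory=set)  # set: one vote per approver
    applied: bool = False


class Directory:
    """Tiny stand-in for a tenant directory with an approval-gated admin set."""

    def __init__(self, required_approvals: int = 2):
        self.required = required_approvals
        self.global_admins: set = set()
        self.pending: dict = {}
        self.audit: list = []  # append-only trail: who asked, who approved, what applied
        self._next_id = 1

    def request(self, requester: str, op: str, target: str) -> int:
        """Record the change; nothing is applied yet."""
        if op not in SENSITIVE_OPS:
            raise ApprovalError(f"unknown sensitive op: {op}")
        change = PendingChange(self._next_id, requester, op, target)
        self._next_id += 1
        self.pending[change.change_id] = change
        self.audit.append(("request", requester, op, target))
        return change.change_id

    def approve(self, approver: str, change_id: int) -> bool:
        """Add one approval; apply the change when the quorum is reached."""
        change = self.pending[change_id]
        if approver == change.requester:
            raise ApprovalError("requester cannot approve their own change")
        if approver not in self.global_admins:
            raise ApprovalError("only current global admins may approve")
        change.approvals.add(approver)
        self.audit.append(("approve", approver, change_id))
        if len(change.approvals) >= self.required:
            self._apply(change)
        return change.applied

    def _apply(self, change: PendingChange) -> None:
        if change.op == "grant_global_admin":
            self.global_admins.add(change.target)
        else:  # revoke_global_admin
            # Never let a quorum lock everyone out: keep at least one admin.
            if not (self.global_admins - {change.target}):
                raise ApprovalError("cannot revoke the last global admin")
            self.global_admins.discard(change.target)
        change.applied = True
        del self.pending[change.change_id]
        self.audit.append(("apply", change.op, change.target))


def demo() -> tuple:
    """Walk through the policy with constructed accounts; returns the final state."""
    d = Directory(required_approvals=2)
    d.global_admins.update({"alice", "bob", "carol"})  # bootstrap admins (constructed)
    cid = d.request("alice", "grant_global_admin", "dave")
    try:
        d.approve("alice", cid)  # self-approval is rejected
    except ApprovalError:
        pass
    d.approve("bob", cid)  # 1 of 2
    d.approve("bob", cid)  # same approver again: still 1 of 2
    applied = d.approve("carol", cid)  # 2 of 2: applied
    return applied, sorted(d.global_admins)
```

The point of the design is that one compromised admin account can request "add my second account as global admin" or "remove the other admins" but can never complete either on its own, and every request leaves a trace in the audit trail even when it is never approved.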
Maybe stop hiring 19 year olds who just did a "become a Web developer in 6 weeks" bootcamp to code your core security features then. Pay peanuts, get monkeys.
It's in France, it's just for Java + React, not rocket science.
Claiming $120k is a shit salary is really entitled; it's among the top 20% of engineers in France and the top 7% of the entire country. For Java and React. Glad I don't have him among my employees.
Your security staff have access to literally everything in your company, visibility into all communication and trust with physical devices. If they're not the highest paid of your engineering staff you screwed up. Glad I don't have the misery of being your employee.
This is one of the biggest issues people don't realize. A React dev doing fully frontend stuff is usually paid more than a security guy. Management views this as the developer making a product and bringing in money. But with insurance no longer covering hacks like they used to, and with the absolute number of ways into organizations, security people can literally save a company from millions in losses and possible collapse.
Have there been any other high-profile uber-public data leaks before LAPSUS? Before the last few months it seemed like every data breach was simply documented with the assumption being that the dump would be sold on Tor hidden services, but now it's in an open-access Telegram with thousands of benign citizens waiting for the next treasure trove of data to be dropped.
> but now it’s in an open-access telegram with thousands of benign citizens waiting for the next treasure trove of data to be dropped.
The extortion model is interesting because you can flip the script and just extort the company, and if they don't pay, you leak it. The upshot of this approach is that for LAPSUS$, it increases their reputation and credibility for future attacks. In the "old model" where you try to sell the data leak itself, you still have to find a willing buyer and negotiate a price. The nice thing about the new model is that it eliminates the search for a buyer and a price, and leaking the data is free marketing. It's kind of a win/win. Either they get paid in cash or they get paid in clout.
There have been high profile uber-public data leaks before LAPSUS$, but I don't think many have been married to a "business model" like this. E.g., Epik got hacked, but that was ideological. Same with Hacking Team, Equation Group, arguably all of Snowden's stuff. LulzSec was infamous for just doing things for fun, not for cash.
I don't see the novelty. This was already happening in the 90s, and it fell out of favour only because interacting with the victim is risky: like in the movies, the second call you make to the family, after kidnapping somebody, will have the authorities listening in. Shopping data around the underground is much less likely to attract attention. The fact these guys prefer to go back to basics imho is a sign of inexperience or extreme certainty they won't suffer consequences (i.e. because they're unreachable by US authorities).
So there are plenty of open guides on running a server, locking down a single server, but I do not know of guides for locking down an organisation - basically the RFC on how to run a SOC/NOC. Does such a thing exist?
I am not looking for a white paper on Cisco network monitoring but ... something opinionated. A blank-sheet-of-paper approach that would only have FIDO access, maybe limited to OpenBSD or whatever.
Something from which, as a small company, one could build something not embarrassing.
Our strategy as a startup (<10 employees) is to operate as if our entire infrastructure can disappear instantly. 99% of what we need to rebuild lives in git, which is extremely resilient considering the number of PCs and build machines involved with recent checkouts.
We do not store any customer secrets or other PII that could actually require a breach disclosure. At the end of the day it would just be a stupid messy fight with the hackers and then we'd be back in business the following on a clean Azure tenant.
Trying to run your business like some perfect unhackable thing is probably not sustainable, especially if you are small. The next best thing is limiting blast radius and making sure you can pick yourself up off the floor quickly enough.
>The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$
I guess nothing leaves Redmond before getting hit with the marketing sugar stick.
>Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks.
Yes, it's almost as though the pending narrative of the insidious black-hat hacker we're trying to spin is proving difficult from the get-go.
>Microsoft also found instances where the group successfully gained access to target organizations through recruited employees
So the downside to "bullshit jobs" is that they become a threat vector. The countermeasure is to pay more and offer better benefits or... do what Okta did and just ignore the whole thing while players like Cloudflare try to stack the fallout squarely on you, and players like Microsoft try to make a buck off a crisis you can't handle.
Suppose a hacker group gets their hands on a valuable exploit. They are like LAPSUS$ and are going to make the exploit public access, but also want to make some $. I wonder if the following scheme is theoretically possible:
1. Put the encrypted exploit file into some kind of Blockchain
2. Create a crypto wallet and announce a fundraising
3. As soon as the sum on the wallet reaches, say, $5M, the exploit is automatically and consensually decrypted by the Blockchain system and released to the public.
Exactly right, this is why a market for assassination is unlikely to ever really emerge as a result of blockchain tech. People seem to forget that the only reason it works is because of the structured aligning of potentially competing objectives. There really isn't a way to decentralize an escrow service... I mean, you could try to leverage all the participant's competing interests - but that is a massive presumption and it doesn't even address the question of how. Not through PoW, because turtles all the way down, and not through PoS, because lol Ripple.
I agree with you, but hackers sell exploits to others all the time? One can never be sure that hackers are gonna send the actual exploit. You're right that the scheme does not protect from that; my initial shower thought was more about the "release to the public" part, so the public can be certain that they will get something when the amount on the crypto wallet hits the threshold.
So, whether a blockchain is used or not, there's no way to know that I'll get what I paid for or an empty text file.
So the blockchain serves no purpose in this instance.
Asking people to send you money, and them trusting you'll send them the exploit, is exactly the same, and no blockchain is needed (except maybe the Bitcoin one, since of course you don't want to use PayPal).
Assuming you can establish a zero trust, publicly declared swap of crypto for said key... A smart contract could be established to act like a bounty program for this purpose and could be re-used for sharing other secrets.
You are basically asking me to send you $5M for a car (the exploit) supposedly parked into a garage (the encrypted exploit) whose location is stored on the blockchain (the encryption key).
At the time of me sending you $5M, I do not know whether or not there actually is a car in this garage.
All I can do is trust your words that there is a car in this garage.
Now that I sent you $5M, the blockchain contract reveals the location of the garage.
Now that I have the location of the garage, I make my way there; 2 things can happen:
- I open the garage, there is a car inside
- I open the garage, there is no car inside
At what point in this whole transaction did putting the location of the garage on the blockchain help me (the buyer) in any way? What matters to me as a buyer is getting a car, not the assurance of _maybe getting a car_.
You could have sent me the location by email, fax, pigeon, blockchain contract, facebook messenger, telegram, signal, whatsapp, the outcome would be the same.
You have confirmed that the garage exists and that it will be opened when certain conditions are met without further human intervention. The alternative would not come with a guarantee of the above. Just because the entire process is not zero-trust does not mean it is not an improvement on the status quo.
If this were to become a recurring endeavour, you can introduce reputation into the system and a refund mechanism if X of Y funds required to unlock the payload are not happy with the contents.
Trust. I know a blockchain is a zero trust network and all that, but if it is a trustworthy group that can prove ownership of an address/the exploit, then I'd think it could work.
I'm a blockchain hater as well, but I'm interested. What is a better platform for something like this, assuming that you trust the actor who owns the address?
> As soon as the sum on the wallet reaches, say, $5M, the exploit is automatically and consensually decrypted by the Blockchain system and released to the public.
For that, all nodes in the blockchain would need to be in possession of the decryption key - which would allow anyone to decrypt the secret as well.
I've been inspecting their dumps since the iPhone X leaks.
As it turns out, they got access to huawei, apple, nvidia, samsung, microsoft bing/maps/notes and probably (unconfirmed) vodafone, lge, impresa, mercadolibre and others.
They actively infiltrate organizations with Windows monoculture that never updates, most exploits they seem to have used were running on _really_ outdated systems that are targeting enterprise monoculture as well, like atlassian software, and pretty much everything with an ADS integration.
As I commented previously, it's likely that the SOCs (Security Operations Center) are part of this, too, because _if the certification_ of the targeted organizations isn't utter BS, then they must have caught an incident like this.
A server transferring more than 200GB to a single IP? C'mon, firewalls of the 90s detected that.
They also shamed okta in response to their blog post a lot for having wrong security in place, aka publicly accessible slack channels that have more than ~9k members, where even AWS secrets are posted regularly.
I mean, attack scenarios like this are bound to happen when management decides it's cheaper to hire an external SOC with VPN access for everything. As long as management thinks there has to be a ROI of investment into the blueteam/cyber defense part, nothing will change.
Better laws have to be written to enforce the incentive, because clearly, even Microsoft was too late to catch them in the act.
This is what you get for being "cloud native" and there's no way to prevent it. Infrastructure out of your control has to be treated as such; everyone in cybersec has been talking about the dangers of using AWS and hiring SOCs and external support teams from India for decades already, and nobody listened.
None of the issues here are related to being cloud native. If you are completely on-prem, but your employees are remote the same social engineering attacks would work on your organization.
The issue is with companies having absolutely garbage security practices.
While I agree with the sentiment there, lapsus didn't get initial access via social engineering.
They used social engineering to stay ahead of detection.
My point is about that you have no way to isolate a cloud based build bot. No way to detect a threat, because AWS doesn't offer any APIs or pcap streams or anything. It's literally a black box from the perspective of an SOC.
And that is the security responsibility nobody wants to be part of. Neither AWS and neither the organization that rents the machine.
> My point is about that you have no way to isolate a cloud based build bot. No way to detect a threat, because AWS doesn't offer any APIs or pcap streams or anything. It's literally a black box from the perspective of an SOC.
It turns out there is a Gateway Load Balancer that "can be used for security inspection, compliance, policy controls, and other networking services."
Yeah, no. In the ideal on-premise setup you can shut down remote access on the network level. You're not an admin? You cannot reach admin tools from your VPN. You can also always offer a personal two-factor authentication for exemptions, introduce four-eyes policies, etc.
Of course, this is complicated, and a big part of the reason cloud is so successful is that the engineers capable of doing complicated stuff are hired by the cloud providers. My pet theory is that FAANG pay such high salaries to prevent competition and home-grown solutions as much as possible by attracting the top x% of the talent pool.
I think by starting small. Set up a Raspberry Pi for home automation, etc. Maybe connect a NAS or so. Add your own dedicated server with a domain name, etc. My hypothesis is that you learn much more effectively by learning the basics, because 99% of the shiny fancy cloud-scale tools deal with inconveniences that occur when you do basic stuff in a larger setting.
"A server transferring more than 200GB to a single IP? C'mon, firewalls of the 90s detected that."
Do you have examples of firewalls that support this and setup guides? I'm using pfSense but haven't come across anything that would flag traffic in this manner. There is snort I guess? Just curious. Always looking to improve my own protection :)
I am using the FreeBSD firewall, which is simpler than pfSense, so I am pretty certain that this must be possible in most, if not all, firewalls.
For any rule of the firewall, which may match any kind of traffic, you may set the rule to update a counter. The values of the counters will accumulate the total quantity of data transferred until the counters are reset (periodically), and you may choose to store the values in a log for later inspection or you can use a shell script to interrogate the firewall periodically and compare the counter values with thresholds and send alerts when they are exceeded.
As long as the firewall rules include the option for a "count" or similar action, which I believe to be available in all of them, then you can use the firewall to monitor the amount of data that passes through the network.
Even when a firewall does not provide the length of the packets, just counting the number of packets is enough to estimate the maximum amount of data that might have been transferred, because you know the maximum packet sizes on your interfaces.
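The periodic threshold check the comment above describes, written out as an added example (not any commenter's code) in Python rather than as a shell script. It parses two snapshots of per-rule packet and byte counters, computes the per-rule delta, flags any rule that moved more than a configurable number of bytes in one sampling interval, and falls back to the packets-times-maximum-frame-size bound from the last paragraph when the firewall only counts packets. The snapshot text is constructed data modelled on the `[ Evaluations: ... Packets: ... Bytes: ... ]` lines that `pfctl -vsr` prints under each rule; the rule labels, addresses and counter values are made up.

```python
import re

# Two consecutive snapshots, as a cron job might capture them. Constructed sample
# data modelled on `pfctl -vsr` output; labels, addresses and numbers are invented.
SNAPSHOT_T0 = """\
@0 pass out quick on em0 inet proto tcp from 10.0.0.5 to 203.0.113.9 label "build-bot-egress"
  [ Evaluations: 1200 Packets: 3000 Bytes: 4500000 States: 2 ]
@1 pass out quick on em0 inet from 10.0.0.0/24 to any label "lan-egress"
  [ Evaluations: 80000 Packets: 90000 Bytes: 120000000 States: 40 ]
"""
SNAPSHOT_T1 = """\
@0 pass out quick on em0 inet proto tcp from 10.0.0.5 to 203.0.113.9 label "build-bot-egress"
  [ Evaluations: 9000000 Packets: 150000000 Bytes: 215000000000 States: 5 ]
@1 pass out quick on em0 inet from 10.0.0.0/24 to any label "lan-egress"
  [ Evaluations: 90000 Packets: 100000 Bytes: 130000000 States: 41 ]
"""

# A labelled rule line followed by its counter line.
COUNTER_RE = re.compile(
    r'^@\d+ [^\n]*label "(?P<label>[^"]+)"[^\n]*\n'
    r'\s*\[ Evaluations: \d+ Packets: (?P<packets>\d+) '
    r'Bytes: (?P<bytes>\d+) States: \d+ \]',
    re.MULTILINE,
)

GB = 10 ** 9


def parse_counters(text):
    """Map rule label -> (packets, bytes) from a pfctl-style rule listing."""
    return {m["label"]: (int(m["packets"]), int(m["bytes"]))
            for m in COUNTER_RE.finditer(text)}


def counter_delta(prev, cur):
    """Packets and bytes moved per rule since the previous sample.

    A counter that went backwards means the firewall was reset or rebooted in
    between; the current value is then taken as the whole delta. That may
    under-count the interval but never hides traffic seen since the reset.
    """
    out = {}
    for label, (pk, by) in cur.items():
        prev_pk, prev_by = prev.get(label, (0, 0))
        d_pk = pk - prev_pk if pk >= prev_pk else pk
        d_by = by - prev_by if by >= prev_by else by
        out[label] = (d_pk, d_by)
    return out


def max_bytes_from_packets(packets, mtu=1500):
    """Upper bound on bytes when only packets are counted: no frame on an
    Ethernet interface carries more than the MTU plus the 14-byte header."""
    return packets * (mtu + 14)


def check_thresholds(deltas, byte_threshold, mtu=1500, have_bytes=True):
    """Return (label, bytes_moved) for every rule that exceeded byte_threshold
    within one sampling interval. With have_bytes=False the packet-based
    upper bound is used instead of the byte counter."""
    alerts = []
    for label, (d_pk, d_by) in deltas.items():
        moved = d_by if have_bytes else max_bytes_from_packets(d_pk, mtu)
        if moved > byte_threshold:
            alerts.append((label, moved))
    return alerts


if __name__ == "__main__":
    deltas = counter_delta(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1))
    for label, moved in check_thresholds(deltas, 200 * GB):
        print(f"ALERT: rule '{label}' moved {moved / GB:.1f} GB in one interval")
```

Only `parse_counters` is tied to pf's output layout; the delta, reset handling and threshold logic work on whatever per-rule counters another firewall exposes. In practice the snapshot would be read from the firewall each run and the previous sample kept on disk, and the threshold chosen per rule, since a backup job and a build bot have very different normal baselines.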
They're basically the ones watching alert dashboards like suricata all day, investigating issues and trying to isolate systems that have been compromised.
So they're the operational part of an IT security department. Sometimes they're also called CSIRT.
Frequently combined as SOC / SIEM, the acronym for Security Information and Event Management.
Dataflow analysis can be provided by, for example, Cisco Smart Network Application (SNA), a system that displays an overview of the network topology including detailed monitoring information for devices and traffic.
If a single IP produces that much traffic to a build system, and is an external residential IP... it's 100% either a DDoS attempt or a malicious actor that is in the process of exfiltrating data.
There's not a single scenario where traffic this size to/from an internal buildbot machine and a single unknown residential IP is legit.
You download 18.51 megabits per second over a cellular connection for 24 hours straight? Do you really? Because somebody, either you or your service provider, is doing it wrong.
I've taken multiple cellphone connections and sorta merged their connections using a hacky workaround in windows to force it to happen even without a proper setting for it. (Note: Not a bridge. Merged. Sorta.)
Just set up each phone as a shared access point through multiple USB ports and let 'er rip. After doing what I was mentioning, though, that is.
It's rather simple too, but I don't know how best to explain how it works. BUT I can tell you what I did.
I disable and re-enable each connection one after the other, back and forth, multiple times until they are all sending and receiving data at the same time. This seems to work best when there is already an active connection going. I would use this for Steam downloads a lot.
And yes, all my files I send and receive this way would come and go proper and working. I was doing this back when cell speeds were more like 3mbit/second out in the rural areas. That kind of thing. So getting 10mbit out in the boonies was like living in the city all of a sudden.
Nah, I know people that abuse the crap out of 4G/5G from their home cell network all the time.
They would use a terrestrial connection, but the National Broadband Network in Australia is arguably incomplete (putting aside that the parts that are supposed to be complete are often very crap).
One of my workmates lives 25 mins' drive from the WA capital city CBD and has just recently bought Starlink because he couldn't get fast enough or reliable enough internet speeds at home for WFH purposes (MS Teams is bad but not THAT BAD).
For a moment there I thought you and sennight were the same user. Heh.
Yeah, Canada is pretty bad too when it comes to having the last mile rolled out to every last town and village. We have tower based internet for those usually. If you are really out in the boonies, you might have something based on Xplornet's tech. Having starlink is only a new thing recently; and that's apparently touch and go for people as well.
Ironically, if you don't play video games at all, Cellular is the best kind of connection you can get out there in some places. Otherwise, get a dish and point it at the nearest tower. It's still basically a giant wifi connection at that point, so the latency will not be the best; but it's far better than Xplornet or cellular ever will be on that front. The only thing better than tower, is a proper line going to the house.
One of my old homes was supposed to have said line installed to that town as part of a province wide thing going on at the time. Sasktel was supposed to get EVERYONE connected with cable and internet...
That never happened. They stuck to the cities and bigger towns close to the backbone, and that was it. They then sold access to companies putting up towers and said "that's a wrap".
That said... they had to contend with the rail lines to get past them on multiple occasions, and that gets expensive.
Dunno enough about the situation in Australia to even pretend, but I imagine it could work if there is a coverage mandate plus taxpayer funding going to the carriers. In such a scenario it would be basically impossible to not massively overprovision bandwidth in rural areas, and the carriers would have zero incentive to cap data rates (beyond upselling - but there is a limit). Everywhere else though... telecoms are notorious for under provisioning to the point where major news events can result in the network failing under the load of too many people simultaneously wanting to make a call. Wireless took that to the next level. And it isn't simply a hardware issue, if they lease more backhaul capacity than they need - they burn money. So they're highly incentivized to screw with the top 20% of their heavy subscribers everywhere but the middle of nowhere.
So Aus has the NBN, which in theory covers everyone through a combination of FTTP, FTTN and high speed, high latency satellite.
Unfortunately the NBN organisation itself is a massive boondoggle (see also Australian politics for the last 10+ years) and their idea of 'coverage' often could be beaten handily by a pigeon and some string.
So people pay through the nose for alternatives like Telstra mobile broadband or starlink and given the current neoliberal firesale gov I'd say that's an intentional outcome...
Did they look at some of the direct wireless options? Several of those in WA put their dishes up on existing masts and just bounce around a high speed signal.
In the channel they posted lots of specs and design documents from the iPhone X. So technically it could also have been a vendor in the supply chain (as of now).
They announced a leak at the time, but deleted the torrent files in their posts/comments a couple times and I was too late to verify.
Lapsus is from Latin. And yes, it could mean blunder. But apart from being Latin, the word is used in the English language as well. So why would it be "likely from Russian"?
Because you can't talk about organized cybersecurity breaches of American corporations without someone blaming it on Russia because they drank the Kool Aid that only state-sponsored organizations have the skills to beat corporate cybersecurity drones.
I'm sorry to say, but this article reads very badly even if the authors had the best intentions. If they don't feel like sharing actual data on what they found, then why waste people's time with that tone?
Sounds like someone just rushed to press the Publish button.