The Dire Warnings in the Lapsus$ Hacker Joyride

The fun-loving cybercriminals blamed for breaches of Uber and Rockstar are exposing weaknesses in ways others aren't.
Photograph: Daniel Grizelj/Getty Images

After suffering a breach earlier this month, the ride-share platform Uber said last week that it believes the infamous hacking group Lapsus$ was behind the attack. The incident was in line with the group's track record of using phishing to gain access to corporate accounts that can then be parlayed into broader access. Then on September 23, police in the United Kingdom said they had arrested an unnamed 17-year-old in Oxfordshire who seems to be one of the individuals previously arrested in connection with Lapsus$ in March.

Lapsus$, which may also have breached the Grand Theft Auto developer Rockstar in this latest hacking spree, has established itself in the pantheon of memorable hacking groups for breaching a slew of massive tech companies, including Microsoft, Nvidia, Okta, Samsung, and Ubisoft. They did so to make money, sure, but they also apparently wanted to take the digital-teen joyride of a lifetime. Researchers say that this wild and unpredictable streak is an important key to the group's success that should not be overlooked.

“Lapsus$ probably aren’t causing as much destruction as other actors with different motivations could, and I think that's the answer—they aren’t entirely motivated by money,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “They, therefore, attempt things that purely financially motivated cybercriminals wouldn’t. They are more likely to be adventurous and to try things—that may not have a payoff—just for the fun of it.”

This creative enthusiasm and flair for the dramatic is an important case study. While Lapsus$ seems to perpetrate crimes of opportunity rather than working under a mandate to target certain entities or achieve specific results, the way nation-state actors often do, their seemingly boundless success reveals just how many weaknesses are lurking in organizations around the world that have gone unexposed only because they weren't immediately useful to state-backed actors or cybercriminals. 

“I find the Lapsus$ group significant, because they have highlighted systemic problems in real-world implementations of single sign-on and multifactor authentication,” says independent security researcher Bill Demirkapi. “The techniques that they've used in their attacks are nothing new, but what we're seeing is the widespread abuse of these weaknesses and a wakeup call to organizations.”

Lapsus$ breached Uber by targeting an individual contractor whose username and password had been compromised by another entity through a malware infection and sold on the dark web, the company said. Lapsus$ repeatedly sent the victim multifactor authentication login notifications until they mistakenly approved access. In a previous, unrelated attack, Lapsus$ breached a contractor working with the authentication company Okta in an attempt to compromise organizations through the identity management provider. The tactics in both instances show that there are weaknesses in some multifactor authentication strategies, and they highlight a downside to “single sign-on” schemes in which one carefully protected authentication process grants access to a slew of services. The benefit to organizations is that there's only one account to protect and manage instead of many, which cuts down on weaknesses like password reuse. The drawback, though, is that if an attacker compromises a single-sign-on account, they gain access to multiple internal services within an organization at once.
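The pattern described above, a burst of push prompts that ends when the target finally taps "approve", leaves a distinctive trace in identity-provider sign-in logs. The following detector is an added example, not code from the article or from any vendor: it reads constructed log lines (the line format, event names `PUSH_SENT`/`PUSH_TIMEOUT`/`PUSH_DENIED`/`PUSH_APPROVED`, the IP addresses and the thresholds are all assumptions for illustration), counts push challenges per user in a sliding window, and reports whether an approval followed the burst, which is the moment an attacker would actually be in.

```python
"""Added example (not from the article): flag the MFA push-fatigue pattern,
repeated push prompts until one is approved, in identity-provider logs.
The line format, event names, IPs and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 time> <user> <event> <source IP>".
SAMPLE_LOG = """\
2022-09-15T21:02:11Z alice PUSH_SENT 203.0.113.7
2022-09-15T21:02:41Z alice PUSH_TIMEOUT 203.0.113.7
2022-09-15T21:03:02Z alice PUSH_SENT 203.0.113.7
2022-09-15T21:03:10Z alice PUSH_DENIED 203.0.113.7
2022-09-15T21:04:15Z alice PUSH_SENT 203.0.113.7
2022-09-15T21:04:45Z alice PUSH_TIMEOUT 203.0.113.7
2022-09-15T21:06:30Z alice PUSH_SENT 203.0.113.7
2022-09-15T21:07:00Z alice PUSH_TIMEOUT 203.0.113.7
2022-09-15T21:09:50Z alice PUSH_SENT 203.0.113.7
2022-09-15T21:10:03Z alice PUSH_APPROVED 203.0.113.7
2022-09-15T08:00:01Z bob PUSH_SENT 198.51.100.5
2022-09-15T08:00:09Z bob PUSH_APPROVED 198.51.100.5
2022-09-15T13:20:00Z carol PUSH_SENT 198.51.100.9
2022-09-15T13:20:30Z carol PUSH_TIMEOUT 198.51.100.9
2022-09-15T13:40:00Z carol PUSH_SENT 198.51.100.9
2022-09-15T13:40:06Z carol PUSH_APPROVED 198.51.100.9
2022-09-15T02:00:00Z dave PUSH_SENT 203.0.113.22
2022-09-15T02:00:30Z dave PUSH_TIMEOUT 203.0.113.22
2022-09-15T02:01:00Z dave PUSH_SENT 203.0.113.22
2022-09-15T02:01:30Z dave PUSH_TIMEOUT 203.0.113.22
2022-09-15T02:02:00Z dave PUSH_SENT 203.0.113.22
2022-09-15T02:02:30Z dave PUSH_TIMEOUT 203.0.113.22
2022-09-15T02:03:00Z dave PUSH_SENT 203.0.113.22
2022-09-15T02:03:30Z dave PUSH_TIMEOUT 203.0.113.22
"""

WINDOW = timedelta(minutes=10)  # look-back window for counting prompts (assumed)
MAX_PROMPTS = 3                 # prompts per window a legitimate user rarely exceeds (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, ip)."""
    ts, user, event, ip = line.split()
    # Normalise the trailing "Z" so fromisoformat() accepts it on older Pythons.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, user, event, ip


def detect_push_fatigue(log_text, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: finding} for every user who received more than
    `max_prompts` push challenges inside `window`.  A finding records the
    size of the burst, how many prompts were timed out or denied, whether an
    approval followed the burst, and the response a defender would take."""
    by_user = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            event = parse_line(raw)
            by_user[event[1]].append(event)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        sent = [e[0] for e in events if e[2] == "PUSH_SENT"]

        # Sliding window over PUSH_SENT timestamps: stop at the first burst.
        burst = None
        start = 0
        for i, t in enumerate(sent):
            while t - sent[start] > window:
                start += 1
            if i - start + 1 > max_prompts:
                burst = (t, i - start + 1)
                break
        if burst is None:
            continue

        burst_end, count = burst
        approved_after = any(e[2] == "PUSH_APPROVED" and e[0] >= burst_end
                             for e in events)
        unanswered = sum(1 for e in events
                         if e[2] in ("PUSH_TIMEOUT", "PUSH_DENIED"))
        findings[user] = {
            "prompts_in_window": count,
            "unanswered": unanswered,
            "approved_after_burst": approved_after,
            # An approval after a burst means the session should be treated as
            # attacker-controlled until re-verified with a phishing-resistant factor.
            "action": ("revoke sessions, require phishing-resistant re-auth"
                       if approved_after else "suppress further pushes, notify user"),
        }
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, finding)
```

In the sample, `alice` shows the full Uber-style sequence (four prompts in under five minutes, then an approval) and `dave` shows a burst that was never approved; `bob` and `carol` are ordinary logins that stay below the threshold. The same counting logic is what an identity provider's rate limit or number-matching policy is meant to short-circuit: after a handful of unanswered prompts, stop sending pushes rather than wait for the user to give in.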

“At the end of the day, the flexibility of how you can abuse corporate accounts to move laterally and pivot over to other applications in the cloud—there are just so many different ways that attackers can use enterprise credentials,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “That's why phishing is so extremely popular with cybercriminals, because of that return on investment.”

There are stronger ways to implement two-factor authentication, and the new generation of “password-less” login schemes or “Passkeys” from the industry FIDO2 standard promise a much less phishable future. But organizations need to actually start implementing these more robust protections so they're in place when a ransomware actor (or restless teen) starts poking around.

“Phishing is obviously a huge problem, and most of the things that we normally think of as multifactor authentication, like using a code generator app, are at least somewhat phishable, because you can trick someone into revealing the code,” says Jim Fenton, an independent identity privacy and security consultant. “But with push notifications, it’s just too easy to get people to click ‘accept.’ If you have to plug something directly into your computer to authenticate or use something integrated with your endpoint, like a biometric sensor, those are phishing-resistant technologies.”

Keeping attackers from clawing their way into an organization through phishing isn't the only problem, though. As the Uber incident showed, once Lapsus$ had compromised one account to gain access, they were able to burrow deeper into Uber's systems, because they found credentials for internal tools lying around unprotected. Security is all about raising the barrier to entry, not eliminating all threats, so strong authentication on external-facing accounts would certainly have gone a long way toward stopping a group like Lapsus$. But organizations must still implement multiple lines of defense so there's a fallback in case one is breached. 

In recent weeks, former Twitter security chief Peiter “Mudge” Zatko has publicly come out as a whistleblower against Twitter, testifying before a US Senate committee that the social media giant is woefully insecure. Zatko's claims—which Twitter denies—illuminate how high the cost could be when a company's internal defenses are lacking.

For its part, Lapsus$ may have a reputation as an outlandish and oddball actor, but researchers say that the extent of its success in compromising massive companies is not just remarkable but also disturbing.

“Lapsus$ has highlighted that the industry must take action against these weaknesses in common authentication implementations,” Demirkapi says. “In the short term we need to start by securing what we currently have, while in the longer term we must move toward forms of authentication that are secure by design.”

No wakeup call ever seems sufficiently dire to produce massive investment and quick, ubiquitous implementation of cybersecurity defenses, but with Lapsus$, organizations may have an additional motivation now that the group has shown the world just how much is possible if you're talented and have some time on your hands.

“Cybercriminal enterprises are exactly the same as legitimate businesses in the sense that they look at what other people are doing and emulate the strategies that prove successful,” Emsisoft's Callow says. “So the ransomware gangs and other operations will absolutely be looking at what Lapsus$ has done to see what they can learn.”