In recent months, LAPSUS$, a cybercriminal group, has taken responsibility for several high-profile attacks on technology companies including :
- T-Mobile (April 23, 2022)
- Globant
- Okta
- Ubisoft
- Samsung
- Nvidia
- Microsoft
- Vodafone
LAPSUS$ also managed to launch an attack on the Brazilian Ministry of Health with ransomware.
While high-profile cyber-attacks are certainly nothing new, there are several things that make LAPSUS$ unique.
- The alleged mastermind of these attacks and several other alleged accomplices were all teenagers.
- Unlike more traditional ransomware gangs, LAPSUS$ has a very strong social media presence.
- The gang is most well-known for its data exfiltration. The gang has stolen source code, proprietary information, and leaked it on the Internet.
LAPSUS$ stolen credentials
In the case of Nvidia, for example, the attackers gained access to hundreds of gigabytes of proprietary data, including information about chips that the company is developing. Perhaps more disturbing; however, LAPSUS$ claims to have stolen the credentials of thousands of Nvidia employees. Various tech news websites report different numbers. It is unclear how many credentials were stolen. However, Specops was able to obtain approximately 30,000 passwords that were compromised in the breach.
Cyber extortion
There are two main takeaways that organizations should pay close attention to from the LAPSUS$ attack. The first is that the LAPSUS$ ransomware attack clearly shows that cybercriminals no longer just want to run simple ransomware operations. Rather than just encrypting data as has so often been done in the past, LAPSUS$ seems far more focused on cyber extortion. LAPSUS$ is able to gain access to the most important intellectual property of an organisation and threatens to release that information if a ransom payment is not made.
A technology company could conceivably suffer irreparable harm by having its source code, product roadmap, or research and development data leaked, especially if that data were to be made available to competitors.
Although the LAPSUS$ attack has so far been primarily targeted at technology companies, it is possible for any company to be a victim. As such, all companies must carefully consider what they can be doing to keep their most sensitive data out of the hands of cybercriminals.
Weak passwords at play
Another important lesson from the LAPSUS$ attack was that, while it is not clear how attackers got access to victim networks’ networks and their identities are unknown, the Nvidia credentials list that was obtained by Specops clearly shows that employees used weak passwords. Some of these passwords were common words (welcome, password, September, etc. These passwords are highly susceptible to dictionary attacks. Many other passwords included the company name as a part of the password (nvidia3d, mynvidia3d, etc.). One employee went as far as using the name Nvidia for their password.
While it’s possible for attackers to use a different initial penetration technique than one that relied on harvested credentials, it is more probable that they used weak credentials as a key part of the attack.
This, of course, raises the question of what other companies can do to prevent their employees from using similarly weak passwords, making the organization vulnerable to attack. Setting up a password policy that requires lengthy and complex passwords is a good start, but there is more that companies should be doing.
Protecting your own organization from a similar attack
One key measure that organizations can use to prevent the use of weak passwords is to create a custom dictionary of words or phrases that are not permitted to be used as a part of the password. In the Nvidia attack employees used Nvidia as either their password or as part of their password. To prevent passwords containing Nvidia from being entered, a custom dictionary might have been created.
Another, even more important way that an organization can prevent the use of weak passwords is to create a policy preventing users from using any password that is known to have been leaked. A password that has been leaked is typically hashed, and then the hash is added to a list of password hashes. If an attacker acquires a password hash they can simply compare the hash to the hash database, quickly revealing the password without having to perform a time-consuming brute force or dictionary-based crack.
Specops Password Policy gives admins the tools that they need in order to ensure that users avoid using weak passwords or passwords that are known to have been compromised. Specops makes it easy to create a password policy that complies with common password standards, such as those defined by NIST. In addition to setting length and complexity requirements, however, Specops allows admins to create dictionaries of words that are not to be used as a part of a password. Specops also has a massive database that contains billions of passwords leaked. This database can automatically check passwords against users, so that they are not able to use passwords known to be compromised.
