Monthly Breach Report: April 2022 Edition

Hacking and hacking back, March was certainly a busy month for cyber-attacks. From Microsoft to TransUnion South Africa, these are some of the biggest threats cybersecurity saw last month.

Notorious Hacker Gang Lapsus$ Posts Stolen Source Code from Microsoft . . .

In March, the Lapsus$ hacking group, infamous for its “pure extortion and destruction model” operations, breached Microsoft’s Azure DevOps server, stealing source code from three of its services: Bing, Bing Maps, and Cortana. Microsoft confirmed the breach and asserted no customer code or data was compromised.

Lapsus$ attackers entered the network through a single Microsoft employee account, according to Microsoft. Soon after the breach, the thieves boasted of the crime via its Telegram channel, according to BleepingComputer. The post included a torrent file exposing partial source code, which the hackers claimed contained “90% of the source code for Bing and approximately 45% of the code for Bing Maps and Cortana.”  According to Microsoft, its cybersecurity response team busted the Lapsus$ attackers in the middle of their illegal activity.

In a company blog, Microsoft’s Threat Intelligence Center, MSTIC, noted that the hacking group, also known as “DEV-0537,” has targeted major companies and governments globally, across all industries. MSTIC says that DEV-0537 is unique in its tactics in that the group doesn’t bother to cover its tracks and brags openly of “their attacks on social media.” They also advertise “their intent to buy credentials from employees of target organizations.” These announcements, says MSTIC, are part of an effort to recruit employees, suppliers, and business partners of  organizations they are targeting. The group offers payments to willing accomplices for information and access to targeted networks.

The overall goal, said MSTIC, is to “gain elevated access” which often results in extortion: “Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”
Once inside a company’s network, the hackers then use “publicly available tools to explore an organization’s user accounts” to gain further access, according to TechCrunch. Lapsus$ often targets “development and collaboration platforms, such as Jira, Slack and Microsoft Teams, where further credentials are stolen.” The group uses this information to “gain access to source code repositories on GitLab, GitHub and Azure DevOps, as it did with the attack on Microsoft.”

Over the last several months, the Lapsus$ gang has made a name for itself by compromising other well-known companies, including Nvidia, Samsung, and Okta. The group’s notorious crimes have attracted a fan base. Its Telegram channels, which announce new leaks and attacks, have over 33,000 subscribers. The group also actively communicates with more than 8,000 participants on its chat channel.

Sources

• TechCrunch
• Microsoft Security blog
• BleepingComputer

. . . And Lapsus$ Hacker Group Claims Nvidia Hacked Back

The Lapsus$ ransomware gang also recently claimed responsibility for stealing 1 TB of data from tech giant Nvidia. The group then leaked the data on its Telegram channel, which included credentials for all Nvidia employees. Nvidia confirmed the hackers connected to its network in late February via access to the employee VPN, specifically exploiting a PC requirement to be enrolled in Mobile Device Management. Lapsus$ later announced on Telegram that Nvidia responded by infiltrating their network with ransomware but was unsuccessful: “Yes [Nvidia] successfully encrypted the data. However we have a backup and it’s safe from scum! We are not hacked by competitor groups or any sorts.”

Brett Callow, a threat analyst at Emsisoft, later tweeted, “While hacking back may not be common, it’s certainly not unheard of either. Ransoming the ransomers can obviously prevent them from leaking stolen data.” Nvidia confirmed the hack but did not admit to hacking back.

Although, cybersecurity experts and the media often refer to Lapsus$ as a hacker “gang,” a recent report from Bloomberg asserts that the Lapsus$ attacks have now been traced “to a 16-year-old living at his mother’s house near Oxford, England.” The news outlet did not name the hacker, only that they use the online handle “White” and “breachbase.” The minor has not been publicly accused by law enforcement of any wrongdoing.

Sources

• BleepingComputer
• @BrettCallow (Twitter)
• Security Affairs
• Bloomberg News

Brazilian N4ughtySec Group Sets Ransomware Attack on South African Credit Bureau

Brazilian hackers calling themselves the “N4ughtySec Group” recently hacked the network of TransUnion South Africa. They are demanding a ransom of $15 million. The group claims to have gained access to TransUnion’s network through an employee’s weak password. On its website, TransUnion acknowledged the ransomware attack and stated that 3 million South African consumers and 600K businesses were affected. The company warns that the following information has been exposed:

For consumers:

• name, ID number, date of birth, gender, telephone number, email address, address, marital status and information, identity of employer and duration of employment, vehicle finance contract number, and VIN numbers.
• spouse information, passport numbers, credit or insurance scores may be impacted.

Each consumer may have a combination of different fields impacted, depending on what data was available.

For businesses:

• Company registration number, TransUnion business reference number, business name, business type (public, sole proprietor, etc.), business address, business contact number, email address, business credit scores, industry sector classification code and description; principal ID number, principal name and surname, and principal position (director, trustee, representative, member, etc.).

Each business may have a combination of different fields impacted, depending on what data was available. TransUnion warns affected companies that “criminals can use this information to trick you or your employees into disclosing your confidential banking details,” which could then be used for “application fraud or the changing of banking details via an email compromise.”

South African news site ITWeb reports that TransUnion has no plans to pay the ransom.

Sources

• CyberScoop
• ITWeb
• TransUnion

Hacktivist “Anonymous” Dedicates Attack on Russian Pipeline Company to Hillary Clinton

In February, Ukraine’s deputy prime minister Mykhailo Fedorov announced the creation of a volunteer-led cyber army, enlisting the aid of “hacktivists” worldwide to take digital actions against Russia. The group, known as the “IT Army,” has conducted multiple attacks across Russian industries and organizations, including DDoS attacks on the Moscow Stock Exchange and the Kremlin’s website, according to The Verge.

One of the group’s latest attacks was by “Anonymous,” targeting Transneft, Russia’s juggernaut state-controlled oil pipeline. The Verge reports “Anonymous” published a link on the leak-hosting website “Distributed Denial of Secrets,” which granted access to 79GB of emails from the Omega Company, the research and development division of Transneft. The emails include “file attachments containing invoices and product shipment details and image files showing server racks and other equipment configurations.”

In addition to sharing the stolen emails, “Anonymous” dedicated the hack to Hillary Clinton, who, during a recent interview with MSNBC, encouraged cyberattacks against Russia. She stated:

People who love freedom and understand that our way of life depends on supporting those who believe in freedom as well, could be engaged in cyber support of those in the streets in Russia.

Hacktivist groups supporting Ukraine have warned companies that continue to do business with Russia that they should “cease operations with Russia or face consequences.”

Sources

• daily dot
• SecurityWeek
• The Verge

US Public School Security Breach Exposes Data of 820,000 NYC Students

The personal information of 820,000 current and former students of the New York City Public School System (NYCPSS) has been hacked, according to NBC New York. The breach occurred within the system’s online grading and attendance system, Skedula and PupilPath. Both platforms belong to California-based Illuminate Education, which has acknowledged that the information was compromised due to its cybersecurity protocols. The company misrepresented its cybersecurity measures “by certifying that it encrypts all student data when in fact the company left some of it unencrypted,” reports NY Daily News. In the state of NY, leaving such data unprotected is illegal. The NYPSS halted use of both platforms while the scope and source of the breach was assessed. As of press time, the criminals responsible for the attack had not been identified.

The U.S. Department of Education (DOE) reported that compromised data includes:

• names, birthdays, ethnicities, home languages, and student ID numbers of current and former public-school students going back to the 2016-17 school year
• school services received, including special education services
• class and teacher schedules
• the names of students who receive free lunch

Illuminate waited two months before notifying the school system of the breach. The company has agreed to allow the DOE to review its cybersecurity safeguards to determine if any laws were broken and to “to verify its cybersecurity safeguards,” reports the Daily News. Doug Levin, of K-12 Security Information Exchange, stated that many cybersecurity incidents in schools “originate with software vendors.”

Sources

• NBC New York
• New York Daily News
• StateScoop

Viasat’s Broadband Service in Ukraine Knocked Out by “AcidRain” Malware

On February 24, the same day that Russia invaded Ukraine, the California-based satellite communications giant Viasat reported a cyber-attack causing network outages for broadband customers across Ukraine and Europe. The outage was initially surmised by Viasat to be an attack on the ground infrastructure of Viasat’s KA-SAT satellite network in Ukraine. The company later confirmed details of the breach in an incident report summary, which noted that “a targeted denial of service attack was first detected when high volumes of focused, malicious traffic made it difficult for many modems to remain online. The traffic emanated from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment physically located within Ukraine.”

Cybersecurity research firm SentinelLABS followed up on Viasat’s assessments, identifying the specific culprit disabling modems in Ukraine as a new ELF-MIPS malware they dubbed “AcidRain.” The malware was designed to wipe modems and routers. The company asserted that AcidRain is “the seventh wiper malware associated with the Russian invasion of Ukraine.” Viasat confirmed the cyber researcher’s findings in a Tweet to an editor at TechCrunch:

The analysis in the SentinelLABS report regarding the ukrop binary is consistent with the facts in our report—specifically, SentinelLABS identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described.

SentinelLABS also stated that AcidRain shares similarities with a VPNFilter stage 3 destructive plugin: “In 2018, the FBI and Department of Justice attributed the . . . campaign to the Russian government.” Viasat said that no customer data was compromised and that it is still working to bring customers back online.

Sources

• PC Mag
• SentinelLABS
• @zackwhittaker (TechCrunch tech editor Twitter account)
• ZDNet

Data breaches are expensive and time-consuming to unravel. Keep your company out of data breach headlines with help from PKWARE. See a demo of our full end-to-end discovery and protection solution.