In recent months, a cybercriminal gang known as LAPSUS$ has claimed responsibility for a number of high-profile attacks against technology companies, including:
- T-Mobile (April 23, 2022)
In addition to these attacks, LAPSUS$ also successfully launched a ransomware attack against the Brazilian Ministry of Health.
While high-profile cyber-attacks are certainly nothing new, there are several things that make LAPSUS$ unusual.
- The alleged mastermind of these attacks and several other alleged accomplices were all teenagers.
- Unlike more traditional ransomware gangs, LAPSUS$ has a very strong social media presence.
- The gang is best known for data exfiltration. It has stolen source code and other proprietary data and has often leaked this data on the Internet.
LAPSUS$ stolen credentials
In the case of Nvidia, for example, the attackers gained access to hundreds of gigabytes of proprietary data, including information about chips that the company is developing. Perhaps more disturbing, however, LAPSUS$ claims to have stolen the credentials of thousands of Nvidia employees. The exact number of credentials stolen is somewhat unclear, with various tech news sites reporting differing numbers. However, Specops was able to obtain roughly 30,000 passwords that were compromised in the breach.
The rise of cyber extortion
There are two major takeaways from the LAPSUS$ attacks that organizations must pay attention to. First, the LAPSUS$ attacks clearly illustrate that gangs of cybercriminals are no longer content to perform run-of-the-mill ransomware attacks. Rather than simply encrypting data, as has so often been done in the past, LAPSUS$ seems far more focused on cyber extortion: it gains access to an organization's most valuable intellectual property and threatens to leak that data unless a ransom is paid.
A technology company could conceivably suffer irreparable harm from having its source code, product roadmap, or research and development data leaked, especially if that data were made available to competitors.
Even though the LAPSUS$ attacks have so far focused primarily on technology companies, any organization could conceivably become a victim of such an attack. As such, all companies should carefully consider what they could be doing to keep their most sensitive data out of the hands of cybercriminals.
Weak passwords at play
The other important takeaway from the LAPSUS$ attacks is that, while there is no definitive information about how the attackers gained access to their victims' networks, the list of leaked Nvidia credentials acquired by Specops clearly shows that many employees were using extremely weak passwords. Some of these passwords were common words (welcome, password, September, etc.), which are extremely susceptible to dictionary attacks. Many other passwords included the company name as part of the password (nvidia3d, mynvidia3d, etc.). At least one employee even went so far as to use the word Nvidia as their password!
While it is entirely possible that the attackers' initial entry did not rely on harvested credentials, passwords this weak fall to the simplest dictionary or password-spraying attack, so it is likely that they played a pivotal role somewhere in the attack, whether for initial access or for moving between accounts once inside.
This, of course, raises the question of what other companies can do to prevent their employees from using similarly weak passwords and leaving the organization vulnerable to attack. Setting up a password policy that requires long and complex passwords is a good start, but there is more that companies should be doing. Note that current guidance (NIST SP 800-63B) places more weight on length and on screening new passwords against lists of known-compromised values than on composition rules alone.
Protecting your individual group from an analogous assault
One key measure that organizations can use to prevent the use of weak passwords is to create a custom dictionary of words or phrases that are not permitted to appear anywhere in a password. Remember that in the Nvidia attack, employees often used the word Nvidia either as their password or as a component of their password. A custom dictionary could have been used to prevent any password from containing the word Nvidia, including obvious variations such as nvidia3d.
Another, even more important way that an organization can prevent the use of weak passwords is to create a policy that blocks any password known to have been leaked. When passwords leak, the plaintexts and their hashes end up in attacker wordlists and lookup tables. Because Active Directory's NTLM hashes are unsalted, an attacker who obtains a password hash can simply compare it against such a table and recover the password immediately, without having to perform a time-consuming brute-force or dictionary-based crack. Defenders can use the same data in reverse: check each new password against the database of known-compromised passwords and reject it if it appears there.
Specops Password Policy gives admins the tools they need to ensure that users avoid weak passwords and passwords that are known to have been compromised. Specops makes it easy to create a password policy that complies with common password standards, such as those outlined by NIST. In addition to setting length and complexity requirements, Specops allows admins to create dictionaries of words that are not to be used as part of a password. Additionally, Specops maintains a database of billions of leaked passwords. Users' passwords can be automatically checked against this database, preventing users from choosing a password that is known to have been compromised.
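The following Python is an added illustration of the two controls described above (a custom-dictionary check and a breached-password lookup); it is example code written for this article, not Specops' product code or any vendor's implementation. The dictionary entries are taken from the examples quoted in the text, the small list of plaintexts standing in for a breach database is constructed here, and the 12-character minimum is an assumed policy value. The breach lookup is shaped like a k-anonymity range query (only a 5-character SHA-1 prefix would leave the client, and the full hash is compared locally), which is how public breached-password services are commonly queried.

```python
"""Password-policy checks: custom dictionary plus breached-password lookup.

Example code added to this article; not Specops' product code.
"""
from __future__ import annotations

import hashlib
import re
import unicodedata

# Custom dictionary (constructed from the examples quoted in the article):
# terms that must not appear anywhere in a password, in any casing, even
# when disguised with common character substitutions.
CUSTOM_DICTIONARY = {"nvidia", "welcome", "password", "september"}

# Common "leetspeak" substitutions, undone before matching so that
# "NV1D1@3d" is still caught by a dictionary entry of "nvidia".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Assumed policy value for this example.
MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Fold a candidate password to lower-case ASCII letters only.

    Accents are stripped, leetspeak is undone and digits/punctuation are
    dropped, so substring matching against the dictionary cannot be bypassed
    by trivial variations such as nvidia3d or mynvidia3d.
    """
    folded = unicodedata.normalize("NFKD", password).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", folded)


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, upper-case hex (the format used by
    public breached-password range lookups)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password database. It maps a 5-hex-char
# SHA-1 prefix to the set of full-hash suffixes seen in breaches, which is the
# shape of a k-anonymity range-query response. Real services hold hundreds of
# millions of entries; these five plaintexts are only for the example.
_BREACHED_PLAINTEXTS = ["password", "welcome", "Nvidia", "nvidia3d", "Summer2022!"]
BREACHED_RANGES: dict[str, set[str]] = {}
for _plain in _BREACHED_PLAINTEXTS:
    _digest = sha1_hex(_plain)
    BREACHED_RANGES.setdefault(_digest[:5], set()).add(_digest[5:])


def is_breached(password: str) -> bool:
    """Range lookup: fetch the suffixes for the hash prefix, then compare the
    remainder of the full hash locally. Because the hash is unsalted, an
    identical password always yields an identical hash, which is exactly why
    attackers can look leaked hashes up the same way."""
    digest = sha1_hex(password)
    return digest[5:] in BREACHED_RANGES.get(digest[:5], set())


def check_password(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems: list[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    norm = normalize(password)
    for term in sorted(CUSTOM_DICTIONARY):
        if term in norm:
            problems.append(f"contains blocked term '{term}'")
    if is_breached(password):
        problems.append("appears in breached-password database")
    return problems


if __name__ == "__main__":
    # Candidates modelled on the article's examples plus a long passphrase.
    for candidate in ["welcome", "September", "nvidia3d", "myNV1D1@3d",
                      "Nvidia", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Two points worth noting from the code: the dictionary match is performed on the normalized form, so a rule of "must not contain nvidia" also rejects nvidia3d and NV1D1@ without a separate entry for each variation; and the breach check operates on the same unsalted hash an attacker would use, which is what makes the lookup both fast for the attacker and cheap for the defender.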