T-Mobile has confirmed that the extortion group Lapsus$ gained access to its systems “several weeks ago”.
The telecom giant was responding to a report by journalist Brian Krebs, who obtained internal chat logs from a private Telegram channel used by the core Lapsus$ members. The company added that it had contained the breach by cutting off the group’s access to its network and disabling the stolen credentials that were used in the intrusion.
Lapsus$ is a cybercrime gang that came to prominence with its December 2021 attack on the Brazilian Ministry of Health, which took down the ConecteSUS platform holding the COVID-19 vaccination records of millions of Brazilians. More recently, in March 2022, the City of London Police arrested seven people suspected of being connected to the gang.
The private chats uncovered by Krebs show that Lapsus$ members bought T-Mobile VPN credentials on illicit marketplaces such as Russian Market. With these credentials they could reach internal tools such as Atlas, the T-Mobile application used to manage customer accounts. That access is what makes a “SIM-swapping” attack possible: the attacker moves the victim’s phone number onto a SIM card the attacker controls, so that calls and text messages for that number, including one-time codes sent for multi-factor authentication and password resets, are delivered to the attacker instead of the victim.
After gaining access to Atlas, the Lapsus$ members also attempted to compromise the T-Mobile accounts associated with the FBI and the Department of Defense, but failed because an additional verification step was required on those accounts.
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” said a spokesperson from T-Mobile.
T-Mobile said that despite the intruders reaching the internal Atlas system, no sensitive information was exposed. “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value,” T-Mobile added.
“Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
The attacks carried out by Lapsus$ are not technically sophisticated. They typically begin with credentials bought from underground marketplaces such as Russian Market, followed by attempts to get past multi-factor authentication with social-engineering tricks, for example persuading or pestering an employee into approving a push prompt.
“From a security pro who fought LAPSUS$: It forces us to shift thinking about insider access. Nation states want longer, strategic access; ransomware groups want lateral movement. LAPSUS$ asks: What can this account get me in the next 6 hours? We haven’t optimized to defend that,” Brian Krebs wrote on Twitter on March 24, 2022.
Organizations should prepare for groups like Lapsus$: the low-tech techniques it has used against major organizations can easily be copied by others. The group has also put the insider-threat problem back in the spotlight, since a purchased employee credential grants the same access as a malicious insider, and forces organizations to confront how much a single account can reach in a few hours. The failed attempts on the FBI and Department of Defense accounts illustrate the point: the extra verification step on those accounts was what stopped the attackers.
“Threats like Lapsus$ won’t go away. There is a lot of money to be made and ‘hacker clout’ to be gained”, said Karl Sigler, Senior Security Research Manager, Trustwave SpiderLabs.
Several Attacks on T-Mobile Over the Years
T-Mobile has suffered six separate data breaches since 2018. A leaky API exposed the data of 2.3 million customers in 2018, and in 2019 a breach affected 1.26 million prepaid customers.
In August 2021 T-Mobile suffered another data breach in which records of more than 40 million people were stolen. The records belonged to former or prospective customers who had applied for credit with the company.
The stolen records were put up for sale the same year; the breached data included personally identifiable information such as Social Security numbers, phone numbers and account security PINs.
Reported By: Sagar Tiwari, an independent security researcher and technical writer.