The company confirmed this information, saying that a few weeks ago, hackers penetrated the company’s network, gained access to internal tools and source codes. It is emphasized that at the same time, the attackers were unable to steal confidential information about T-Mobile customers.

Let me remind you that we have already talked about the strange hack group Lapsus$, which blackmailed Nvidia, leaked the source codes of Microsoft, as well as Ubisoft, and Samsung, compromised Okta, but fame for hackers was clearly more important than financial gain.

The well-known investigative journalist Brian Krebs, who has specialized in information security for many years and has repeatedly exposed various hack groups and helped law enforcement officers in their investigations, reported on the T-Mobile hack.

Krebs, who got into the private chats of the group members, writes that the attack on T-Mobile took place some time ago, even before the arrests of seven alleged Lapsus$ members, which UK law enforcement agencies reported at the end of March 2022.

According to the chat logs, the VPN credentials that the group used for initial access were purchased and stored on the dark web, on sites such as Russian Market. The goal of the attackers was to compromise the accounts of T-Mobile employees, which ultimately allowed them to carry out SIM-swap attacks.

In addition to accessing an internal customer account management tool called Atlas, the hackers’ discussions suggest they gained access to Slack and Bitbucket accounts, using the latter to download 30,000 source code repositories.

At the same time, hackers were looking for T-Mobile accounts associated with the FBI and the US Department of Defence in Atlas (see screenshot below). To their disappointment, it turned out that additional verification procedures were needed to work with such accounts.

Interestingly, after failing to keep records of the FBI and other intelligence agencies, the leader of the group, a 17-year-old teenager from the UK, known by the nicknames White, WhiteDoxbin and Oklaqq, told other hackers to focus on stealing source codes and breaking the VPN connection with Atlas, which WhiteDoxbin considered “garbage”. The other members of the band were extremely unhappy with this decision.

After the publication of Krebs’s article, T-Mobile representatives confirmed the hack. The company stated:

The post T-Mobile Admits that Lapsus$ Hack Group Stole Its Source Codes appeared first on Gridinsoft Blog.

The operation was reportedly prepared by the authorities of the United States, Great Britain, Sweden, Germany, Portugal and Romania for more than a year.

The US Department of Justice writes that the site administrator, known by the nickname Omnipotent, was arrested on January 31, 2022 in the UK, and he has already been charged. He was in custody from the time of his arrest until the completion of the extradition proceedings.

Since 21-year-old Portuguese citizen Diogo Santos Coelho was hiding behind the pseudonym Omnipotent, it turns out that he launched RaidForums when he was 14 years old, since the site has been running since 2015.

Law enforcers seized the domains hosting RaidForums: raidforums.com, rf.ws and raid.lol.

According to statistics from the US Department of Justice, in total, more than 10 billion unique records from hundreds of hacked databases were put up for sale on the marketplace, including those affecting people living in the United States. In turn, Europol reports that RaidForums had more than 500,000 users and was “one of the largest hacker forums in the world.” It is worth adding here that we are talking about English-language resources.

It is not yet known how long the investigation took overall, but law enforcement seems to have managed to get a pretty clear picture of the RaidForums hierarchy. The Europol press released notes that the people who supported the work of RaidForums were engaged in administration, money laundering, stolen and uploaded data to the site, and also bought stolen information.

At the same time, Diogo Santos Coelho, mentioned above, allegedly controlled RaidForums from January 1, 2015, that is, from the very beginning, and managed the site with the support of several administrators, organizing a structure to promote the purchase and sale of stolen data. To make a profit, the forum charged users for various membership levels and sold credits that allowed members to gain access to more privileged areas of the site or to stolen data posted on the forum.

Coelho also acted as an intermediary and guarantor between the parties, making transactions, undertaking to see that buyers and sellers would honor the agreements.

Bleeping Computer writes that back in February 2022, criminals and security researchers suspected that RaidForums had been taken over by law enforcement, as the site began displaying a login form on every page. When trying to enter the site, it simply showed the login page again, and many suspected that the site was taken over and this was a phishing attack by law enforcement agencies who are trying to get the attackers’ credentials.

On February 27, 2022, the raidforums.com DNS servers changed completely to jocelyn.ns.cloudflare.com and plato.ns.cloudflare.com, which only convinced the hackers that they were right. The fact is that in the past these DNS servers were used by other sites seized by the authorities, including weleakinfo.com and doublevpn.com.

RaidForums, which appeared back in 2015, has recently become widely known due to ransomware operators who leaked data stolen from victims to the site in order to force them to pay a ransom. For example, this tactic was previously used by Babuk and Lapsus$ operators.

However, earlier, when the resource was not so popular, its community specialized in swatting, as well as raiding, which The US Department of Justice describes it as “publishing or sending a huge number of contacts to the online medium that the victim uses to communicate.”

In recent years, the marketplace has been a favorite place for hackers to sell stolen databases or simply share them for free with other forum members.

Let me remind you that we also talked about the fact that Hydra Market Shut Down by the German Authorities.

The post Law enforcement officers closed the hacker resource RaidForums appeared first on Gridinsoft Blog.

As evidence of the hack, the hackers first posted a screenshot showing a list of folders with the names of various companies from around the world, including Arcserve, Banco Galicia, BNP Paribas Cardif, Citibanamex, DHL, Stifel, and others.

A little later, the group also posted a torrent file containing 70 GB of source code allegedly stolen from Globant, as well as administrator passwords associated with Atlassian firms (including Confluence, Jira and Crucible).

According to the research group VX-Underground, Lapsus$ members mocked the Globant administrators and separately published some of the passwords they used. The problem is that credentials like “admin” or “admin2” are hardly reliable, easy to guess, and often reused across the company.

Representatives of Globant have not yet commented on the incident.

Let me remind you that lately the Lapsus$ hacker group has become a real cyber sensation and does not leave the front pages of IT publications around the world. These guys blackmailed Nvidia, leaked the source codes of Ubisoft, Microsoft and Samsung and compromised Okta. As the media and experts now report, the leader of this hack group may be a 17-year-old teenager from the UK, moreover, he was recently arrested by the authorities.

As Flashpoint experts noted, Lapsus $ differs from other extortion groups in that it does not encrypt the files of its victims, but penetrates the company’s network, gains access to important files, steals them, and then threatens to leak data if it is not paid a ransom.

It should also be added that Lapsus$ does not have its own “leak site” where it publishes or sells the data of its victims. All leaks and communication “with the public” take place on the hackers’ Telegram channel, which has more than 52,000 subscribers, or by mail, and the stolen data is even distributed via torrents.

In total, 19 companies and organizations have become victims of Lapsus$, while 15 of them are located in Latin America and Portugal.

The post Hack group Lapsus$ returned from “vacation” and announced the hacking of Globant appeared first on Gridinsoft Blog.

Between January 16 and 21, 2022, hackers had access to a support engineer’s laptop and the company now admits the hack should have been made public sooner.

In the company blog, Okta representatives expressed regret that they did not disclose details about the Lapsus$ hack earlier, and also shared a detailed chronology of the incident and its investigation. I note that after the news of the hack, the company’s shares fell by 20% in less than a week.

As it turns out, the hack affected Sitel, Okta’s third-party customer support provider.

Okta says it made a mistake at this stage, because ultimately Okta itself is responsible for its contracted service providers (such as Sitel). The statement also emphasizes that in January the scale of the incident was seriously underestimated, because then it seemed that everything was limited to an unsuccessful attempt to take over the account of a Sitel support engineer. In any case, the cybercriminalists involved in the investigation of the incident came to such conclusions.

Okta reiterated that the attack affected only 2.5% (366 companies) of customers, and also emphasized that the compromised Sitel engineer account could be used to repeatedly reset user passwords, but could not be used to log into their accounts, had limited access to Jira tickets and support systems, and was unable to upload, create, or delete customer records.

As a reminder, the hackers last week disputed Okta’s claim that the hack was generally unsuccessful, claiming that they” logged into the portal [as] superuser with the ability to reset the password and MFA for ~ 95% of clients.”

Let me also remind you that we were told that Lapsus$ hack group stole the source codes of Microsoft products.

The post Management of Okta admitted they didn’t immediately disclose details about the Lapsus$ attack in vain appeared first on Gridinsoft Blog.

The hack group Lapsus$ has only recently entered the scene, but has already compromised Microsoft, Nvidia, Ubisoft and other major companies.

One of the latest messages in the hack group’s Telegram channel states that some Lapsus$ members are going on vacation until the end of March.

The publication Bleeping Computer notes that the exact size and composition of the group is unknown, but it seems that the members of the group speak English, Russian, Turkish, German and Portuguese.

Almost simultaneously with the appearance of this message on the hacker channel, the BBC reported that earlier this week the police in London arrested seven people aged 16 to 21 “in connection with the investigation into the activities of the hacker group.”

The names of the detainees were not disclosed, but this week the media already wrote that the real identities of some Lapsus $ participants were declassified by rival hackers. In particular, according to Bloomberg, the leader of the group is a 17-year-old teenager from English Oxford, who uses the nicknames White and Breachbase.

It is believed that due to his hacking activity, he accumulated more than 300 BTC (about $13 million at the current exchange rate), including by swapping SIM cards. Along with this information, his real name, home address, date of birth, educational details, and even personal photos with his family were published.

Apparently, the alleged leader of the group was among those arrested (among them is a teenager from Oxford). His father told the TV channel that he did not know what his son was doing:

Let me remind you that we also said that Hackers attack hackers by spreading malware on underground forums.

The post British police announced the arrest of several members of the Lapsus$ group appeared first on Gridinsoft Blog.

Over the weekend, a screenshot appeared on the Lapsus$ Telegram channel demonstrating that hackers attacked the Microsoft Azure DevOps server and got to the sources of Bing, Cortana and various other projects of the company.

On Monday evening, the group then torrented a 9 GB 7zip archive containing the source code for more than 250 projects that they say are owned by Microsoft.

Lapsus$ states that the archive contains 90% of the Bing source code and approximately 45% of Bing Maps and Cortana code, while Bleeping Computer reports that the uncompressed archive contains approximately 37 GB of source code. At the same time, according to the hackers, only part of the source code got into the dump.

Researchers that have already examined the leak confirm that the files are indeed internal Microsoft source codes. Additionally, some of the projects are reported to contain emails and documentation that were clearly used by Microsoft engineers internally to publish mobile apps.

Apparently, these projects are intended for web infrastructure, sites or mobile applications, and the sources for desktops, including Windows, Windows Server and Microsoft Office, have not been published.

Microsoft representatives say they already know about this leak, and the company is investigating what happened.

Soon, representatives of Microsoft, which tracked Lapsus$ under the identifier DEV-0537, confirmed the compromise.

Let me remind you that the Lapsus$ extortionist group breaks into corporate systems and steals source codes, customer lists, databases and other valuable information from companies. At the same time, attackers very rarely use a ransomware. More often, hackers simply extort ransoms from victims, demanding money, and otherwise cajoling to publish the stolen data. Previously, Lapsus$ has already attacked such giants as Samsung, Nvidia, Vodafone, Ubisoft and Mercado Libre.

Let me remind you that I also talked about the fact that 0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues, and also that US and UK accused China for attacks on Microsoft Exchange servers.

The post Lapsus$ hack group stole the source codes of Microsoft products appeared first on Gridinsoft Blog.