May 4, 2022 By Jonathan Reed 2 min read

The cyber criminal organization LAPSUS$ has claimed responsibility for a number of high-profile attacks. Did they give away too much in their bragging? It could be since the City of London police say they have arrested seven teenagers in relation to the gang.

Meanwhile, a 16-year-old from Oxford who goes by the handle ‘White’ or ‘Breachbase’ has been named by rival threat actors and researchers as being connected with LAPSUS$. It has not been confirmed if White was among those arrested.

On the LAPSUS$ Telegram channel, the group has boasted about breaching brands such as Microsoft, NVIDIA, Samsung, Mercado Libre, Vodafone and, more recently, Ubisoft. The rival attackers allege White made up to $14M from his individual attacks.

Highly disruptive LAPSUS$ threat

LAPSUS$ is a particularly disruptive group known for unusual activity, such as polling their subscribers about “What should we leak next?”. The group recently offered three options. The first was to leak 200GB worth of Vodafone source code. The second choice was the source code and databases of Portuguese media corporation Impresa. Lastly, they offered to leak the source code for MercadoLibre and MercadoPago, both Argentinian e-commerce companies.

Apparently, the gang doesn’t make empty threats. In the Samsung incident, LAPSUS$ actors posted a 190GB torrent file to their Telegram channel. The group claimed the file contained confidential source code that exposed Samsung device security systems. The compromised systems reportedly included smartphone biometric authentication algorithms and bootloader source code to bypass OS controls.

On March 24, Microsoft confirmed that the LAPSUS$ group had also breached its company. Threat actors posted a torrent file containing partial source code from Bing, Bing Maps and Cortana. The attackers breached a single employee’s account, granting them “limited access” to Microsoft’s systems and allowing source code theft. According to Microsoft, the attack did not compromise customer code or data.

Attacks and counterattacks

In the NVIDIA attack, parts of the company were offline for two days. Attackers also managed to exfiltrate around 1TB of sensitive data. That included files like GPU driver and GPU firmware source codes. Later, LAPSUS$ threatened to “help mining and gaming community” by leaking a bypass solution for the Lite Hash Rate GPU hash rate limiter. The rogue actors then announced that the full LHR V2 workaround for anything between GA102-GA104 was for sale.

Later, the gang allegedly leaked password hashes from “all NVIDIA employees”. They threatened to release another terabyte of data unless the company paid “a fee”.

In another twist to the story, NVIDIA allegedly struck back at LAPSUS$ and encrypted a virtual machine the attacker group uses. LAPSUS$ stated they had backup files installed.

Teenage LAPSUS$ leader doxxed

According to the BBC report, a rival attacker website doxxed White after an apparent dispute. The rivals posted White’s real name, address and social media pictures. The BBC also reports that the rival group posted a synopsis about White, saying: “After a few years his net worth accumulated to well over 300BTC [close to $14m]… [he] now is affiliated with a wannabe ransomware group known as ‘Lapsus$’, who has been extorting & ‘hacking’ several organizations.”

As reported by Bloomberg, cybersecurity researchers have been tracking White for nearly a year and linked him to LAPSUS$ and other attacks.

“We’ve had his name since the middle of last year and we identified him before the doxxing,” said Allison Nixon, chief research officer at cybersecurity investigation company Unit 221B.

Only time will tell if the recent arrest will bring a halt to criminal activity associated with the LAPSUS$ operation.

More from News

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Ransomware attack on Rhode Island health system exposes data of hundreds of thousands

3 min read - Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid. Governor Dan McKee, addressing the media, called the attack…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today