The cyber criminal organization LAPSUS$ has claimed responsibility for a number of high-profile attacks. Did they give away too much in their bragging? It could be since the City of London police say they have arrested seven teenagers in relation to the gang.

Meanwhile, a 16-year-old from Oxford who goes by the handle ‘White’ or ‘Breachbase’ has been named by rival threat actors and researchers as being connected with LAPSUS$. It has not been confirmed if White was among those arrested.

On the LAPSUS$ Telegram channel, the group has boasted about breaching brands such as Microsoft, NVIDIA, Samsung, Mercado Libre, Vodafone and, more recently, Ubisoft. The rival attackers allege White made up to $14M from his individual attacks.

Highly Disruptive LAPSUS$ Threat

LAPSUS$ is a particularly disruptive group known for unusual activity, such as polling their subscribers about “What should we leak next?”. The group recently offered three options. The first was to leak 200GB worth of Vodafone source code. The second choice was the source code and databases of Portuguese media corporation Impresa. Lastly, they offered to leak the source code for MercadoLibre and MercadoPago, both Argentinian e-commerce companies.

Apparently, the gang doesn’t make empty threats. In the Samsung incident, LAPSUS$ actors posted a 190GB torrent file to their Telegram channel. The group claimed the file contained confidential source code that exposed Samsung device security systems. The compromised systems reportedly included smartphone biometric authentication algorithms and bootloader source code to bypass OS controls.

On March 24, Microsoft confirmed that the LAPSUS$ group had also breached its company. Threat actors posted a torrent file containing partial source code from Bing, Bing Maps and Cortana. The attackers breached a single employee’s account, granting them “limited access” to Microsoft’s systems and allowing source code theft. According to Microsoft, the attack did not compromise customer code or data.

Attacks and Counterattacks

In the NVIDIA attack, parts of the company were offline for two days. Attackers also managed to exfiltrate around 1TB of sensitive data. That included files like GPU driver and GPU firmware source codes. Later, LAPSUS$ threatened to “help mining and gaming community” by leaking a bypass solution for the Lite Hash Rate GPU hash rate limiter. The rogue actors then announced that the full LHR V2 workaround for anything between GA102-GA104 was for sale.

Later, the gang allegedly leaked password hashes from “all NVIDIA employees”. They threatened to release another terabyte of data unless the company paid “a fee”.

In another twist to the story, NVIDIA allegedly struck back at LAPSUS$ and encrypted a virtual machine the attacker group uses. LAPSUS$ stated they had backup files installed.

Teenage LAPSUS$ Leader Doxxed

According to the BBC report, a rival attacker website doxxed White after an apparent dispute. The rivals posted White’s real name, address and social media pictures. The BBC also reports that the rival group posted a synopsis about White, saying: “After a few years his net worth accumulated to well over 300BTC [close to $14m]… [he] now is affiliated with a wannabe ransomware group known as ‘Lapsus$’, who has been extorting & ‘hacking’ several organizations.”

As reported by Bloomberg, cybersecurity researchers have been tracking White for nearly a year and linked him to LAPSUS$ and other attacks.

“We’ve had his name since the middle of last year and we identified him before the doxxing,” said Allison Nixon, chief research officer at cybersecurity investigation company Unit 221B.

Only time will tell if the recent arrest will bring a halt to criminal activity associated with the LAPSUS$ operation.

More from News

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…

Costa Rica State of Emergency Declared After Ransomware Attacks

In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly-elected President Rodrigo Chaves took this measure, usually reserved to deal with natural disasters, to free up the government to react more decisively to the incident. The Russian-based Conti gang has claimed they launched the attack. Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The…

Ransomware-as-a-Service Transforms Gangs Into Businesses

Malware-as-a-Service is getting easier and easier to access, according to a recent threat report. Self-named the ‘Eternity Project’, this cyber threat group offers services from a Tor website and on their Telegram channel. They sell a wide variety of malware in an organized fashion, including stealer, clipper, worm, miner, ransomware and distributed-denial-of-service bot services. This alarms many security professionals. With Eternity, even inexperienced cyber criminals can target victims with a customized threat offering. Eternity sells malware for $90 to $490.…

UK Health System Email Accounts Hijacked to Steal Microsoft Logins

Last summer, I noticed password reset notices in my email account that I didn’t send. I quickly realized that I was the victim of an account takeover. This happens when someone illegally gains access to your account, typically through compromised credentials. I changed my email password right away and learned that my passwords to other accounts had already been changed. To make cleanup even more fun, I found out that the attackers had created new accounts using my credentials. Account…