T-Mobile was the victim of a series of data breaches carried out by the Lapsus$ cybercrime group in March. In a post from Friday, security site KrebsOnSecurity revealed leaked chat messages between members of the Lapsus$ gang in which they discussed targeting T-Mobile employees with social engineering tactics designed to give them access to a victim’s mobile phone number. Known as SIM swapping, this tactic reassigns a phone number to a device owned by the attackers, allowing them to intercept text messages and phone calls for password resets and multi-factor authentication codes.
SEE: Mobile device security policy (TechRepublic Premium)
Using T-Mobile VPN credentials purchased on the dark web, the Lapsus$ members were able to gain access to Atlas, a T-Mobile tool for managing customer accounts, according to KrebsOnSecurity. As some of the gang members argued over whether to focus on the SIM swapping tactic, one person used the access to run an automated script that downloaded more than 30,000 source code repositories from T-Mobile.
In response to the incidents, T-Mobile shared the following statement with KrebsOnSecurity:
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” said T-Mobile. “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
Surfacing around December of 2021, Lapsus$ has made a name for itself with a blend of different tactics, including buying stolen data on the dark web, scanning public code repositories for exposed credentials, using password stealers, paying employees to share sensitive data and employing social engineering tricks to gain access to confidential accounts. Since then, the group has targeted a number of high profile companies, such as Microsoft, Nvidia, Samsung and Okta.
“These high-profile attacks from Lapsus$ highlight just how dangerous stolen credentials and social engineering attacks still remain,” said Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows. “Lapsus$ attacks aren’t highly sophisticated. They usually initiate their attacks by using stolen credentials and then attempt to bypass multi-factor authentication using social engineering schemes. It is likely that Lapsus may be acquiring these credentials from underground marketplaces and AVC sites, such as the Russian market, which offer a variety of credentials for sale at a low price.”
Ironically, the gang’s overt methods of attack and fondness for drawing attention to itself got it into trouble with law enforcement. Following the latest attacks, several active members of Lapsus$ were arrested in March. Despite these key arrests, though, the group still seems to be in business as other members have picked up the slack by staging additional attacks.
The methods used by Lapsus$ also clearly show where organizations are still failing when it comes to cybersecurity.
“Unsurprisingly, stolen credentials continue to be a preferred method of compromise,” said Tim Wade, deputy CTO at Vectra. “Perhaps what is surprising for many organizations is just how many risks exist around credentials and how often an inability to effectively gauge risks to their posture or detect and respond when something goes awry gives an adversary an opportunity to step up to the batter’s box. Organizations need to intentionally think long and hard at not only how they’ll manage risks on the front edge, but how they’ll uncover and expel an adversary post-compromise.”
Many organizations focus on security tools and technologies but neglect to consider the user.
“The TTPs used by Lapsus$ are not novel, but it does highlight a common weakness in cybersecurity — the user,” Righi said. “Even the most secure technical controls may be bypassed by threat actors who are highly skilled in social engineering, and users who use the same credentials across multiple accounts may be putting their organizations at risk.”
More organizations are using multi-factor authentication to protect their user accounts. But the type of MFA implemented makes a big difference in security. The attacks staged by Lapsus$ point to the hazards of using SMS messages or phone calls for MFA, according to Righi, as the group has relied on phone-based social engineering schemes to compromise accounts.