British cops arrest seven in Lapsus$ crime gang probe

British cops investigating a cyber-crime group have made a string of arrests. Though City of London Police gave few details on Thursday, officers are said to be probing the notorious extortionware gang Lapsus$, and have detained and released seven people aged 16 to 21. In a statement, the force said: "Seven people between the …

  1. ShadowSystems

    I'd say to hire them...

    If they're so good at what they did to infiltrate your corporate intranet & make off with hundreds of gigs of data, perhaps you should hire them to harden said networks from similar attacks? Then, if they decide they enjoy their new job, perhaps you can put them to work debugging your source code to remove all the security holes you've obviously missed.

    Just a thought... =-J

    /Snarky Sarcasm.

    1. Doctor Syntax Silver badge

      Re: I'd say to hire them...

      "Then, if they decide they enjoy their new job, perhaps you can put them to work debugging your source code to remove all the security holes you've obviously missed."

      As they seem to have worked substantially if not entirely via stolen credentials I don't think that would be productive and given their lack of operational security I don't think I'd trust them to harden anything.

    2. Dabooka

      Re: I'd say to hire them...

      Swing and a miss

      They don't appear to have relied too heavily on finding new exploits to, er, exploit.

      I suspect after three days at work you would more likely find your wallet and car keys missing.

      1. Michael Wojcik Silver badge

        Re: I'd say to hire them...

        Lapsus$ were successful primarily through extensive research and social engineering. One of their tactics was to gather a long list of employee names and the like, and then swamp help desks with requests for password resets.

        Their differences from other prominent ransomware groups include going after high-profile targets, doing the work themselves rather than recruiting an affiliate network, and making more focused efforts rather than simply going for low-hanging fruit.

        1. Doctor Syntax Silver badge

          Re: I'd say to hire them...

          I'm not sure about successful. From the point of view of someone with experience on the catching side I'd say a successful criminal is one who makes some money, however little, and doesn't get caught. Get caught and they're a failure.

          This lot were advertising for people to supply them with inside information! That's practically ensuring they were going to get caught. This puts them on the same level as the toe-rag who ran away from the scene and lost his cap with his name written inside it or the one who threw away his jacket with his library card in the pocket. Yes, they accumulated a lot of Bitcoin but invited capture.

          1. Cliffwilliams44 Silver badge

            Re: I'd say to hire them...

            Their problem, like most criminals, is that "Once they made the big score they didn't just take their coin and go to ground". They got greedy and thought they were un-catchable.

  2. Doctor Syntax Silver badge

    The linked article from Palo Alto Networks suggests some of their break-ins - obviously Okta for one - were to compromise MFA services. Remind me again why introducing additional potentially weak links improves security.

    1. Ben Tasker

      Adding MFA does improve security.

      Putting all your eggs in one basket, though, not so much.

      The problem with Okta etc is that they're also an authentication provider - they handle your username/password as well as your 2FA. Which makes them both a juicy target and a single point of failure.

      But, the counter argument is: do you leave authentication to a specialist, who has the expertise on hand to detect, prevent and deal with stuff like this, or do you keep it in house where you don't have the resources?

      Using a 3rd party supplier also helps to potentially avoid a Facebook-like outage where your own engineers can't get in to fix things because your in-house auth is down.

      But, Okta's failure to tell customers about a suspected compromise really does undermine both arguments, if you can't trust your auth provider....

  3. Anonymous Coward

    Kids today, eh?

    In my day we were content scouring people's yards for empty bottles just to get the 2 cents return on them.

    International criminal behaviour was for Bond films.

    1. David 132 Silver badge

      Re: Kids today, eh?

      As a child my idea of being a hardened criminal was returning a library book a day late. Tch, kids today indeed.

      1. Plest Silver badge

        Re: Kids today, eh?

        My mates and I, aged about 12, we once smashed up a wooden desk in the park ( don't ask! ) and we thought we were so hard for doing it and making that mess. That was until this 6' 6" copper pulled up in his panda-car, gave us the bollocking of our lives and said we had 15 mins to pile up the mess we'd made by the bins or he was calling in help and we'd be in the cells for the rest of the day! I've never moved so damned fast in my life! Apart from some silliness here and there in my late teens, never so much as got a parking ticket in my life since that day.

  4. Pascal Monett Silver badge

    "We're going to try to stop him from going on computers"

    Buddy, you can do better than try.

    Take his kit and sell it. Be done with it.

    Not blaming the parents for not knowing what was cooking. I spent a whole lot of time on my PC way back when I was in school, and my mother wouldn't have had a clue what I was doing. It was in the days before the Internet, so no hacking involved, I was learning how to program.

    But now that you know, you should act. No pussy-footing around.

  5. Ian Johnston Silver badge

    According to reports in the mainstream press, the kid's autistic, and in a "we already knew about it" sort of way rather than a "the defence dug up an eminent psychologist who diagnosed him for the usual fee" one. It will be interesting to see where this goes in court.

    1. Doctor Syntax Silver badge

      "It will be interesting to see where this goes in court."

      I think we know that already. The defence will call the psychologist or several.

    2. Cav Bronze badge

      Autism isn't a defense. It should be irrelevant. I'm an Aspie. I am an IT professional but I don't go hacking into systems that belong to others. I'm tired of seeing an autism diagnosis being used as mitigation in hacking and even violent crime.

      1. Ian Johnston Silver badge

        I'm tired of seeing an autism diagnosis being used as mitigation in hacking and even violent crime.

        Perhaps, but it looks as if it could be very relevant for some crimes. For example, since autistic people can have difficulty reading and understanding social cues, they are significantly more likely to be the victims and, later on, perpetrators of child sexual abuse.

        My cynicism is triggered, though, when the diagnosis only occurs as part of the defence case in a criminal trial.

  6. Plest Silver badge

    Classic parental excuse

    Quote ring-leader's father: "He's never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games. We're going to try to stop him from going on computers."

    Classic...

    He was a good lad....

    ...he only ever liked playing with guns and shooting small furry animals for fun.

    ...he only ever liked driving his car at 60 through 30 zones as he liked the rush.

    Which leads to....

    "He was a quiet guy, lived on his own, kept to himself. Never bothered anyone. Who could have imagined what happened? You have to be careful with the quiet ones."

  7. Anonymous Coward

    let him continue?

    From the story: "We've had his name since the middle of last year and we identified him before the doxxing," So they let him continue being a super criminal for over 6 months, for what? Wait till they cost people 2 million, 6 million, how much crime do you have to do before you get arrested? Oh, 14 million... crazy governments... no wonder we have so much crime, they might as well encourage it, after all, when they do get arrested they will be "sent home" and told not to use the computer... really??? What the hell.

    1. Doctor Syntax Silver badge

      Re: let him continue?

      I assume that means they had the name and no more. Bear in mind that until the story broke it seems to have been assumed they were South American. Looking for someone of that name in South America would never have found him.

    2. Alan Brown Silver badge

      Re: let him continue?

      In a lot of cases like this you may have the name and details but you don't have _enough_ evidence to make an arrest until additional surveillance allows all the dots to be connected

      The law takes a dim view of preemptively kicking down doors to go on fishing trips for evidence - and for good reason

      1. Doctor Syntax Silver badge

        Re: let him continue?

        They'd also be following the operations to make sure they'd identified everyone involved.

      2. CrazyOldCatMan Silver badge

        Re: let him continue?

        The law takes a dim view of preemptively kicking down doors to go on fishing trips for evidence

        Unless you are a US law enforcement type..

  8. Long John Silver

    Naughtiness exposing incompetence?

    What these boys did should not be condoned. Yet, their actions are those of bright inquisitive youth. Their motivation can be understood. It was fun, and if a few Bitcoin tokens can be collected along the way, so much the better.

    Obviously, they must be set on a different course. However, the long winded punitive legal system benefits neither the boys nor anyone else. Find them challenging computer-related tasks. Show them too possibilities for intellectual challenge and entertainment not involving keyboards. Keep a firm but kindly eye on them.

    The 'victims' of crime have no practicable recourse to compensation other than recovery of missing Bitcoin. Punitive action of destructive nature is merely vengeful.

    The supposedly innocent victims are in the same boat as persons whose household doors and windows are left open whilst valuable items are on display. Put forth temptation and don't be surprised when other people succumb to it. Furthermore it is unlikely many of the 'victims' stand upon high moral ground regarding other aspects of their lives/businesses.

    There's little gained by concentrating on the alleged wickedness of the burglar after having failed to engage a competent locksmith.

  9. Michael Wojcik Silver badge

    More info

    Krebs has a good write-up.

    There are some interesting points in the article. One is that the alleged Lapsus$ leader, the Oxford teen described in this story (whose name has been leaked but I'll follow convention and omit it), was doxxed by members of Doxbin, a doxxing site he purchased a year or so ago. Apparently Doxbin members were not happy with his administration of the site, and he agreed to sell it, but then dumped the content, greatly reducing its value.

    But various organizations such as Unit 221B say they knew who he was before the public doxxing. Apparently some security researchers and the police have had him under investigation for months while they gathered evidence, and 221B's Allison Nixon mentioned alerting some victims before Lapsus$ attacked them.

    Most of the big ransomware organizations are run in a fairly corporatist manner, as shown by the Conti leaks for example, or are run by governments in a bureaucratic or military style. Consequently they optimize for income or damage. Lapsus$ seems to have been going for reputation and press attention, which is not a great strategy for staying in business if you're running a criminal enterprise.
