Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Lapsus$ Hacker Finds Out
As we reported back in September last year, a Oxfordshire teenager was arrested on suspicion of being a key player in attacks on Rockstar Games and Uber. The teenager, now 18, has been identified as Arion Kurtaj, a key member of the Lapsus$ ransomware gang who, along with other teenagers in the UK and Brazil, conducted social engineering and more technical lateral movement exploits in extortion attacks on Rockstar, Uber, Microsoft, BT, Nvidia and Cisco, among others. Along with another 17-year-old (who is still 17, and therefore cannot be named), Kurtaj was charged with counts of blackmail, fraud and offences under the UK's Computer Misuse Act.
Back in July, psychiatrists assessed Kurtaj as autistic and deemed him not fit to stand trial; however, a trial of the other teenager was commenced, during which the jury was asked to determine whether or not he had done the acts alleged, but not whether he did them with criminal intent. They found that he had. The other teenager was found guilty.
Both defendants were unable to resist the temptation to engage in cybercrime. Despite being arrested in January 2022, upon their release they breached Nvidia's systems, using a hired accomplice to call the company's help desk to obtain credentials. They also used MFA push fatigue attacks in order to get employees to verify their logins. They were re-arrested in late March 2022, but upon his release, Kurtaj broke his bail conditions by going online again - in fact, a few weeks after the City of London Police arrested and then released him, he accessed that police force's cloud storage.
So effective were the teenagers that the US DHS ordered its Cyber Safety Review Board to examine and report upon their attacks; their report was released earlier this month, with a number of key recommendations, including a move away from voice and SMS-based MFA in favour of phishing-resistant FIDO-compliant MFA methods.
The teenagers' alleged Brazilian accomplice was arrested in October and will doubtless stand trial in that jurisdiction. Despite the fact that Kurtaj was not fit to stand trial, and did not give evidence, he is remanded in custody and both he and the unnamed teenager will be sentenced by Her Honour Judge Lees at Southwark Crown Court at a later date.
City of London Police, On the evening of Thursday 22 September ..., tweet, 23 September 2022. Available online at https://twitter.com/CityPolice/status/1573281533665972225.
Tidy, Joe, Lapsus$: Court finds teenagers carried out hacking spree, BBC News, 23 August 2023. Available online at https://www.bbc.com/news/technology-66549159.Uncredited, Cisco Talos shares insights related to recent cyber attack on Cisco, blog post, 11 September 2022. Available online at https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html.
Cyber Safety Review Board, Review of the Attacks Associated with Lapsus$ and Related Threat Groups, technical report, 24 July 2023. Available online at https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.