Lapsus$ gang breaches T-Mobile for source code. Conti claims responsibility for Costa Rican ransomware campaign, expands campaign to country's electrical system. - The CyberWire


Lapsus$ gang breaches T-Mobile for source code.


KrebsOnSecurity reports that internal Lapsus$ gang chatter from the week before some of the group's (alleged) members were arrested last month indicated that the gang had made multiple incursions into T-Mobile's systems. For reasons that remain unclear, Lapsus$ exhibited a strong interest in source code. The gang compromised employee accounts either by social engineering or--mark this--by buying them from Russophone initial access brokers. T-Mobile told KrebsOnSecurity, "Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete."


KrebsOnSecurity reports that Lapsus$ members continuously targeted T-Mobile employees. Access to employee accounts makes "SIM swaps" easy: the attacker reassigns a target's mobile number to a device the attacker controls and thereby receives the target's texts and phone calls. Intercepting those communications matters because password-reset links and the codes used by many sites' multi-factor authentication are frequently delivered by text message or voice call, so control of the number can translate into control of the accounts tied to it.


KrebsOnSecurity also found that whenever the gang was cut off from one employee's credentials, it simply bought another set. Logs from March 19, 2022 show that Lapsus$ had gained access to Atlas, an internal T-Mobile tool for customer account management, and that the gang attempted to access government accounts, but those required further verification. Eventually the leader of Lapsus$ decided to cut the VPN connection completely, but they continued to steal source ..
