Not so long ago, VPNs were considered the state-of-the-art in cybersecurity. Encrypted end to end, they allowed users to securely connect to corporate networks from home or while on the road.
Cybersecurity has come a long way, however, and a recent attack on T-Mobile highlights the danger of relying on VPNs to protect sensitive corporate data.
LAPSUS$ and T-Mobile’s Stolen Credentials
Cybersecurity blog KrebsOnSecurity recently posted that they had obtained private chat messages from cybercrime gang LAPSUS$ showing they had breached T-Mobile in March.
The chats reveal that LAPSUS$ leadership was divided over what to do with their access. Some wanted to use it to gain access to T-Mobile tools that would allow them to do SIM swaps. With a SIM swap, hackers could intercept any of the victim’s phone traffic, including one-time codes for multi-factor authentication (MFA) and password reset authorizations. This would yield tremendous opportunities for fraud, including gaining access to sensitive systems.
Others in the LAPSUS$ leadership wanted to stay away from SIM swaps out of concern that they could draw unwanted attention if they hit a government account. Instead, they wanted to focus on downloading T-Mobile software. And in fact, one attacker managed to download 30,000 source code repositories from T-Mobile.
The chats didn’t reveal why the attackers were so keen to get their hands on the source code. It’s possible that someone had hired them to steal it. They might also have thought that the source code would be useful for finding security weaknesses that could open additional ways to hack T-Mobile or its customers.
The chats also revealed just how easy it was for LAPSUS$ to gain access to T-Mobile’s VPN. They simply purchased initial access from sites such as Russian Market, which sell access to compromised systems.
A Focus on IP
In the space of three months, the UK-based LAPSUS$ gang rose to prominence in the cybercrime world, with high-profile attacks on Electronic Arts, Microsoft, NVIDIA, Samsung, Vodafone, and others. Its 16-year-old (!) ringleader is purported to have amassed $14 million in Bitcoin from hacking.
In their attacks, LAPSUS$ consistently opts to exfiltrate data and destroy parts of their targets’ network environments. As in the T-Mobile scenario, rather than stealing personal information, LAPSUS$ usually focuses on taking the source code and intellectual property of companies they breach.
Time to Retire (or at least secure!) that VPN
The ease with which a group of teenage hackers was able to obtain VPN credentials, steal source code, and access sensitive systems should be a wakeup call to system administrators everywhere.
A VPN with a complex password is no longer enough. Even more robust user authentication, including multi-factor authentication, is insufficient to secure VPNs.
A better path is to move to a comprehensive Zero Trust Network Access (ZTNA) solution, which is generally included in Secure Access Service Edge (SASE) platforms such as ZTEdge. This approach is much more suitable for today’s environment, where workers may be connecting from home, from the office or from any other location, and accessing data that may be on the corporate network or on desktops. A robust SASE solution will provide secure access to cloud-based resources as well, for consistent Zero Trust security, regardless of where the users are working and where the data and apps that they need can be found.
The ease with which LAPSUS$ could swap SIMs also highlights the danger of relying on text message-based multi-factor authentication alone as a security technique. A multi-layered defense with secure identity and access management and passwordless authentication, like the capabilities built into the ZTEdge SASE platform, is an important option for organizations concerned about similar threats targeting corporate networks.