What Does Lapsus$ Mean for Security?

Alex Lisle, CTO | April 26, 2022

A few weeks ago, I was talking to an analyst at a big research and consulting firm. It was a unique interaction because we didn’t seem to understand each other when it came to cybersecurity. We were discussing breaches, something I think most people in the cybersecurity world should have common ground on, but he was struggling to understand what I was talking about whenever I mentioned the term. Finally, I asked him to define what he thought a security breach entailed, and the answer was illuminating. His definition was about a hacker bypassing the firewall, doing some type of east-to-west (lateral) movement and downloading the ‘crown jewels’. In other words, he believed a breach is leaking millions of usernames and passwords or thousands of credit card details. That is a common misconception: security breaches get defined as a direct means of monetary gain in some way.

This type of breach is valid; it absolutely happens and is devastating to both the company and the users whose data or financial accounts have been compromised. But when I talk about security breaches in our mobile day and age, it goes beyond the firewall: I mean identity and data outright, not only money. Knowledge is power, and whoever holds all that data and knowledge is king.

The cybergang Lapsus$ wanted user identity and data when they hacked T-Mobile. The young hackers from Lapsus$ compromised T-Mobile employee accounts and stole credentials, which they leveraged to grab source code and access internal tools. With this access they were able to reassign phone numbers and intercept texts and calls, and they attempted to access accounts belonging to the FBI and Department of Defense. Essentially, the 16- and 17-year-olds of Lapsus$ had the power to reassign my number to themselves and access all of my personal accounts, texts, emails, even health data, which makes the breach more real and personal.

During our complicated discussion, the research and consulting analyst assured me that with VDI and various other tools, this type of breach doesn’t and can’t happen. I can’t help but wonder how he feels about that statement now.

How we work has changed drastically, and not just because of COVID. From SaaS, mobile, PaaS, AWS, Azure and beyond, how we consume company resources and where data is stored has fundamentally changed. We no longer sit at a desktop on a local network using internal tools through a Citrix client, accessing SharePoint servers, and deploying software to servers in the basement.

Your internal tools are most likely web apps, which are much easier and more intuitive to use. For example: you’re deploying code into AWS / Azure / ‘Name Cloud Provider Here’. Company sales are in Salesforce, customer support is in Zendesk, HR is in Paylocity and the company’s source code is in GitHub / GitLab / BitBucket. In the end, you are probably desperately trying to tie all this together with Okta or Azure Active Directory. Truthfully, you have no real idea how many SaaS services you’re relying on.

Today, most employees access everything from a laptop, iPad, Chromebook and/or mobile device. With the variety of ways to reach work information, there’s a good chance employees aren’t using a VPN while accessing company data, and most likely aren’t looking to log into a VDI either. A large reason for not using these kinds of security tools is that they are known to make everything feel slow, clunky and overall unpleasant. If you’ve ever had to interact with such systems, you know exactly what I mean. I’ve noticed that a favorite pastime for employees is to find and share various hacks for bypassing the VPN or VDI login.

The way we consume and deploy resources has fundamentally changed the threat model. A stolen credential to an identity provider (IdP) gives the hacker a directory of internal services they can access and log into. It’s not difficult to guess the vanity URL of your Okta / IdP tenant from the email address of the stolen credential. Once they have that, they’re really off to the races: the hacker doesn’t need to hunt for a SQL injection to dump your database; essentially you’ve built a bunch of great, easy-to-use web apps that help the hacker navigate to the data they want and make changes.
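An added example, not from the original post: one way a defender can watch for the pattern described above, a single credential being walked across the IdP’s app directory from an address the account has never used before. The sign-in events, app names and log shape are constructed assumptions, not a real Okta or Azure AD export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP sign-in events: (timestamp, user, source IP, app).
# Illustrative shape only, not a real Okta or Azure AD log export.
EVENTS = [
    ("2022-04-19T09:00:00", "alice@example.com", "203.0.113.10", "GitHub"),
    ("2022-04-19T11:30:00", "alice@example.com", "203.0.113.10", "Zendesk"),
    ("2022-04-19T14:00:00", "bob@example.com", "198.51.100.7", "Salesforce"),
    ("2022-04-20T09:00:00", "alice@example.com", "203.0.113.10", "GitHub"),
    # alice's credential used from an IP she has never used, sweeping many apps.
    ("2022-04-20T22:01:00", "alice@example.com", "192.0.2.55", "Okta Admin"),
    ("2022-04-20T22:02:00", "alice@example.com", "192.0.2.55", "GitHub"),
    ("2022-04-20T22:03:00", "alice@example.com", "192.0.2.55", "Salesforce"),
    ("2022-04-20T22:04:00", "alice@example.com", "192.0.2.55", "Paylocity"),
    ("2022-04-20T22:06:00", "alice@example.com", "192.0.2.55", "Zendesk"),
    # bob from a new IP but only two apps: looks like travel, stays below threshold.
    ("2022-04-20T23:00:00", "bob@example.com", "192.0.2.99", "Salesforce"),
    ("2022-04-20T23:05:00", "bob@example.com", "192.0.2.99", "Zendesk"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def known_ips(events, before):
    """Baseline: per-user set of source IPs seen before the cutoff."""
    seen = defaultdict(set)
    for ts, user, ip, _app in events:
        if _ts(ts) < before:
            seen[user].add(ip)
    return seen

def find_directory_sweeps(events, baseline, window=timedelta(minutes=10), min_apps=4):
    """Return (user, ip, apps) where an IP absent from the user's baseline reaches
    at least min_apps distinct apps within `window`: one stolen credential being
    walked across the IdP's app directory."""
    by_user_ip = defaultdict(list)
    for ts, user, ip, app in events:
        if ip not in baseline.get(user, set()):
            by_user_ip[(user, ip)].append((_ts(ts), app))
    alerts = []
    for (user, ip), items in by_user_ip.items():
        items.sort()
        for i, (start, _app) in enumerate(items):
            apps = {a for t, a in items[i:] if t - start <= window}
            if len(apps) >= min_apps:
                alerts.append((user, ip, sorted(apps)))
                break
    return alerts
```

Running `find_directory_sweeps(EVENTS, known_ips(EVENTS, _ts("2022-04-20T12:00:00")))` flags only alice’s five-app sweep from 192.0.2.55; bob’s two logins from a new address stay under the threshold.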

How easy is this type of hack? Well, a bunch of teenagers just got caught by authorities because they executed a very similar hack against some of the biggest companies in the world, companies that supposedly take security very seriously. So seriously that one of them acted as a gatekeeper for credentials. Let me say it one more time to make sure it sinks in: they were not hacked by a set of seasoned cyber criminals from some nation state, but by a group of teenagers.

How we consume and deploy services has changed, and the way we think about security needs to keep pace. Companies and governments should embrace open, responsible disclosure of breaches, and customers should demand it. The series of Lapsus$ attacks shows that we have a long way to go in prioritizing security.

I think it’s time to give that analyst a ring and restart the conversation with security being top of mind.
