Lapsus$ Breached T-Mobile Network
T-Mobile has confirmed that the Lapsus$ extortion group accessed its systems “several weeks ago.” The company says that it has taken steps to block the attackers’ access to the T-Mobile network and has disabled the credentials that were used in the attack.
A key challenge for the Lapsus$ gang was getting devices enrolled or otherwise under their control so they could get SMS or other OTP messages to allow authentication for their targeted services. Lapsus$'s success hinges on buying or socially engineering credentials for services they need. They were leveraging the T-Mobile credentials to complete hassle-free SIM swaps which transferred the device's phone number to a hacker-controlled device. While leveraging the credentials of your cellular provider bypasses some controls designed to prevent swapping, it's still important to log in to your account and make sure that you've enabled the controls at your disposal to raise the bar as much as possible.
Rumors about this breach had been circulating for weeks, so it is refreshing to see T-Mobile confirming it. Like with the NVIDIA breach, Lapsus$ relied on purchasing credentials and generating MFA requests to the user (a new MITRE ATT&CK technique, T1621, published yesterday with version 11: https://attack.mitre.org/techniques/T1621/).
The attacks targeted T-Mobile employees with provisioning privileges. This gave them the capability to "SIM swap" to change the destination phone for a cell phone number, a number perhaps used for strong authentication. To resist such attacks T-Mobile should ensure that all such privileged employees use token-based (not SMS based) strong authentication. It should also confirm all number change orders both in and out of band and delay implementation of such orders. Other employers should consider token-based authentication for employees in sensitive positions. End users and consumers, especially those using their phones for strong authentication, should contact their carriers immediately if they do not receive messages or calls that they expect or cannot make outgoing calls.
William Hugh Murray
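The editor comment above recommends confirming number change orders both in and out of band and delaying their execution. The following added example (not T-Mobile's process or code) sketches what such a control looks like for a provisioning system: a one-time code is sent to the SIM that is about to lose the number, a second code goes over an independent channel, the order is only "confirmed" once both have been entered, a hold period then runs before the swap executes, the customer can cancel from either channel at any time, and the agent who opened the order cannot be the one who executes it. The 24-hour hold, the 10-minute code lifetime, the two-person rule, the `Outbox` stand-in for the SMS/email gateways and all sample values are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac
import secrets

HOLD_PERIOD = timedelta(hours=24)   # assumed delay between final confirmation and execution
CODE_TTL = timedelta(minutes=10)    # assumed lifetime of the one-time confirmation codes


def _digest(code: str) -> str:
    # Only hashes of the one-time codes are stored with the order record.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class ChangeOrder:
    msisdn: str
    old_sim: str
    new_sim: str
    agent_id: str                      # provisioning employee who opened the order
    created: datetime
    in_band_hash: str                  # hash of the code sent by SMS to the OLD SIM
    out_of_band_hash: str              # hash of the code sent on a second channel (email on file)
    in_band_ok: bool = False
    out_of_band_ok: bool = False
    confirmed_at: Optional[datetime] = None
    cancelled: bool = False
    executed: bool = False


@dataclass
class Outbox:
    """Constructed stand-in for the SMS and email gateways; records what would be sent."""
    sms: list = field(default_factory=list)     # (sim, message)
    email: list = field(default_factory=list)   # (address, message)


def open_order(msisdn, old_sim, new_sim, agent_id, contact_email, now, outbox):
    """Open an order and send independent one-time codes on both channels."""
    in_code = f"{secrets.randbelow(10**6):06d}"
    oob_code = secrets.token_urlsafe(16)
    order = ChangeOrder(msisdn, old_sim, new_sim, agent_id, now, _digest(in_code), _digest(oob_code))
    # The in-band code goes to the SIM that is about to lose the number, so the
    # legitimate holder sees the request, and can cancel it, before anything moves.
    outbox.sms.append((old_sim, f"Number change requested for {msisdn}. Code {in_code}. "
                                f"Reply CANCEL if this was not you."))
    outbox.email.append((contact_email, f"Confirm number change for {msisdn}: {oob_code}"))
    return order


def _confirm(order, code, stored_hash, now):
    if order.cancelled or now - order.created > CODE_TTL:
        return False
    return hmac.compare_digest(_digest(code), stored_hash)


def _update(order, now):
    if order.in_band_ok and order.out_of_band_ok and order.confirmed_at is None:
        order.confirmed_at = now   # the hold period starts only after BOTH confirmations


def confirm_in_band(order, code, now):
    ok = _confirm(order, code, order.in_band_hash, now)
    order.in_band_ok = order.in_band_ok or ok
    _update(order, now)
    return ok


def confirm_out_of_band(order, code, now):
    ok = _confirm(order, code, order.out_of_band_hash, now)
    order.out_of_band_ok = order.out_of_band_ok or ok
    _update(order, now)
    return ok


def cancel(order):
    """Either channel may cancel until execution; cancellation is final."""
    if not order.executed:
        order.cancelled = True
    return order.cancelled


def try_execute(order, now, executor_id):
    """Return the order state; the swap happens only when every control is satisfied."""
    if order.executed:
        return "executed"
    if order.cancelled:
        return "cancelled"
    if executor_id == order.agent_id:
        return "needs_second_agent"     # opener cannot also execute (assumed two-person rule)
    if order.confirmed_at is None:
        return "awaiting_confirmation"
    if now - order.confirmed_at < HOLD_PERIOD:
        return "in_hold_period"
    order.executed = True
    return "executed"


def walkthrough():
    """Happy path on constructed data; returns the states observed at each step."""
    t0 = datetime(2022, 4, 22, 9, 0, tzinfo=timezone.utc)
    outbox = Outbox()
    order = open_order("+15555550100", "SIM-OLD-001", "SIM-NEW-002", "agent-17",
                       "customer@example.com", t0, outbox)
    states = [try_execute(order, t0, "agent-42")]
    in_code = outbox.sms[-1][1].split("Code ")[1].split(".")[0]
    oob_code = outbox.email[-1][1].split(": ")[1]
    confirm_in_band(order, in_code, t0 + timedelta(minutes=2))
    states.append(try_execute(order, t0 + timedelta(minutes=3), "agent-42"))
    confirm_out_of_band(order, oob_code, t0 + timedelta(minutes=5))
    states.append(try_execute(order, t0 + timedelta(hours=1), "agent-42"))
    states.append(try_execute(order, t0 + timedelta(hours=25), "agent-17"))
    states.append(try_execute(order, t0 + timedelta(hours=25), "agent-42"))
    return states


def cancellation_scenario():
    """The holder of the old SIM cancels; a later out-of-band confirmation is refused."""
    t0 = datetime(2022, 4, 22, 9, 0, tzinfo=timezone.utc)
    outbox = Outbox()
    order = open_order("+15555550100", "SIM-OLD-001", "SIM-NEW-002", "agent-17",
                       "customer@example.com", t0, outbox)
    cancel(order)
    oob_code = outbox.email[-1][1].split(": ")[1]
    accepted = confirm_out_of_band(order, oob_code, t0 + timedelta(minutes=1))
    return accepted, try_execute(order, t0 + timedelta(days=2), "agent-42")
```

The point of the hold period is that a stolen provisioning credential alone is no longer sufficient: the attacker also needs the customer's existing handset and second contact channel, and the customer gets a window in which the alert described in the comment above ("contact your carrier if you stop receiving expected messages") can still prevent the swap.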
Read more in
KrebsOnSecurity: Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code
Threatpost: Lapsus$ Hackers Target T-Mobile
Bleeping Computer: T-Mobile confirms Lapsus$ hackers breached internal systems