Tenable security researcher Claire Tills released a report diving into LAPSUS$, the threat group that came into the limelight after notoriously breaching well-known organizations such as Microsoft, Samsung, T-Mobile, and NVIDIA.
We spoke with Claire about the report's findings, what makes LAPSUS$ a viable threat to organizations, and how to defend against potential attacks.
What makes LAPSUS$ different from the other groups? What are their affiliations?
The LAPSUS$ group is fairly unique in the ransomware ecosystem in a couple of ways. Most notably, it doesn’t actually trigger the requisite encryption malware, making it a pure extortion enterprise. It also has no known affiliations, unlike the more professional ransomware groups that often rebrand and rebuild into one another — the DarkSide, REvil, and Black Matter groups are great examples of this. While LAPSUS$ does not have any known ties to other threat groups, it still sought to recruit insiders at target organizations to provide access for a cut of the extortion payment.
Who are they targeting?
Throughout the group’s tenure, LAPSUS$ has targeted organizations in South America (particularly Brazil) and Portugal. However, the group eventually graduated to targeting major multinational technology companies. The primary takeaway from the group’s tactics is that any organization could be a potential target.
What are some of their most used techniques?
LAPSUS$, and other similar extortion groups, rely on social engineering for initial access, using phishing or help desk manipulation. Once the threat actors have gained access, they will seek to move laterally and elevate privileges by exploiting legacy vulnerabilities or misconfigurations in Active Directory and cloud environments. LAPSUS$ often sought out administrator control in cloud environments to establish attack infrastructure, exfiltrate sensitive data and destroy cloud resources.
How can orgs defend themselves against threats like LAPSUS$?
As with many threat actors, social engineering remains a reliable tactic for extortion groups. The first step many organizations will need to take is assuming they could be a target. After that, robust practices like multifactor and passwordless authentication are critical. Organizations must also continuously assess for and remediate known-exploited vulnerabilities, particularly on virtual private network products, remote desktop protocol and Active Directory.