Information in this blog was provided by Trustwave SpiderLabs.
While Lapsus$ is reportedly loosely formed, the gang was able to effectively attack additional South American organizations before graduating to hacking telecom giant Vodafone, video game developer Ubisoft, tech icon Samsung, and chipmaker NVIDIA.
Lapsus$ most recently made headlines for allegedly exfiltrating source code data from LG Electronics and Microsoft – while most notably claiming to have had access to a ‘super user’ account of identity access management provider Okta.
Recent Breached Vendor Response
Arguably the Microsoft and Okta breaches have the most downstream impact on enterprise customers and end-users. Microsoft confirmed no customer code or data was involved in the observed activities of Lapsus$. Their investigation found a single account had been compromised, granting limited access.
Okta has stated the access Lapsus$ claimed was part of a January 2022 security incident that has since been resolved. The hacker group has responded – sharing how it believed the attack was a success and alleging Okta has downplayed the effectiveness of the breach.
How is Lapsus$ so Successful?
Per Microsoft, the threat actors gain initial access using the following methods:
Deploying the malicious Redline password stealer to obtain passwords and session tokens.
Purchasing credentials and session tokens on underground criminal forums.
Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval.
Searching public code repositories for exposed credentials.
From that foothold, the group expands its access via virtual private network (VPN), remote desktop protocol (RDP), Virtual Desktop Infrastructure (VDI) including Citrix, or identity providers (including Azure Active Directory and Okta), and collects high-value data to use for extortion.
Microsoft has observed instances where the group successfully gained access to organizations through recruited employees.
According to Microsoft, once Lapsus$ obtained access to the target network using the compromised account, it used multiple tactics to discover additional credentials or intrusion points to extend its access, including:
Exploiting unpatched vulnerabilities on internally accessible servers including Jira, GitLab, and Confluence.
Searching code repositories and collaboration platforms for exposed credentials and secrets.
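Both of the credential-hunting steps above (searching public repositories for exposed credentials, and searching internal code repositories and collaboration platforms for secrets) have a direct defensive counterpart: scan your own repositories before an attacker does. The following is an added example, not code from the original article or from Trustwave, Microsoft, or any scanning product. It walks a mapping of file paths to contents (as you would get from a checkout or a pre-commit hook), applies a small constructed rule set for common credential formats, and reports matches with the secret redacted so the report itself does not leak. The rule set and the sample repository are constructed for illustration; the AWS key and password in the sample are fake.

```python
import re
from typing import Dict, List

# Illustrative patterns for credential material that commonly leaks into
# repositories. A constructed rule set for this example, not a full scanner.
SECRET_PATTERNS = {
    # AWS access key IDs start with AKIA (long-term) or ASIA (temporary)
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # GitHub personal / OAuth / server tokens use a gh?_ prefix
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # PEM-encoded private keys
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # password-style assignments with a quoted literal value
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"
    ),
}


def redact(value: str) -> str:
    """Keep only the first and last four characters so that the findings
    report does not itself become a copy of the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_secrets(path: str, text: str) -> List[dict]:
    """Return one finding per (line, rule) match in a single file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "file": path,
                    "line": lineno,
                    "rule": rule,
                    "evidence": redact(match.group(0)),
                })
    return findings


def scan_repo(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of path -> file contents, e.g. read from a checkout."""
    findings = []
    for path in sorted(files):
        findings.extend(find_secrets(path, files[path]))
    return findings


# Constructed sample repository contents; the key and password are fake.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'hunter2-prod'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE012345678'\n"
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n",
    "README.md": "Set DB_PASSWORD in the environment, never in the repo.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['evidence']}")
```

Run as a script it prints three findings for the sample repository (the hardcoded password, the AWS key ID, and the private key file) and nothing for the README, which only mentions the variable name. In practice the same function can be wired into a pre-commit hook or a CI job; the important property is that a hit blocks the commit rather than merely logging it.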
Lapsus$ has also been reported to use social engineering techniques via phone – reaching out to support centers at organizations in an attempt to reset a privileged account’s login credentials. They’ve reportedly answered common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince helpdesk personnel of authenticity.
Because helpdesks are frequently outsourced, this can be a weak point in supply chain security.
Overall, Lapsus$ appears to be following a path that differs from conventional cyber gangs – opting for exfiltration, destruction and extortion techniques over ransomware.
Big Arrests in Record Time – But Too Soon to Call It A Win?
On March 24, the BBC reported that City of London Police arrested seven people between the ages of 16 and 21 in connection with an investigation into a hacking group. According to the BBC, the police did not name the group, but the news agency cited cybersecurity researchers and fellow hackers who say at least one of those arrested is associated with Lapsus$.
The latest news as of March 25 is that those arrested have been released.
Oh, and the BBC received a prank call over its breaking-news article on the recent arrests.
The question becomes – is the loosely affiliated architecture of Lapsus$ more difficult than law enforcement anticipated to pin down? Time will tell.
The Threat of Lapsus$ Still Remains
Karl Sigler, Senior Security Research Manager, Trustwave SpiderLabs, told us that – arrests or releases – this isn’t over yet.
“Threats like Lapsus$ won’t go away. There is a lot of money to be made and ‘hacker clout’ to be gained.
Organizations should not dismiss the threat of loosely affiliated hacking groups like Lapsus$. The unorthodox techniques Lapsus$ used to breach major organizations could be emulated by other threat actors. All cybercriminal groups have one thing in common – they are looking for vulnerable organizations and the path of least resistance to exploit. Ensuring your organization is practicing the cyber fundamentals should be a priority.
If anything, Lapsus$ brought insider threats back into the spotlight. Insider threats pose a real challenge to large organizations – especially as political tensions rise and nation-state threat actors look for more ways to conduct espionage, gain footholds for future attacks, and steal valuable IP in an effort to displace targeted countries.”
How Organizations Can Defend Against Threats Like Lapsus$
If your organization provides software that is used at scale by numerous other organizations, you are part of the digital supply chain, and you need to remain extra vigilant. The cyber fundamentals are especially critical now, given Lapsus$ and the threat of nation-state hackers.
Remember, threat actors – whether a hacker group or a nation-state affiliate – are always looking for the path of least resistance: companies that are susceptible to breach because they are not executing the cyber basics.
Ensure your organization is executing these cyber fundamentals:
Operate under an assume-breach mindset.
Ensure that cybersecurity/IT personnel focus on identifying, detecting, assessing and responding to any unexpected or unusual network behavior.
Conduct proactive threat hunting to ensure unknown threats are not lurking within your environment.
Conduct an asset audit focusing on assets that have external access; eliminate stale accounts and check privileged access.
Conduct a third-party vendor / supply chain assessment. Focus on those places where third parties have access to your environment. Ensure no old entry points are left open.
Institute multi-factor authentication (MFA) for internal and external users. Check that passwords are strong.
Bring your workers to a higher state of alert; tell them to triple-check links and attachments in emails before clicking to guard against phishing attacks.
Deploy an effective endpoint detection and response (EDR) solution.
Conduct crisis simulations to ensure all parts of your organization are prepared to respond to a major cyber event, not just IT staff.
Reward employees for reporting when a suspicious contact reaches out asking for access.
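Two of the fundamentals above, the asset audit that eliminates stale accounts and checks privileged access, and MFA for internal and external users, can be checked mechanically against an export from your directory or identity provider. The following is an added example, not code from the original article or from any vendor: given a list of accounts with their role, MFA enrollment, external reachability and last login, it reports stale accounts, stale accounts that still hold elevated rights, accounts without MFA, and the highest-risk combination of external access without MFA. The account fields, the 90-day staleness window and the sample export are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    privileged: bool            # admin / elevated role in the directory
    mfa_enrolled: bool
    external_access: bool       # reachable via VPN, VDI or SSO from outside
    last_login: Optional[date]  # None means the account has never logged in


def audit_accounts(accounts: List[Account], today: date,
                   stale_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [issues]} for every account that needs attention.

    Issues raised:
      stale_account     no successful login within stale_days (or ever)
      stale_privileged  a stale account that still holds elevated rights
      mfa_missing       no MFA factor enrolled
      external_no_mfa   externally reachable account without MFA
    """
    cutoff = today - timedelta(days=stale_days)
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        stale = acct.last_login is None or acct.last_login < cutoff
        if stale:
            issues.append("stale_account")
            if acct.privileged:
                issues.append("stale_privileged")
        if not acct.mfa_enrolled:
            issues.append("mfa_missing")
            if acct.external_access:
                issues.append("external_no_mfa")
        if issues:
            report[acct.username] = sorted(issues)
    return report


# Constructed sample export of a directory / identity provider.
TODAY = date(2022, 3, 28)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, True, TODAY - timedelta(days=3)),
    Account("bob", False, False, True, TODAY - timedelta(days=10)),
    Account("svc-backup", True, False, False, None),
    Account("contractor-eve", False, True, True, TODAY - timedelta(days=200)),
    Account("carol", False, False, False, TODAY - timedelta(days=5)),
]

if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {', '.join(issues)}")
```

On the sample data the never-used privileged service account and the contractor who has not logged in for 200 days are the ones an attacker who buys or phishes a credential would find most useful, because nobody is watching them; those are the accounts to disable first. Re-running this on every export turns the one-off audit the list calls for into a routine check.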
Tips to harden your defenses against potential insider threats:
Institute strong authentication and password measures; practice least-privileged access.
Implement specific insider threat solutions: data loss prevention (DLP), user and entity behavior analysis (UEBA).
Limit employee access to the minimum necessary and routinely review this access and make updates as roles change or people leave the company.
Practice good encryption hygiene.
Don’t forget about physical security at the office (key cards, ID badges, unattended equipment, etc.).
Ensure you have strong data access, use, and exfiltration policies in place.
Routinely review software that is installed on employees' computers and look for unauthorized installations of software such as AnyDesk.
Utilize an IDS or IPS (intrusion detection system or intrusion prevention system) with anomaly detection features to detect whether an employee is connecting remotely (or behaving oddly).
Utilize database protection and monitoring tools to detect anomalies and flag suspicious activities or requests that violate policies.
Work closely with your HR department to ensure culture policies are in place so that employee satisfaction doesn’t deteriorate.
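The anomaly-detection point in the list above (detecting an employee connecting remotely or behaving oddly) is easier to reason about with a concrete baseline. The following is an added example, not code from the original article or from any IDS product: it learns, from a window of successful VPN logins, which source countries and hours of day each user normally connects from, then flags later logins from a country never seen for that user, at an hour far from their usual ones, or from a user with no history at all. The log format, the two-hour tolerance and the log lines are constructed for this example; real concentrators log differently, so the regular expression is the part you would adapt.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed log format for a VPN concentrator; real products differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src_ip=(?P<ip>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>\w+)$"
)
HOUR_TOLERANCE = 2  # hours either side of a user's usual login hours count as normal


def parse(lines: List[str]) -> List[dict]:
    """Turn raw log lines into event dicts; lines that do not parse are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per user: the countries and hours of day seen in the learning window."""
    baseline: Dict[str, dict] = defaultdict(lambda: {"geos": set(), "hours": set()})
    for ev in events:
        if ev["result"] != "success":
            continue  # failed attempts must not teach the baseline
        baseline[ev["user"]]["geos"].add(ev["geo"])
        baseline[ev["user"]]["hours"].add(ev["time"].hour)
    return dict(baseline)


def hour_distance(a: int, b: int) -> int:
    """Distance between two hours of day on the 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def flag_anomalies(baseline: Dict[str, dict], events: List[dict]) -> List[dict]:
    """Return an alert per event that deviates from the user's baseline."""
    alerts = []
    for ev in events:
        reasons = []
        profile = baseline.get(ev["user"])
        if profile is None:
            reasons.append("no_baseline")
        else:
            if ev["geo"] not in profile["geos"]:
                reasons.append("new_country")
            hour = ev["time"].hour
            if all(hour_distance(hour, h) > HOUR_TOLERANCE for h in profile["hours"]):
                reasons.append("off_hours")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "reasons": reasons})
    return alerts


# Constructed learning-window log lines (RFC 5737 documentation addresses).
BASELINE_LOG = [
    "2022-03-21T09:05:00Z vpn user=alice src_ip=203.0.113.10 geo=US result=success",
    "2022-03-22T09:40:00Z vpn user=alice src_ip=203.0.113.10 geo=US result=success",
    "2022-03-23T10:02:00Z vpn user=alice src_ip=203.0.113.11 geo=US result=success",
    "2022-03-21T08:15:00Z vpn user=bob src_ip=198.51.100.7 geo=DE result=success",
    "2022-03-22T08:30:00Z vpn user=bob src_ip=198.51.100.7 geo=DE result=success",
]
# Constructed lines from the window being examined.
NEW_LOG = [
    "2022-03-28T09:12:00Z vpn user=alice src_ip=203.0.113.10 geo=US result=success",
    "2022-03-28T03:41:00Z vpn user=alice src_ip=192.0.2.55 geo=BR result=success",
    "2022-03-28T08:20:00Z vpn user=bob src_ip=198.51.100.7 geo=DE result=success",
    "2022-03-29T02:05:00Z vpn user=bob src_ip=198.51.100.7 geo=DE result=success",
    "2022-03-29T11:00:00Z vpn user=mallory src_ip=192.0.2.9 geo=US result=success",
]

if __name__ == "__main__":
    for alert in flag_anomalies(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG)):
        print(f"{alert['ts']} {alert['user']}: {', '.join(alert['reasons'])}")
```

The sample produces three alerts: alice's 03:41 login from a new country, bob's 02:05 login outside his usual hours, and a login by a user with no history. A session token bought or stolen in the way the article describes tends to be replayed from a different place and time than the real employee would use, which is exactly what the country and hour checks catch; the value of the check is that it is per user, so one person's normal does not mask another's anomaly.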