Who is Lapsus$?
After claiming responsibility for high-profile attacks on major corporations like Microsoft, Okta, Samsung, Ubisoft, and NVIDIA at the beginning of 2022, the LAPSUS$ group made a significant splash on the cyber threat landscape.
From 2022 onwards, Lapsus$ has become notorious for its breaches, hitting a series of companies in the telecom and technology sectors in a relentless run of attacks. The group shows little interest in double-extortion tactics, i.e., encrypting data for ransom while also exfiltrating it and publishing it on a Tor leak site. Instead, Lapsus$ extorts victims directly with the exfiltrated sensitive data, using Telegram as its platform.
Lapsus$ states that its goals are entirely financial and has given no indication of political backing or an agenda. The goal of this blog is to share information on Lapsus$ and its breaches, and to provide direction and guidance on how organizations can recognize and potentially mitigate these threats before they are targeted.
What are TTPs?
Before we get into Lapsus$’s TTPs, it is important to understand what TTPs are. Tactics, Techniques, and Procedures (TTPs) are the framework IT and military professionals use to describe the behavior of a threat actor (hacker).
Unlike other ransomware groups that use malicious payloads to mass-encrypt and exfiltrate data, Lapsus$ relies on simple but highly effective social-engineering approaches to enter environments and steal sensitive data. Lapsus$ typically recruited insiders (employees and contractors) to install AnyDesk or other remote management tools, hand over credentials and MFA codes, or otherwise provide access to the company network. Microsoft has acknowledged that this approach worked for the group, stating that it “discovered instances where the group successfully got access to target firms through recruited personnel.”
To reiterate, Lapsus$ uses a variety of methods, typically focused on compromising user identities, to gain initial access to an organization, including:
- Deploying the malicious Redline password stealer to obtain passwords and session tokens
- Purchasing credentials and session tokens from criminal underground forums
- Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
- Searching public code repositories for exposed credentials
- Regularly perform threat hunting around remote access tools and logs to discover anomalies and attempted, or successful, unauthorized access.
- Review cloud environments such as AWS, Azure, and M365 for anomalous activity and resource creation and/or deletion.
- Specifically, for risk mitigation due to Lapsus$ activity around Okta, GRIT recommends the following:
  - Rotate Okta privileged passwords.
  - Rotate SP keys (app connections have keys on both sides).
  - Review Okta logs for suspicious or unauthorized activity related to elevated-privilege accounts.
  - Review log settings for Okta activity and ensure that sufficient logging durations are enabled and that logs are stored in a log aggregation tool, if possible.
  - Perform a comprehensive threat discovery including all SaaS applications connected to Okta, focusing specifically on anomalous logins and behaviors.
- Review multi-factor authentication (MFA) implementations for organizations and ensure that critical remote access and systems with sensitive data are protected.
- Ensure adequate coverage by security tools including EDR, network monitoring, and cloud-focused toolsets.
- Implement an incident response plan and regularly practice executing the plan via tabletop exercises.
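As an added illustration of the Okta log review recommended above (example code written for this post, not GRIT's or Okta's own tooling), the script below scans Okta System Log events for the two signals that matter most in an identity-focused intrusion: successful changes that weaken identity controls (privilege grants, MFA resets, API token creation) and privileged accounts signing in from networks where admin activity is not expected. The event type names and field layout are assumed from Okta's public System Log schema, and the sample events are constructed.

```python
import json

# Okta System Log eventTypes worth alerting on during a Lapsus$-style identity
# compromise. Names are taken from Okta's published event catalogue (assumption).
HIGH_RISK_EVENTS = {
    "user.account.privilege.grant": "admin privilege granted",
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "system.api_token.create": "API token created",
}

def review_okta_events(events, admin_accounts, trusted_ips):
    """Return (label, actor, source_ip, targets) findings for privileged-account abuse.

    events: list of dicts shaped like Okta System Log entries
    admin_accounts: logins that hold elevated privileges in the org
    trusted_ips: source IPs where admin activity is expected (VPN egress, office)
    """
    findings = []
    for e in events:
        actor = e["actor"]["alternateId"]
        ip = e["client"]["ipAddress"]
        etype = e["eventType"]
        success = e["outcome"]["result"] == "SUCCESS"
        targets = ", ".join(t.get("alternateId", "") for t in e.get("target", []))
        # Rule 1: a completed change that weakens identity controls.
        if etype in HIGH_RISK_EVENTS and success:
            findings.append((HIGH_RISK_EVENTS[etype], actor, ip, targets))
        # Rule 2: a privileged account signing in from an unexpected network.
        if etype == "user.session.start" and success \
                and actor in admin_accounts and ip not in trusted_ips:
            findings.append(("admin sign-in from untrusted IP", actor, ip, targets))
    return findings

# Constructed sample log in JSON Lines form; not real customer data.
SAMPLE_LOG = """\
{"eventType":"user.session.start","actor":{"alternateId":"alice.admin@example.com"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"SUCCESS"},"target":[]}
{"eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"SUCCESS"},"target":[]}
{"eventType":"user.account.privilege.grant","actor":{"alternateId":"alice.admin@example.com"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"SUCCESS"},"target":[{"alternateId":"bob@example.com"}]}
{"eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"alice.admin@example.com"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"SUCCESS"},"target":[{"alternateId":"carol@example.com"}]}
{"eventType":"user.session.start","actor":{"alternateId":"alice.admin@example.com"},"client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"FAILURE"},"target":[]}
"""

def findings_from_sample():
    events = [json.loads(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return review_okta_events(events, {"alice.admin@example.com"}, {"198.51.100.7"})

if __name__ == "__main__":
    for f in findings_from_sample():
        print(f)
```

In practice the event list would come from the Okta System Log API or from the aggregation tool the logs are forwarded to, and the trusted IP set from the organization's VPN and office egress ranges.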
How to protect?
- Raise awareness of social-engineering attacks among IT help desk and other staff.
- To avoid data theft, allow access to resources only from trusted, compliant, and healthy devices.
- Find and fix known vulnerabilities that attackers could use to move laterally between systems, gain administrative access, and exfiltrate sensitive data.
- Strengthen the MFA implementation. Microsoft advises against using SMS messages as an MFA factor, since they are weak and can be SIM-swapped; it also advises against MFA methods that rely on a “secondary email,” simple push alerts, or simple voice approvals.
- Avoid weak MFA factors such as text messages (susceptible to SIM swapping), simple voice approvals, simple push (use number matching instead), or secondary email addresses.
- Avoid location-based exclusions. MFA exclusions allow an actor holding only one factor for a set of identities to bypass the MFA requirement if they can fully compromise a single identity.
- Do not allow credential or MFA factor sharing between users.