The LAPSUS$ threat actor group changes the way cybersecurity professional views the threat landscape. If you are working in Threat Intel area or tracking threat actor groups, it is quite technical with the construct of new methods to penetrate systems and exploit development. The tactics and techniques used by LAPSUS$ group is fairly straightforward and simple to manipulate human factor of the cybersecurity. This piece is to explore some of the techniques used by threat actor to exploit major IT companies.
LAPSUS$ Profile Summary
LAPSUS$ is first seen in underground at July 2021 and the use of telegram channel to name and shame victims and interaction with 3rd parties. The group targets to various vertical sectors across the globe, range from Microsoft to Electronic Arts Inc. The highlight of LAPSUS$ group is the compromise to Okta Inc. via unauthorized access of Okta employee credential to the company network.
Use of Stolen Credentials for Initial Access
The first victim of LAPSUS$ is Brazilian Ministry of Health and Claro, a Latin American telecommunications company from use of credential purchase from underground market. On Nvidia case, it seems to show the use of compromised accounts on cloud service providers to gain access.
It is fairly straightforward way to achieve it since the hard job is done by the credential seller which stolen from info stealer malware implant or from organization insider threats. Another way of the group access is from compromised credentials of employee personal account and deploy info-stealer to harvest work related credentials.
On March 10, 2022, the threat group announced that they are recruiting insiders working for international telecommunications and software companies, hosting providers and call centers. It gives a hint of past success access comes from insiders selling the legitimate credentials of VPN or other remote desktop accounts to the cyber-criminal for financial gain.
A Cocktail of Old School Social Engineering
Microsoft called LAPSUS$ as ‘DEV-0537’ reported on the group tactics of social engineering and extortion campaign as destructive elements as the following:
DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads….DEV-0537 doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations….Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multi-factor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.
Among these tactics, I was a bit surprised to see SIM-swapping is still a working approach to get 2FA token and SMS messages.
Lesson Learnt for Enterprise Security
Microsoft report contains a great recommendation list to follow for remediation and mitigation. I’d like to highlight some important factors to prevent credential related attacks and social engineering.
- Make sure to have a through detection use cases to detect abuse of credentials and MFA.
- MFA authentication needs to implement properly and monitor for any changes.
- Invest on User behavior analytics (UBA) solution and monitor login attempts from unusual geolocation.
- Separate communication channel or out-of-band channel for incident response.
- Revise password rotation policy and account lockout policy for both privileged and non-privileged accounts.
- Encourage employee to report insider threats and awareness of the issue.
- Security awareness program for employees, especially on password security.
- If there is a capability, implement a program to monitor credential leak on darkweb and social media.