This report is the first in a series of blogs that will delve into the research the SpiderLabs Threat Intelligence team conducts daily on the major threat actor groups currently operating globally. The information gathered feeds a data repository that helps SpiderLabs identify possible intrusions as it conducts threat hunts, vulnerability scans, and other security assessments.
Lapsus$ has been very quiet for the last two years, and it is widely believed to have disbanded, with its members either starting over, moving on to other threat groups, or in prison. Because adversaries tend to be repetitive and reuse tactics, techniques and procedures (TTPs) that have previously worked, it is helpful to look back on how Lapsus$ operated when it was fully active.
Lapsus$ was a loosely organized international hacking group whose members appeared to be located in the United Kingdom and Brazil. Lapsus$ was primarily financially motivated, which led it to target large enterprises, stealing their data to sell or to extort money from its victims. Its list of targets included Microsoft, NVIDIA, Samsung, Vodafone, Okta, Ubisoft, and T-Mobile.
Microsoft tracked the group as DEV-0537 and later as Strawberry Tempest. It primarily targeted organizations in Latin America, Europe, and North America.
Despite being mainly financially driven, Lapsus$ sometimes showed an ideological bent when choosing a target, most notably the Brazilian Ministry of Health; the group had previously expressed anger at that agency's COVID-19 policies.
Lapsus$ generally operated on its own, but it had several known associated groups:
The first known victim of the Lapsus$ group was the Brazilian Ministry of Health, which was attacked in December 2021. The attack took down multiple systems and forced the Brazilian government to adjust its health requirements for travelers. The group posted a message on the ministry's website stating that it had stolen internal data and telling the ministry to contact them to have the data returned.
A few days later, the message was removed. Aside from the health ministry, the group also attacked Brazil's postal service and Localiza Rent a Car. In October 2022, Brazilian authorities arrested a person accused of being a member of Lapsus$.
At the start of 2022, Lapsus$ pivoted to high-profile companies, starting with Okta. Rather than attacking Okta directly, the group first went after Sitel, a third-party contractor that provided customer-support services to Okta. By compromising a Sitel support engineer's laptop, the group obtained access that Okta later said could have affected up to 366 of its customers. The compromise began on January 16; the group evaded detection and created a malicious email transport rule to forward all mail within Sitel's environment to accounts it controlled.
In February 2022, the group breached NVIDIA and stole 250GB of data, including information on recent GPUs. The group threatened to leak the data unless the company removed the cryptocurrency-mining hash-rate limiter from its recent graphics cards.
In March 2022, Lapsus$ began targeting source code, taking Samsung Galaxy device source code and Microsoft's Bing and Cortana code. The group claimed to have taken 200GB of data from Samsung; Samsung reported that the breach included no personal information of customers or employees. Lapsus$ claimed to have stolen 37GB of data from Microsoft after compromising a single account.
In the same month, Ubisoft suffered a security incident attributed to the group, causing temporary disruption to its games, services, and systems. Lapsus$ said it had not been after Ubisoft customer data. As a precaution, Ubisoft initiated a company-wide password reset.
Like most threat groups, Lapsus$ relied on tried-and-true techniques to gain access to its targets. As noted earlier, it is important to remain on guard against these methods even if Lapsus$ itself is no longer operating.
The group's strength was social engineering. It relied on phishing, spearphishing, SMS phishing, and SIM swapping as part of its initial-access toolkit, and it targeted employees' mobile phones, especially those carrying authentication apps, so that it could intercept or approve second-factor prompts (in some intrusions by bombarding a user with MFA push notifications until one was accepted). The group crafted phishing emails tailored to specific organizations, and in most of its attacks the goal was to compromise employee credentials, which provide access to critical systems and data.
Additional tactics include:
These tactics and tools are important for organizations to know and understand because they are a roadmap for how attackers get into their systems. Foreknowledge of these methods lets companies set up stronger defenses: phishing-resistant multifactor authentication for logins, training employees to spot social engineering, regular vulnerability checks, and monitoring the network for anything unusual so that attacks can be stopped before they cause harm.
Understanding how Lapsus$ functioned can also lead an organization to conclude that it cannot properly secure itself against these types of attacks on its own, and point it toward where to go for outside assistance.
Once inside a target, Lapsus$ had a well-stocked arsenal for privilege escalation, lateral movement, and persistence.
Lapsus$ escalated privileges using improperly stored passwords and keys found once inside a system. Employees often store credentials in plaintext, in files, scripts, or shared documents, instead of in a password manager. Threat actors exploit this, and because they then operate with legitimate accounts and credentials, their activity appears as legitimate user behavior in the forensic record.
Another route to privilege escalation and lateral movement was the use of common tools. Credential-dumping tools yield higher-privileged credentials, and internal communication channels can be leveraged to impersonate employees and conduct internal social engineering attacks. Lastly, the group also used compromised AWS tokens.
Lapsus$ was also known to exploit vulnerabilities for privilege escalation, leveraging well-known, often unpatched, vulnerabilities in products such as Microsoft Active Directory, Microsoft Exchange Server, Confluence, Jira, and GitLab.
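The credential hunting described above can be turned around and run defensively: scan file shares, home directories and repositories for the plaintext passwords, private keys and AWS credentials an intruder would look for, before the intruder does. The script below is an added example, not SpiderLabs tooling. It builds a constructed sample directory (the AWS values are the documented AWS example credentials, not live keys), walks it, and reports redacted findings. The regexes and the entropy floor are illustrative starting points to be tuned for your environment.

```python
"""
Hunt for plaintext credentials of the kind Lapsus$ abused once inside a
network: AWS access keys, private keys and password assignments left in files.
Added example (not SpiderLabs tooling); the sample tree it scans is constructed
here and the patterns are illustrative.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Secret patterns. The AWS secret key has no fixed prefix, so a 40-char
# base64-like token is only reported when its Shannon entropy is high.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
}
ENTROPY_FLOOR = 4.5          # bits per character; tune to your corpus
SKIP_DIRS = {".git", "node_modules", "__pycache__"}
MAX_BYTES = 1_000_000        # skip large or binary blobs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep a short prefix so an analyst can triage without copying the secret."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str, path: str) -> list:
    """Return findings for one file's contents: one dict per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind == "aws_secret_access_key" and shannon_entropy(value) < ENTROPY_FLOOR:
                    continue        # low-entropy 40-char run, not a key
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "redacted": redact(value)})
    return findings


def scan_tree(root: str) -> list:
    """Walk root and scan every small text file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), path))
    return findings


def build_sample_tree() -> str:
    """Constructed directory mimicking what an intruder hunts for. The AWS
    values are the documented AWS example credentials, not live keys."""
    root = tempfile.mkdtemp(prefix="credhunt-")
    files = {
        ".aws/credentials": (
            "[default]\n"
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
        "deploy/id_rsa": (
            "-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEowIBAAKCAQEAconstructedNotARealKey\n"
            "-----END RSA PRIVATE KEY-----\n"),
        "app/config.ini": "db_user = svc_app\npassword = Summer2022!\n",
        "README.md": "Set PASSWORD through the vault at runtime; never commit it.\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['kind']:22} {f['path']}:{f['line']}  {f['redacted']}")
```

Findings are redacted on purpose: a hunting report that contains the full secret is itself the kind of plaintext credential store the scan is meant to find. On a real estate, run it against file shares and the clones of internal repositories, and treat every hit as a credential to rotate, not just a file to clean up.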
Lapsus$ often gained persistence by creating accounts within the victim's organization. It also maintained access through legitimate and malicious remote-access tooling: reverse SSH (Secure Shell) tunnels, reverse proxies, ngrok, and rsocx to keep a communications channel open, and legitimate remote-administration tools such as AnyDesk, LogMeIn, TeamViewer, and ThinScale. Lastly, it could install malware such as Remote Access Trojans.
Finally, Lapsus$ was adept at disabling security monitoring. The group bypassed security detection, disabled security mechanisms, and modified firewall rules to allow inbound remote connections.
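Each of the behaviours in the two paragraphs above (a new account, a remote-access tool, a firewall rule, Defender switched off) looks like routine administration on its own, which is exactly why the group's use of legitimate accounts and tools blends into the forensic record. The detection below, an added example rather than a SpiderLabs detection, classifies constructed records resembling normalised Windows Security and Defender events (IDs 4720, 4728/4732, 4688, 4946 and Defender 5001) and raises an alert only when two or more distinct tactics land on one host within a time window. Host names, user names and timestamps are constructed.

```python
"""
Persistence and defence-evasion detection for the TTPs described above.
Added example, not a SpiderLabs detection. Event records are constructed to
resemble normalised Windows Security / Defender events as a SIEM presents them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools the text associates with Lapsus$ remote access. Matching on process
# names alone misses renamed binaries, so command lines (e.g. "ssh -R") count too.
REMOTE_ACCESS = re.compile(
    r"(?i)\b(?:ngrok|rsocx|anydesk|teamviewer|logmein|thinscale)(?:\.exe)?\b"
    r"|\bssh(?:\.exe)?\s+(?:\S+\s+)*-R\b")
FIREWALL_OPEN = re.compile(
    r"(?i)netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b)")
DEFENDER_OFF = re.compile(
    r"(?i)Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)\b")
PRIV_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}
WINDOW = timedelta(hours=24)   # correlation window per host


def classify(ev: dict):
    """Map one event to a (tactic, detail) tuple, or None if uninteresting."""
    eid, cmd = ev.get("event_id"), ev.get("command_line", "")
    if eid == 4720:                     # a user account was created
        return "persistence:new_account", f"account {ev.get('target_user')} created"
    if eid in (4728, 4732) and ev.get("group") in PRIV_GROUPS:
        return "privilege:group_add", f"{ev.get('target_user')} added to {ev.get('group')}"
    if eid == 5001:                     # Defender: real-time protection disabled
        return "evasion:defender_off", "real-time protection disabled"
    if eid == 4946:                     # rule added to the firewall exception list
        return "evasion:firewall_rule", f"firewall exception added: {ev.get('rule_name')}"
    if eid == 4688:                     # process creation with command line
        if DEFENDER_OFF.search(cmd):
            return "evasion:defender_off", cmd
        if FIREWALL_OPEN.search(cmd):
            return "evasion:firewall_rule", cmd
        if REMOTE_ACCESS.search(cmd):
            return "persistence:remote_access", cmd
    return None


def correlate(events: list) -> list:
    """Group hits per host and alert when two or more distinct tactics occur
    within WINDOW. One new account or one AnyDesk launch is admin noise;
    the combination is what an intrusion of this kind looks like."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        tag = classify(ev)
        if tag:
            hits[ev["host"]].append((ev["time"], ev["user"], *tag))
    alerts = []
    for host, rows in hits.items():
        for i, (t0, *_) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - t0 <= WINDOW]
            tactics = {r[2] for r in window}
            if len(tactics) >= 2:
                alerts.append({"host": host, "start": t0, "tactics": sorted(tactics),
                               "users": sorted({r[1] for r in window}),
                               "details": [r[3] for r in window]})
                break                   # one alert per host is enough here
    return alerts


T = datetime(2022, 1, 20, 9, 0)
SAMPLE_EVENTS = [  # constructed records
    {"time": T, "host": "WS-0417", "user": "jsmith", "event_id": 4688,
     "command_line": r"C:\Windows\System32\notepad.exe"},
    {"time": T + timedelta(minutes=12), "host": "WS-0417", "user": "jsmith",
     "event_id": 4720, "target_user": "svc_backup2"},
    {"time": T + timedelta(minutes=13), "host": "WS-0417", "user": "jsmith",
     "event_id": 4732, "target_user": "svc_backup2", "group": "Administrators"},
    {"time": T + timedelta(minutes=40), "host": "WS-0417", "user": "svc_backup2", "event_id": 4688,
     "command_line": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"time": T + timedelta(minutes=41), "host": "WS-0417", "user": "svc_backup2", "event_id": 4688,
     "command_line": 'netsh advfirewall firewall add rule name="Remote Support" dir=in action=allow protocol=TCP localport=3389'},
    {"time": T + timedelta(minutes=45), "host": "WS-0417", "user": "svc_backup2", "event_id": 4688,
     "command_line": r"C:\Users\svc_backup2\AppData\Local\ngrok.exe tcp 3389"},
    # A helpdesk host with one legitimate AnyDesk session: no alert expected.
    {"time": T + timedelta(hours=2), "host": "HD-02", "user": "helpdesk", "event_id": 4688,
     "command_line": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["start"], alert["tactics"], alert["users"])
        for d in alert["details"]:
            print("   ", d)
```

Note that the alert lists both the original user and the newly created account: the account switch in the middle of the chain is the moment the activity starts to look legitimate, so the correlation has to be keyed on the host rather than the user. In production, the same logic maps onto a SIEM correlation rule with the 4688 command-line matches as sub-rules.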
As previously stated, Lapsus$ primarily attacked for financial gain. To that end it used almost every well-known threat-group monetization scheme.
The first is theft and compromise of data. In many instances the group stole crucial data from its victims, which it could use for extortion, ransom, and harassment. If the victim did not comply with a ransom demand, the group could sell the stolen information on underground forums or threaten to release it publicly to put additional pressure on the victim. This is the double-extortion tactic familiar from ransomware groups, although Lapsus$ generally applied it without deploying ransomware: the leverage was the stolen data itself.
Illegal access can also cause service disruption, such as website defacement, destruction of cloud environments, disruption of services, and disabling of internal systems.
The group could also use information gathered during lateral movement and privilege escalation for harassment. Organizations responding to these incidents were harassed in retaliation, to stop investigations, and to silence researchers, including by publishing researchers' personal information and swatting them and their families.
By understanding Lapsus$'s methods, organizations can take proactive steps to mitigate the risk of being targeted.
In future installments of this series, SpiderLabs Threat Intelligence will delve deeper into other prominent threat actor groups, providing even more insights to help organizations fortify their cybersecurity posture.