Analyst Message #06: Racoon Stealer Development Pause, Updates on LAPSUS$ and North Korea State-Backed Operations

Analyst Message #06: Racoon Stealer Development Pause, Updates on LAPSUS$ and North Korea State-Backed Operations

Threat Actor Update: LAPSUS$ Commitments Highlight Effectiveness of Insider Threats

The extortion group LAPSUS$ announced in March that it had compromised Okta (1), a widely used identity and access management provider, and Microsoft (4). LAPSUS$ claimed to have “superuser/administrator” access to Okta and had access to customer data (two). Okta suspects that LAPSUS$ gained access to a support engineer’s laptop between January 16 and 21, 2022 (1). About 2.5% of Okta customers’ data has potentially been viewed or acted on (1). In another incident, LAPSUS$ claimed to have leaked 37 GB of source code belonging to Microsoft (3). Microsoft confirms that a single account was compromised and parts of the source code were exfiltrated (4).

LAPSUS$, tracked as DEV-0537 by Microsoft, uses a ransomware-free extortion and destruction model (4). According to Microsoft, LAPSUS$ is generally focused on compromising the identities of users in the target organization for initial access. LAPSUS$ leverages multiple TTPs, such as paying for credentials and approving multi-factor authentication (MFA) to employees of specific organizations, purchasing credentials and session tokens from criminal forums, and searching for credentials in public code repositories. After gaining initial access, LAPSUS$ focuses on expanding its access within the network by enumerating the credentials of the most privileged users and exploiting unpatched vulnerabilities in internally accessible servers. LAPSUS$ uses well-known virtual private server (VPS) providers and geographically aligned NordVPN exit points to exfiltrate victim data. After exfiltration, LAPSUS$ has been observed to wipe out the target’s systems and resources (4).

In late March, City of London Police arrested seven teenagers linked to the LAPSUS$ group, including a 16-year-old from Oxford, accused of being one of the leaders of LAPSUS$ (5). The accused leader uses the online aliases “White” or “Beachbase” and was duped online, revealing his name, address and social media images (5). Security researchers have been monitoring “White” since mid-2021 and have been notifying law enforcement of the most recent activity (5). LAPSUS$ activity continued even despite the arrests; claimed to have leaked client source code from Globant, a software services company according to a March 30 report (12).

LAPSUS$, while not the first group to take advantage of insider threats, has shown how vulnerable even large, well-resourced organizations are to this TTP. Many organizations have legitimately focused on the threat posed to them by traditional ransomware groups and their affiliates; however, the recent success of LAPSUS$ should prompt organizations to assess their current insider threat program to see if it is effective in today’s threat landscape.

Malware: the war in Ukraine continues to affect the cybercriminal ecosystem

The developers of the commodity information stealer Racoon Stealer temporarily closed all sales due to the loss of personnel in the war between Russia and Ukraine (6). According to a tweet from the group on March 25, a critical member of the team was killed “due to the ‘special operation,'” a likely reference to the Russian invasion of Ukraine. The loss prevents the group from providing stable operation to the malware’s clients (6). The group states that this is not a permanent hiatus and that they will return with a second version in a few months (6). The temporary shutdown of Racoon Stealer is causing customers to turn to Mars Stealer, causing its operators to be overwhelmed with messages (7).

The war in Ukraine continues to impact the cybercriminal ecosystem in a number of ways, including making financially motivated groups more politically oriented. Raidforums, an illicit forum, posted a notice banning any user from connecting from Russia (7) to show his position on the Russia-Ukraine war. The Conti ransomware group, after openly backing the Russian state, was the subject of a massive leak by a Ukrainian security researcher (13).

Exploitation Tools and Targets: North Korean State-Backed Groups Take Advantage of Chrome Vulnerability

Two North Korean state-backed groups (8) exploited CVE-2022-0609, a remote code execution (RCE) vulnerability in Chrome (9). The campaign targeted media and IT organizations by sending emails claiming to be Disney, Google or Oracle recruiters that contained links spoofing job search websites. Clicking on the link would bring up a hidden iframe that would trigger the exploit kit. The campaign targeting the cryptocurrency and fintech industries created fake websites and compromised at least two legitimate fintech company websites to deliver the exploit kit to targets. The exploit kit took the fingerprints of the target system and then requested the next stage if the conditions were met.

The number of exploited Chrome vulnerabilities has grown steadily in recent years. The number of Chrome vulnerabilities exploited in the wild increased from 8 in 2020 to 14 in 2021 (10). Google has already announced two zero days this year, CVE-2022-0609 (9) and CVE-2022-1096 (eleven). Google attributes the rise in Chrome vulnerabilities to the deprecation of Flash, the use of Chromium in multiple browsers, the need to chain multiple bugs together for a single exploit, and increasing browser complexity (10). Google has released security fixes for CVE-2022-0609 (9) and CVE-2022-1096 (eleven).

References

  1. https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/?_ga=2.214425943.1726951151.1648229830-648809539.1647946402&_gac=1.28299342.1647946516.Cj0KCQjw5-WRBhCKARIsAAId9FkQ6XWMN9wz_LwdoVrwY2xteKcAJSa0IBRX9n2Is8KPt58_142rw64aAqerEALw_wcB
  2. https://www.bleepingcomputer.com/news/security/okta-investigating-claims-of-customer-data-breach-from-lapsus-group/
  3. https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/
  4. https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
  5. https://www.bbc.com/news/technology-60864283
  6. https://twitter.com/3xp0rtblog/status/1507312171914461188
  7. https://www.bleepingcomputer.com/news/security/racoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/
  8. https://blog.google/threat-analysis-group/countering-threats-north-korea/
  9. https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html
  10. https://www.securityweek.com/google-attempts-explain-surge-chrome-zero-day-exploitation
  11. https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html?m=1
  12. https://thehackernews.com/2022/03/lapse-claims-to-have-breached-it-firm.html
  13. https://edition.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/index.html

structured data

Find Analyst Prompt and previous editions in our TAXII public collection for easy use in your security stack.

TAXII v1 discovery services: https://cti.eclecticiq.com/taxii/discovery

You can also download the content as eiq_json, stix1_2, stix2_1.

Check out our Support page for guidance on accessing feeds.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, search and response technology and services. Headquartered in Amsterdam, EclecticIQ’s threat research team is made up of experts from Europe and the US with decades of cybersecurity and intelligence experience in industry and government.

We would love to hear from you. Send us your feedback by sending us an email at [email protected].

*** This is a syndicated Security Bloggers Network blog from EclecticIQ Blog written by the EclecticIQ threat research team. Read the original post at: https://blog.eclecticiq.com/racoon-stealer-development-hiatus-and-updates-on-lapse-and-north-korean-state-backed-operations

Leave a Comment