Five security lessons from Lapsus$ attacks

With the Lapsus$ hacker group back in business following the arrest of key members by London police, organizations need to take a closer look at the tactics this group used to carry out a remarkable series of breaches in major organizations.

As this group has shown, even basic techniques can be extremely effective at penetrating large organizations by focusing on low-hanging fruit. Its proven effectiveness is likely to result in similar attacks by other criminal actors.

Lapsus$ does not appear to use custom malware or novel techniques. Instead, the group relies on basic social engineering tools and tactics, but uses them creatively. For example, the group has been very effective in targeting peripheral users to gain their initial foothold in a company’s network. They also use privilege escalation tactics quite effectively, going beyond email to exploit other communication channels, such as Slack, where it is easier to social engineer employees, find sensitive information, and escalate the attack.

Here are five Lapsus$ tactics businesses should prepare for.

1. Exploitation of trusted third parties

Supply chain attacks of all kinds are becoming more prevalent as attackers look for easier ways to circumvent strong corporate security posture. As companies reassess their trusted relationships with third parties, it is important not only to focus on systems and technologies, but also to look at the human risk factor.

The Lapsus$ group has specifically targeted lower-level employees within myriad business partners of large organizations. In particular, they seem to be targeting customer support call centers and help desks as they prepare to launch social engineering attacks. These vendors may not rank at the top of a corporation’s security threat monitoring program, but they are clearly sufficient to establish a beachhead at the target company. This appears to be what happened in the Okta breach, as Lapsus$ used a compromised employee account at a customer service provider to infiltrate Okta’s systems.

A key mistake companies need to avoid is allowing lenient sharing permissions with their business partners.

2. Recruitment of experts

Lapsus$ has been actively recruiting corporate insiders (both employees and contractors) to provide credentials and MFA codes, as well as to install remote management tools such as AnyDesk. Microsoft has confirmed that the group’s recruitment efforts have been successful.

Insider recruitment is a growing threat to organizations, and a number of criminal groups are now actively using this tactic, including ransomware gangs like LockBit 2.0 and Demonware. According to a recent study, a whopping 65% of organizations have had employees targeted for criminal recruitment.

Malicious insiders are a serious security challenge, but companies can reduce their risk by tightening access controls and increasing employee monitoring. Businesses need to be able to detect unusual network activity, such as large file transfers or downloads, and monitor for red flags in online communications: not just email, but also social media, social networks, and messaging apps.
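One concrete form of the "detect unusual network activity" control is a per-user egress baseline: compare each user's daily outbound volume with their own recent history and raise an alert when a day is far outside it, or above an absolute ceiling regardless of history. The following is an added example written for this article, not code from the original page or from any vendor; the log format (date, user, destination, bytes out) is a constructed, simplified proxy/egress log, and the thresholds are assumptions to be tuned against real data.

```python
"""Flag users whose outbound transfer volume is far above their own baseline.

Added example, not from the original article. The log format is a constructed,
simplified egress log: "<date> <user> <destination> <bytes_out>". Field names
and thresholds are assumptions, not any specific product's schema or defaults.
"""
from collections import defaultdict
from statistics import median

# Constructed sample egress log: four ordinary days per user, then one day
# on which "alice" pushes roughly 4.8 GB to a destination she never used before.
SAMPLE_LOG = """\
2022-03-20 alice files.example.net 120000
2022-03-21 alice files.example.net 98000
2022-03-22 alice files.example.net 110000
2022-03-23 alice files.example.net 105000
2022-03-24 alice share.example.org 4800000000
2022-03-20 bob files.example.net 200000
2022-03-21 bob files.example.net 210000
2022-03-22 bob files.example.net 190000
2022-03-23 bob files.example.net 205000
2022-03-24 bob files.example.net 198000
"""


def parse_log(text):
    """Return {user: [(date, bytes_out), ...]} preserving log order."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, _destination, nbytes = line.split()
        per_user[user].append((date, int(nbytes)))
    return per_user


def mad(values):
    """Median absolute deviation: a spread measure robust to one-off spikes."""
    m = median(values)
    return median(abs(v - m) for v in values)


def flag_large_transfers(per_user, k=10.0, min_history=3, absolute_floor=1_000_000_000):
    """Walk each user's days in order and flag a day when bytes_out is either
    at or above `absolute_floor`, or more than `k` MADs above the median of
    that user's *earlier* days (MAD of 0 falls back to the median itself so
    a perfectly flat history still yields a usable threshold).

    Returns a list of (user, date, bytes_out, reason) tuples.
    """
    alerts = []
    for user, rows in per_user.items():
        history = []  # bytes_out for this user's previous days only
        for date, nbytes in rows:
            if nbytes >= absolute_floor:
                alerts.append((user, date, nbytes, "above absolute floor"))
            elif len(history) >= min_history:
                base = median(history)
                spread = mad(history) or base
                if nbytes > base + k * spread:
                    alerts.append((user, date, nbytes, "above personal baseline"))
            history.append(nbytes)
    return alerts


if __name__ == "__main__":
    for user, date, nbytes, reason in flag_large_transfers(parse_log(SAMPLE_LOG)):
        print(f"ALERT {date} {user}: {nbytes} bytes out ({reason})")
```

The baseline is built only from days strictly before the one being scored, so a single large day cannot raise its own threshold, and the MAD keeps one earlier spike from inflating the spread for later days. In practice the same logic would be keyed on (user, destination) as well, since a jump to a never-before-seen external host is a stronger signal than volume alone.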

3. Gaining access to messaging platforms

Credential theft has been a long-standing problem for businesses, but until now the risk has largely focused on email and sensitive access tools like Remote Desktop Protocol (RDP). However, groups like Lapsus$ have shown that attacks can take a more devious route by targeting peripheral accounts like personal email and messaging platforms and working inward from there.

By gaining access to a company’s Slack channel, a hacker is not only able to analyze old files and information shared on the platform, but is also in a perfect position to carry out social engineering attacks, in particular through conversation hijacking techniques. Slack and other messaging platforms also often lack the ability to scan potentially malicious attachments and links.
