The Lapsus$ cybercriminal collective has been in the news in recent weeks. After several high-profile attacks, the security community is turning its sights on this new threat actor and its techniques.
The Okta incident also reveals some details of those techniques. Microsoft has now published an in-depth blog post detailing the activities it has observed associated with DEV-0537, its reference name for Lapsus$. The cyber security blog Krebs on Security has a deeper dive into some of the group’s activities, confirming several of Microsoft’s findings.
High-profile attacks
Lapsus$ has been attributed to, or associated with, a series of high-profile attacks since December 2021. This rapid rise to prominence is interesting because each of these attacks came with a specific extortion demand.
Ransomware gangs have a clear focus on profit. They breach your systems, lock you out of your data, and demand payment to restore that access. More recently, ransomware gangs have added a second lever: they exfiltrate sensitive data before encrypting it and threaten to publish it, so that paying the initial ransom is no longer the end of the matter.
Other cybercriminals seek to capture your resources to resell them underground. This can be very profitable as they are selling resources that you are paying for.
The motivation behind the Lapsus$ attacks is murkier. It seems to alternate between extortion and chaos, which makes the group’s efforts more difficult to predict and contain.
One thing that is clear is Lapsus$’s preferred access technique. It’s very good at exploiting the fact that your users need to work.
In some attacks, the group has gone after third-party support providers in order to reach its real targets. Support outsourcing is common for technology companies, and that relationship creates an exposure that this cybercriminal group is exploiting.
Using social engineering techniques, it has been able to reset user passwords and co-opt multi-factor authentication (MFA) tools to gain access to legitimate credentials on its victims’ systems.
When that fails, the group is not above bribing employees to gain that access. In fact, it has openly advertised this approach. The group knows that support employees, especially those at third parties, are vulnerable to bribery, and the return on investment makes this approach worthwhile for Lapsus$.
In its post, Microsoft provides some details showing how the group also targets users’ personal devices for information about their work systems.
Personal devices are generally not monitored, which means there is a higher chance that an attacker could gain a foothold. To make matters worse, most people use their personal device for MFA. This provides an opportunity for the attacker, one that Lapsus$ seems to be taking advantage of.
The group also deploys more “standard” techniques: the Redline password-stealing malware, buying credentials harvested in other compromises, and using Mimikatz to dump passwords from networks it already has access to.
Once the group has access to legitimate credentials, it gains access to an organization’s network and seeks to expand that foothold as quickly as possible.
Gaining cloud access
Microsoft has seen the group take advantage of cloud access in AWS and Azure. Where a compromised user account gives the group only that user’s reach, a cloud account presents a different kind of opportunity.
If it can gain access to an organization’s cloud accounts, it creates its own global administrator account and then removes or restricts everyone else’s access, effectively locking the organization’s own teams out of their cloud infrastructure.
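The lock-out sequence above is visible in cloud audit logs as a short chain of identity-management calls. The following is an added example, not code from the original article or from Microsoft’s report: a detection rule run over CloudTrail-shaped IAM events that flags a principal being granted `AdministratorAccess` and then, together with whoever granted it, stripping access from several other principals. The event records are constructed; the 30-minute window and the three-principal threshold are assumptions chosen for illustration.

```python
"""Added example, not from the original article or Microsoft's report:
a rule for the cloud lock-out pattern over CloudTrail-shaped IAM events.
EVENTS, the 30-minute window and the threshold of three revoked principals
are constructed/assumed for illustration."""

from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# IAM calls that take away someone else's console or API access.
REVOKE_ACTIONS = {"DeleteLoginProfile", "DeleteAccessKey", "DeactivateMFADevice",
                  "DetachUserPolicy", "DeleteUser"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    ident = event["userIdentity"]
    return ident.get("userName", ident.get("arn", "?"))


def find_admin_lockout(events, window=timedelta(minutes=30), min_revoked=3):
    """Flag a principal that is granted AdministratorAccess and then, together
    with the identity that granted it, revokes access from several others
    within `window`. Returns one finding per suspicious admin grant."""
    events = sorted(events, key=_ts)
    findings = []
    for e in events:
        params = e.get("requestParameters", {})
        if e["eventName"] != "AttachUserPolicy" or params.get("policyArn") != ADMIN_POLICY:
            continue
        new_admin, granted_by, t0 = params["userName"], _actor(e), _ts(e)
        suspects = {new_admin, granted_by}
        revoked = set()
        for later in events:
            if later["eventName"] not in REVOKE_ACTIONS or _actor(later) not in suspects:
                continue
            if not (t0 <= _ts(later) <= t0 + window):
                continue
            target = later.get("requestParameters", {}).get("userName")
            if target and target not in suspects:      # self-service key rotation is not a lock-out
                revoked.add(target)
        if len(revoked) >= min_revoked:
            findings.append({"new_admin": new_admin, "granted_by": granted_by,
                             "locked_out": sorted(revoked)})
    return findings


def _ev(time, actor, name, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"userName": actor}, "requestParameters": params}


# Constructed sample: a compromised support account creates a new admin, which
# then removes the real administrators' logins, keys and MFA. Key IDs, MFA
# serials and the account number are placeholders.
EVENTS = [
    _ev("2022-03-20T02:10:00Z", "svc-helpdesk", "CreateUser", userName="backup-admin"),
    _ev("2022-03-20T02:10:30Z", "svc-helpdesk", "AttachUserPolicy",
        userName="backup-admin", policyArn=ADMIN_POLICY),
    _ev("2022-03-20T02:12:00Z", "backup-admin", "DeleteLoginProfile", userName="alice"),
    _ev("2022-03-20T02:12:20Z", "backup-admin", "DeleteAccessKey", userName="bob",
        accessKeyId="AKIAEXAMPLE000000001"),
    _ev("2022-03-20T02:13:00Z", "backup-admin", "DeactivateMFADevice", userName="carol",
        serialNumber="arn:aws:iam::123456789012:mfa/carol"),
    # Benign noise: alice rotating her own key, and an ordinary read-only grant.
    _ev("2022-03-20T09:00:00Z", "alice", "DeleteAccessKey", userName="alice",
        accessKeyId="AKIAEXAMPLE000000002"),
    _ev("2022-03-20T09:05:00Z", "alice", "AttachUserPolicy", userName="dave",
        policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
]

if __name__ == "__main__":
    for finding in find_admin_lockout(EVENTS):
        print(finding)
```

The rule keys on the sequence rather than on any single call, because each call on its own (creating a user, attaching a policy, deleting a login profile) is routine administration. The same logic maps onto Azure AD audit logs, where the equivalent is a role assignment to Global Administrator followed by removals of other role members, but the field names differ and would need their own parser.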
What can we learn from Lapsus$?
Taking a step back, these avenues of attack share a common approach. They all try to take advantage of valid credentials and abuse whatever permissions have been granted to that identity.
The Okta breach screenshots show the typical working tools provided to support engineers. In the wrong hands, they could negatively affect your reputation or expose your customers… as we have seen.
These attacks are a stark reminder that authentication (who are you?) and authorization (what can you do?) are critical to your security posture.
For authentication, a strong passphrase strategy is a must. The latest NIST guidelines (SP 800-63B) are a great starting point. If you haven’t already applied them within your organization, that work should begin immediately.
Bottom line: long passphrases; rotate them when there’s evidence of a problem or once a year (NIST no longer recommends forced periodic changes, so treat the annual rotation as a conservative compromise rather than a requirement); use a password manager; and use MFA whenever possible.
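What the NIST guidance looks like when it is enforced at the point where a user picks a secret: the following is an added example, not code from the original article, of a memorized-secret checker modelled on SP 800-63B section 5.1.1.2. The length floor and ceiling, the blocklist comparison, the rejection of repetitive or sequential strings and of context-specific words (username, service name) are the guideline’s requirements; the blocklist contents are a constructed placeholder for a real breached-password corpus.

```python
"""Added example, not code from the original article: a memorized-secret
checker modelled on NIST SP 800-63B section 5.1.1.2. BLOCKLIST is a
constructed placeholder for a real breached/common password corpus."""

import re

# Constructed sample. A real deployment would load a large breached-password
# list (for example a Pwned Passwords export) here.
BLOCKLIST = {"password", "password123", "qwerty", "letmein", "123456", "welcome1"}

MIN_LEN = 8    # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 64   # SP 800-63B: verifiers SHOULD accept at least 64 characters


def _is_repetitive_or_sequential(pw: str) -> bool:
    """True for secrets like 'aaaaaaaa', '12345678' or 'abcdefgh'."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1 and abs(next(iter(steps))) == 1


def check_passphrase(pw: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons a candidate secret is rejected (empty list = accepted).

    Deliberately absent, per the guideline: composition rules (must contain an
    upper-case letter, a digit, a symbol) and forced periodic rotation.
    """
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")

    normalized = pw.lower()
    # Strip trailing digits/punctuation so 'Password2024!' still matches 'password'.
    stem = re.sub(r"[\d\W_]+$", "", normalized)
    if normalized in BLOCKLIST or stem in BLOCKLIST:
        reasons.append("appears in breached/common password blocklist")

    if _is_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential characters")

    # Context-specific words: the service name and the user's own identifier.
    for label, word in (("username", username), ("service name", service)):
        if word and word.lower() in normalized:
            reasons.append(f"contains the {label} '{word}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password2024!", "acme-helpdesk-2022"):
        print(repr(candidate), "->", check_passphrase(candidate, "alice", "acme") or "accepted")
```

Note what the checker does not do: it never demands a mix of character classes, because the guideline found those rules push users toward predictable substitutions, and it never expires a secret on a calendar. Rotation is a separate decision triggered by evidence of compromise (a breach notice, a blocklist hit on a secret already in use), not by this function.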
When it comes to authorization, the principle of least privilege rules the day. Permission grants have a nasty habit of expanding over time. Permissions should be reviewed periodically and over-provisioned access removed.
Was that malicious?
Despite your best efforts around authentication and authorization, a breach can still occur. There is too much money at stake for cybercriminals to stop trying.
This leads to the question, “How do you determine if the actions of an authorized entity are malicious?”
Let’s say a system in your cloud account typically accesses a database every minute. It’s a pretty consistent pattern that reflects the general usage of the system. The system is authorized to access that database, so there’s probably nothing to worry about.
But what if that access becomes more frequent? At what point does that change from typical behavior to abnormal behavior? That is difficult to answer.
While no system is perfect, anomaly detection-based security controls can help detect abnormal and potentially malicious behavior. These systems examine behaviors and build a baseline of “typical” behaviors for that context. Any activity outside that baseline is flagged. Then that event is enriched and a determination is made.
Going back to the system accessing the database: if that access becomes continuous for a few minutes and then returns to its normal “every minute” cadence, that could raise an abnormal-behavior flag. Combined with other indicators, it could allow your security team to spot credential abuse that would otherwise go unnoticed.
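The cadence argument above in working form: the following is an added example, not code from the original article, of a per-minute rate baseline built from one service identity’s access-log lines, with minutes that exceed the baseline by a multiple flagged and consecutive flagged minutes collapsed into one bounded episode. The log lines, the one-query-per-minute cadence, the three-minute burst and the 5x threshold are all constructed for illustration.

```python
"""Added example, not code from the original article: a per-minute rate
baseline over constructed access-log lines for one service identity.
constructed_log(), the cadence, the burst and the 5x multiplier are all
constructed/assumed for illustration."""

from collections import Counter
from datetime import datetime, timedelta
from statistics import median

BASE = datetime(2022, 3, 20, 1, 0, 0)


def constructed_log():
    """30 min at one query/min, then 3 min at one query/s, then 10 min normal.
    Format (constructed): '<ISO timestamp>Z <identity> QUERY <table>'."""
    times = [BASE + timedelta(minutes=m) for m in range(30)]
    burst = BASE + timedelta(minutes=30)
    times += [burst + timedelta(seconds=s) for s in range(180)]
    times += [BASE + timedelta(minutes=33 + m) for m in range(10)]
    return [f"{t.isoformat()}Z db-reader QUERY orders" for t in times]


def minute_counts(lines):
    """Bucket log lines (ISO timestamp as the first field) into per-minute counts."""
    counts = Counter()
    for line in lines:
        t = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
        counts[t.replace(second=0)] += 1
    return counts


def flag_bursts(lines, train_minutes=20, multiplier=5):
    """Baseline = median per-minute count over the first `train_minutes` buckets
    (median so a single odd training minute does not skew it). Any later
    minute above baseline * multiplier is flagged. Returns (baseline, flagged)."""
    counts = minute_counts(lines)
    minutes = sorted(counts)
    baseline = median(counts[m] for m in minutes[:train_minutes])
    threshold = baseline * multiplier
    flagged = [m for m in minutes[train_minutes:] if counts[m] > threshold]
    return baseline, flagged


def episodes(flagged):
    """Collapse consecutive flagged minutes into (start, end) ranges, so a burst
    that then returns to normal shows up as one bounded event to enrich."""
    out = []
    for m in flagged:
        if out and m - out[-1][1] == timedelta(minutes=1):
            out[-1][1] = m
        else:
            out.append([m, m])
    return [tuple(r) for r in out]


if __name__ == "__main__":
    baseline, flagged = flag_bursts(constructed_log())
    print("baseline per minute:", baseline)
    for start, end in episodes(flagged):
        print("burst from", start.time(), "to", end.time())
```

Two caveats worth keeping in mind. A multiplier-on-median baseline is deliberately simple; an attacker who keeps their queries just under the threshold will not trip it, so this is one signal to combine with others (new source address, new tables touched, off-hours timing), as the text says. And because only minutes that contain at least one event become buckets, a sudden silence (the system stops querying because its credential is now being used elsewhere) is not flagged by this code; detecting dips needs the empty minutes filled in explicitly.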
No security posture is perfect. The Lapsus$ collective targets the biggest pain point in most security postures: finding anomalous behavior by authorized entities.
Defending against this approach requires security teams to strengthen their authentication and authorization practices to prevent the compromise of valid credentials in the first place. At the same time, teams must continually monitor their environment for unusual behavior by the identities that are already authorized.
But security is more than just technical controls. Teams should also review the processes and procedures used by their support teams (internal and third party). Recent attacks have reminded the security community of the importance of these procedures.