The compromises of Okta and Microsoft that were confirmed this week are only the latest in a string of attacks by the Lapsus$ group, which has also previously hit high-profile victims like Nvidia, Samsung and Ubisoft. Researchers with Microsoft and Mandiant who have picked apart the attackers behind these hacks point to an "unorthodox" group that “doesn’t seem to cover its tracks” and that uses a unique blend of tactics to compromise user identities and accounts.
The group over the past few weeks has launched several social engineering and extortion campaigns against multiple organizations, with some hacks having “destructive elements,” according to Microsoft. The technology company, which was a recent victim of Lapsus$ itself after an account compromise gave the threat actor “limited access,” said that the group relies on several tactics used less frequently by other threat groups.
“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” according to Microsoft in a Tuesday analysis.
The group is unique in that it doesn’t seem to cover its tracks, typically announcing attacks on social media, advertising its intent to buy credentials for targeted organizations and leveraging tactics that can draw attention to its malicious activity. For instance, rather than the group introducing the tools it needs for the various stages of the operation via a backdoor or as a single archive, Mandiant researchers observed Lapsus$ using browsers to search for and then download tools needed, according to Joshua Shilko, senior principal analyst at Mandiant.
“This isn’t interesting so much as far as impact on the organization, but rather it’s something that actors often avoid since searching for and visiting sites that make these tools available can tip off defenders,” said Shilko.
The Rise and Evolution of Lapsus$
Mandiant researchers first noticed activity associated with the group’s name on underground forums in July 2021, talking about a video game company that the attackers claimed to have breached. Early attacks targeted cryptocurrency accounts to steal wallets and funds; however, the group quickly widened its targeting to include organizations in South America, including the compromises of the Brazilian Ministry of Health and South American telecommunications organizations.
“Things have accelerated since then,” said Shilko. “In a timeframe of a few short months we saw all the group’s malicious activity, including the Okta activity in January. Maybe they were already working on some of this stuff for a time.”
The group now targets organizations globally, including companies in the telecommunications, technology, IT services and support sectors where it can double down on damage by leveraging the access to further compromise partner or supplier organizations.
In several incidents the group has extorted its victims by threatening to leak their sensitive data unless they pay, or it has targeted individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings. However, in other cases researchers point out that money doesn’t appear to be the primary goal. In some intrusions, for instance, the group has merely leaked the data stolen from the victims without making an extortion attempt. And after targeting Nvidia, Lapsus$ asked the company to remove its lite hash rate (LHR) feature, reportedly meant to limit Ethereum mining capabilities in certain products; and also asked Nvidia to open-source its GPU drivers for macOS, Windows and Linux devices.
The threat actor follows its victims closely both before and after its compromises. Before launching an attack, the group researches a targeted company's employees, team structures, help desks, crisis response workflows and supply chain relationships. It then calls the organization's help desk to trick staff into resetting the target’s credentials, having already gathered the answers to common recovery prompts such as the “first street you lived on” or “mother’s maiden name.”
“The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure,” according to Microsoft researchers. “Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.”
After an intrusion, the group has also been observed joining the victim’s crisis communication calls and Slack or Teams internal discussion boards to understand how incident response is being carried out, helping the group better understand the victim’s state of mind or their knowledge of the extent of the intrusion.
Initial Access and Post-Intrusion Activities
Initial access avenues vary for the group, but are typically focused on compromising user identities. The group has been observed deploying the Redline password stealer to exfiltrate passwords and session tokens, purchasing credentials on underground forums, searching public code repositories for exposed credentials, and in certain instances paying employees at targeted organizations for access to credentials. It will also spam target users with multi-factor authentication (MFA) prompts.
The Lapsus$ group then uses these compromised credentials to access internet-facing systems and applications, including VPNs, virtual desktop infrastructure (VDI) or remote desktop protocol (RDP). The latter may have been used as part of a recent hack of Okta, for instance, where the access appears to have come via RDP to a machine that was authenticated to Okta’s network.
“In other observed activity… actors performed a SIM-swapping attack to access a user’s phone number before signing into the corporate network,” said Microsoft researchers. “This method allows the actors to handle phone-based authentication prompts they need to gain access to a target.”
Once the attackers have compromised a victim, they extend their access by exploiting unpatched vulnerabilities on internally accessible Jira, GitLab or Confluence servers, or by searching code repositories and collaboration platforms like Slack or Teams for exposed credentials. The group has also used several publicly available tools as part of the attack chain, such as AD Explorer for enumerating users and groups in a victim network (to allow them to understand which accounts have higher privileges).
Lapsus$ has also been observed using privileged access to cloud tenants (like AWS or Azure) to create global admin accounts, before switching the mail transport rule to send all mail in and out of the organization to this account and deleting all other global admin accounts. This gives Lapsus$ actors sole control over cloud resources and locks the victim out of all access.
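The tenant takeover sequence just described (new global admin, mail-forwarding transport rule, removal of the other global admins) is distinctive enough to be hunted for in audit logs. The following is an added example, not code from the article or from Microsoft or Mandiant; the event schema, operation names and sample log entries are constructed and simplified rather than taken from any real cloud provider's audit format.

```python
from datetime import datetime, timedelta

GA_ROLE = "Global Administrator"

# Constructed audit events (simplified schema, not a real provider format).
# A benign admin add with no follow-up activity is included as a control.
EVENTS = [
    {"ts": "2022-03-01T10:00:00", "op": "AddRoleMember", "actor": "svc-admin@corp.example",
     "target": "new-ga@corp.example", "role": GA_ROLE},
    {"ts": "2022-03-01T10:04:00", "op": "NewTransportRule", "actor": "new-ga@corp.example",
     "target": "AllMailCopy", "detail": "BlindCopyTo=new-ga@corp.example"},
    {"ts": "2022-03-01T10:09:00", "op": "RemoveRoleMember", "actor": "new-ga@corp.example",
     "target": "cto@corp.example", "role": GA_ROLE},
    {"ts": "2022-03-01T10:10:00", "op": "RemoveRoleMember", "actor": "new-ga@corp.example",
     "target": "ciso@corp.example", "role": GA_ROLE},
    {"ts": "2022-03-02T09:00:00", "op": "AddRoleMember", "actor": "svc-admin@corp.example",
     "target": "newhire-admin@corp.example", "role": GA_ROLE},
]


def detect_tenant_takeover(events, window=timedelta(hours=2)):
    """Flag a newly added Global Administrator that, within `window` and under its
    own identity, creates or changes a transport rule and/or removes other GAs.
    Returns one alert per suspicious new admin, with a severity rating."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    alerts = []
    for i, e in enumerate(events):
        if e["op"] != "AddRoleMember" or e.get("role") != GA_ROLE:
            continue
        new_admin, t0 = e["target"], datetime.fromisoformat(e["ts"])
        # Only actions taken by the new admin itself, inside the time window.
        later = [x for x in events[i + 1:]
                 if x["actor"] == new_admin
                 and datetime.fromisoformat(x["ts"]) - t0 <= window]
        mail_rules = [x["target"] for x in later
                      if x["op"] in ("NewTransportRule", "SetTransportRule")]
        removed = [x["target"] for x in later
                   if x["op"] == "RemoveRoleMember" and x.get("role") == GA_ROLE
                   and x["target"] != new_admin]
        if not mail_rules and not removed:
            continue  # normal onboarding: no follow-up actions
        severity = "high" if mail_rules and removed else "medium"
        alerts.append({"new_admin": new_admin, "granted_by": e["actor"],
                       "mail_rules": mail_rules, "removed_admins": removed,
                       "severity": severity})
    return alerts
```

Any hit should be treated as a break-glass event, since by the time the last global admin is removed the victim's own recovery path is gone.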
Microsoft said that enterprise organizations can strengthen their MFA implementation as “one of the primary lines of defense,” and help their employees learn how to better detect social engineering attacks. The company recommends requiring MFA for all users coming from all locations and all internet-facing infrastructure (even those coming from on-premises systems), for instance.
At the same time, the "unique blend of tradecraft" by the group that couples social engineering and identity-centric tactics requires "detection and response processes that are similar to insider risk programs, but also involve short response timeframes needed to deal with malicious external threats," said Microsoft researchers.