Grit Blog

Threat Brief: Lapsus$

Published 3/30/22, 9:00am

Between March 20, 2022, and March 21, 2022, the eCrime group known as LAPSUS$ released several screenshots via Telegram indicating that they had successfully breached Okta and Microsoft as part of two separate breach scenarios.

This isn’t the first time the upstart hacking group has made headlines: Lapsus$ has breached multiple noteworthy victims across the technology and telecom sectors in a whirlwind, five-month sprint, but this may be the flashiest. Interestingly, the group doesn’t follow the popular double-extortion path, in which encrypting data for ransom is supplemented with data exfiltration and a TOR leak site. Instead, they exfiltrate sensitive data and use it as extortion leverage via the chat and messaging platform Telegram, backing both financial and non-financial demands. The group is also very vocal and makes a habit of boasting about their success to a community of followers in their public Telegram channel, where they go as far as polling their fans to decide which data to leak next.

The group has claimed publicly that their end goals are purely financial, emphasizing that they are not politically motivated. But when you combine the odd nature of some of their demands with the group’s braggadocious tone, it can be hard to tell if the individuals within LAPSUS$ are more interested in street cred or financial gain. However, it’s clear that they must be making some serious cash because they have also offered significant bounties for insider access to their targets.

So what brought Lapsus$ to this point, where do things currently stand, how do they operate, and how can you detect activity potentially related to their past successes? First, we’ll take a look at their history of activity starting with their first claimed breach in December 2021, then we’ll see where the group is now and review their known tactics, and finally, we’ll look at a few resources for detection and recommendations for proactive defense.

Timeline of publicly known and large-scale breaches by Lapsus$

December 9, 2021 – Brazilian Ministry of Health

  • On December 9, Lapsus$ launched their now-famous Telegram channel and claimed responsibility for stealing over 50 terabytes of data from the Brazilian Ministry of Health

December 23, 2021 – Correios

  • In the early morning hours of December 23, Lapsus$ announced they had breached the Brazilian postal service, Correios. The response on Telegram was mixed, with many expressing anger due to the public necessity of the postal service and the impact the breach could have on Christmas package deliveries.

December 30, 2021 – New Year’s blitz

  • Over the weekend of New Year 2022, Lapsus$ attacked multiple targets including a Latin American telecom company, Claro, and a Portuguese media conglomerate, Impresa. In their messages announcing the breaches on their Telegram channel, they asked for an undisclosed amount of money. They also claimed credit for several smaller incidents, including denial-of-service attacks against other targets like the car rental company Localiza.

February 8, 2022 – Vodafone

  • In early February, Lapsus$ hinted that they had breached Vodafone and created a poll asking their community what data they should leak first. Later, in March, they specified that they had about 200 gigabytes of Vodafone data and access to 5000 related GitHub repositories.

February 23, 2022 – Nvidia

  • When the story broke that Nvidia had been breached, Lapsus$ stepped in to claim credit for the attack. The group allegedly lifted almost a terabyte of data, including schematics, firmware, and much more. Instead of demanding direct financial payment in exchange, the group demanded that Nvidia remove the drivers that limited cryptocurrency mining on their graphics cards. They expanded their demands a week later, on March 1, asking Nvidia to open-source all their GPU drivers for all platforms.

March 4, 2022 – Samsung Mobile

  • Breaking from the extortion pattern they had established, on March 4 Lapsus$ posted a torrent file containing source code for Samsung Mobile devices and software. The leaked data included biometric authentication and security source code for the manufacturer’s devices, as well as proprietary information related to chipmaker Qualcomm.

March 11, 2022 – Ubisoft

  • On March 11, Ubisoft announced they had been the victim of a cyberattack. In the Lapsus$ Telegram channel, a link to the breaking story on The Verge was sent out with a smirking emoji. There has been little further news on the story, and it remains unclear what motivations Lapsus$ had for the attack or whether they made any demands outside their channel.

March 19, 2022 – Microsoft

  • On March 19, Lapsus$ posted screenshots in their Telegram channel that indicated they had breached Microsoft and compromised Bing, Cortana, and other services and projects. Later, on March 21, they posted partial source code for Bing, Bing Maps, and Cortana. 

March 22, 2022 – Okta

  • Continuing their rapid-fire streak of high-profile breaches, on March 22 Lapsus$ claimed they had remote access to multiple Okta systems with superuser and admin privileges. They claimed they did not access or steal any Okta databases, and only focused on Okta customers.

Lapsus$ Tactics, Techniques, and Procedures (TTPs):

Initial Intrusion Vectors

Lapsus$ is known to use a variety of methods for initial access, with a focus on social engineering and exploitation of insecure remote access tools, including:

  • Targeting and attempting to recruit insiders from targeted organizations to provide access to environments through financial bribes.
  • Crawling and searching for publicly exposed credentials on forums and other public repositories.
  • Purchasing compromised credentials and session tokens from dark web forums and marketplaces.

Lapsus$ is also known to use information-stealing malware such as RedLine to obtain credentials and access to victim organizations.

Post-Exploitation Operations

Although Lapsus$ is best known for operating largely without malware, the group does leverage common post-exploitation, reconnaissance, and credential harvesting utilities including AD Explorer, Mimikatz, and built-in Windows utilities. The group also gravitates towards leveraging vulnerabilities in platforms such as Jira, GitLab, and Confluence for further movement into the victim network. To find sensitive data on networks, Lapsus$ focuses on finding collaboration platforms such as SharePoint, Confluence, or Jira, and code repositories such as GitHub and GitLab.

Lapsus$ is especially adept at infiltrating cloud environments and conducting operations without being discovered. In many cases, if they are able to obtain administrator credentials for the cloud environment, they focus on removing all other admin accounts from the environment to prevent IT administrators from eradicating them. The group also leverages administrative privileges to create additional virtual servers and infrastructure to use during subsequent phases of their attack.
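The cloud behaviour described above, a compromised admin stripping the other administrators' access and then standing up new infrastructure, leaves a distinctive shape in the cloud management audit log. The following script is an added example, not GRIT's tooling: it reads simplified audit events (eventTime, eventName, actor, target; the action names follow AWS IAM/EC2 API names but the lists are an assumption to adapt to your provider), raises a finding when one actor removes access from several distinct principals in a short window, and then lists the resource-creation actions that same actor performed afterwards. All events are constructed.

```python
"""Flag an admin-purge pattern in cloud management audit logs.

Added example, not GRIT's own tooling. Events use a simplified record shape
(eventTime, eventName, actor, target); the action names follow AWS IAM/EC2 API
names but the lists are an assumption to adapt to your provider, and every
event below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that strip another principal's access (assumed list).
ADMIN_REMOVAL_ACTIONS = {
    "DeleteUser", "DeleteLoginProfile", "DetachUserPolicy",
    "RemoveUserFromGroup", "DeactivateMFADevice",
}
# Actions that stand up new infrastructure or credentials an intruder can reuse.
RESOURCE_CREATION_ACTIONS = {"RunInstances", "CreateUser", "CreateAccessKey"}

# Constructed sample: one compromised admin locks out two peers, then launches a VM.
SAMPLE_EVENTS = [
    {"eventTime": "2022-03-21T02:00:10Z", "eventName": "ConsoleLogin",
     "actor": "admin-alice", "target": ""},
    {"eventTime": "2022-03-21T02:03:05Z", "eventName": "DeactivateMFADevice",
     "actor": "admin-alice", "target": "admin-bob"},
    {"eventTime": "2022-03-21T02:03:40Z", "eventName": "DeleteLoginProfile",
     "actor": "admin-alice", "target": "admin-bob"},
    {"eventTime": "2022-03-21T02:04:12Z", "eventName": "RemoveUserFromGroup",
     "actor": "admin-alice", "target": "admin-carol"},
    {"eventTime": "2022-03-21T02:05:30Z", "eventName": "DeleteUser",
     "actor": "admin-alice", "target": "admin-carol"},
    {"eventTime": "2022-03-21T02:09:00Z", "eventName": "RunInstances",
     "actor": "admin-alice", "target": "i-0123456789abcdef0"},
    # Routine single removal by a different admin hours later: should not fire.
    {"eventTime": "2022-03-21T09:15:00Z", "eventName": "RemoveUserFromGroup",
     "actor": "admin-dave", "target": "contractor-x"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_admin_purge(events, window=timedelta(minutes=15), min_targets=2):
    """Return one finding per actor who removed access from at least
    `min_targets` distinct other principals inside a sliding `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if (e["eventName"] in ADMIN_REMOVAL_ACTIONS
                and e["target"] and e["target"] != e["actor"]):
            by_actor[e["actor"]].append((parse_ts(e["eventTime"]), e["target"]))

    findings = []
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {t for ts, t in hits[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                findings.append({"actor": actor, "first_seen": start,
                                 "targets": sorted(targets)})
                break  # one finding per actor is enough to open a case
    return findings


def follow_on_creation(events, findings, lookahead=timedelta(hours=2)):
    """Map each purging actor to the resource-creation actions they performed
    in the `lookahead` after the purge began (the 'build infrastructure' step)."""
    result = {}
    for f in findings:
        end = f["first_seen"] + lookahead
        result[f["actor"]] = [
            e["eventName"] for e in events
            if e["actor"] == f["actor"]
            and e["eventName"] in RESOURCE_CREATION_ACTIONS
            and f["first_seen"] <= parse_ts(e["eventTime"]) <= end
        ]
    return result


if __name__ == "__main__":
    purges = detect_admin_purge(SAMPLE_EVENTS)
    for p in purges:
        print(f"{p['actor']} removed access for {p['targets']} starting {p['first_seen']}")
    print(follow_on_creation(SAMPLE_EVENTS, purges))
```

The two-stage design is deliberate: a single removal is routine administration, but several distinct principals losing access from one actor inside a few minutes, followed by that actor creating compute or credentials, is the pattern the brief describes and is worth an immediate page rather than a daily report.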

Data Exfiltration

Lapsus$ utilizes a variety of VPN services and dedicated infrastructure to mask their true location while performing data exfiltration. Additionally, in the case of compromised M365 environments, they have been known to tamper with inbox rules to exfiltrate email.
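Inbox-rule tampering in M365 is one of the more tractable things to hunt for, because every rule change is written to the audit log with its parameters. The script below is an added example, not GRIT's code: it reads simplified audit records (Operation, UserId, and a Parameters list of Name/Value pairs, modelled on how the inbox-rule cmdlets are recorded in the Microsoft 365 unified audit log) and reports rules that forward or redirect mail to an address outside the tenant's own domains, or that delete messages outright. The internal domain list and all sample records are constructed.

```python
"""Triage mailbox audit records for inbox rules that forward or delete mail.

Added example, not GRIT's code. Records use a simplified shape (Operation,
UserId, Parameters as Name/Value pairs) modelled on how inbox-rule cmdlets are
recorded in the Microsoft 365 unified audit log; the internal domain list and
all sample records are constructed.
"""
import re

INTERNAL_DOMAINS = {"example.com"}  # constructed: the tenant's own accepted domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Inbox-rule parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

SAMPLE_RECORDS = [  # constructed
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "Invoices"},
        {"Name": "ForwardTo", "Value": "finance@example.com"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "ForwardAsAttachmentTo", "Value": "[SMTP:collector@mail-drop.invalid]"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "Parameters": [
        {"Name": "Name", "Value": "Cleanup"},
        {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "MailboxLogin", "UserId": "bob@example.com", "Parameters": []},
]


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_addresses(value):
    """Addresses in a parameter value whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def triage_inbox_rules(records):
    """Return a finding for every rule that forwards mail outside the tenant
    or silently deletes it; benign internal forwards are not reported."""
    findings = []
    for r in records:
        if r["Operation"] not in RULE_OPERATIONS:
            continue
        p = _params(r)
        reasons = []
        for name in FORWARDING_PARAMS:
            if name in p:
                ext = external_addresses(p[name])
                if ext:
                    reasons.append(f"{name} -> external {', '.join(ext)}")
        if str(p.get("DeleteMessage", "")).lower() == "true":
            reasons.append("DeleteMessage enabled")
        if reasons:
            findings.append({"user": r["UserId"], "rule": p.get("Name", "(unnamed)"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_inbox_rules(SAMPLE_RECORDS):
        print(f["user"], repr(f["rule"]), "; ".join(f["reasons"]))
```

Note that the address check works on the raw parameter value rather than assuming a fixed format, since recipients can be recorded as bare addresses, display names with `[SMTP:...]` suffixes, or lists; anything not matching your accepted domains is treated as external.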

Detection Resources: 

The following resources are useful for proactively implementing detections in your environment focused on Lapsus$ tactics, techniques, and procedures:

Recommendations:

GRIT recommends taking the following actions to reduce risk and investigate for potential unauthorized activity related to LAPSUS$’s threat profile and recent activities:

  • Regularly perform threat hunting around remote access tools and logs to discover anomalies and attempted, or successful, unauthorized access.
  • Review cloud environments such as AWS, Azure, and M365 for anomalous activity and resource creation and/or deletion.
  • Review multi-factor authentication (MFA) implementations for organizations and ensure that critical remote access and systems with sensitive data are protected. 
  • Ensure adequate coverage by security tools including EDR, network monitoring, and cloud-focused toolsets.
  • Implement an incident response plan and regularly practice executing the plan via tabletop exercises.

Specifically, for risk mitigation due to Lapsus$ activity around Okta, GRIT recommends the following:

  • Rotate Okta privileged passwords.
  • Rotate service provider (SP) keys (application connections have keys on both sides).
  • Review Okta logs for suspicious or unauthorized activity related to elevated privilege accounts.
  • Review log settings for Okta activity and ensure that sufficient logging durations are enabled and stored in a log aggregation tool, if possible.
  • Perform a comprehensive Threat Discovery including all SaaS applications connected to Okta, specifically focusing on anomalous logins and behaviors.
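For the Okta log review recommended above, the events that matter most are the ones that grant or exercise elevated privilege or weaken a user's MFA. The following script is an added example, not GRIT's or Okta's code: it triages Okta System Log records (the eventType strings are Okta System Log event types, and the field paths actor.alternateId, client.ipAddress, outcome.result and target[].alternateId follow the System Log record layout), keeps the successful privilege-related events, and marks those that came from outside the network ranges admins are expected to use. The expected-network range and every event are constructed.

```python
"""Triage Okta System Log events for privilege-related activity worth review.

Added example, not GRIT's or Okta's code. The eventType strings are Okta
System Log event types and the field paths (actor.alternateId,
client.ipAddress, outcome.result, target[].alternateId) follow the System
Log record layout; the expected-network range and every event below are
constructed.
"""
import ipaddress
from collections import Counter

# Event types that grant or exercise elevated privilege, or weaken a user's MFA.
PRIVILEGE_EVENT_TYPES = {
    "user.account.privilege.grant": "admin role granted",
    "user.session.impersonation.initiate": "impersonation session started",
    "system.api_token.create": "API token created",
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.mfa.factor.reset_all": "all MFA factors reset",
}
# constructed: egress ranges that admin activity is expected to come from
EXPECTED_ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def _event(event_type, actor, ip, targets=(), result="SUCCESS"):
    """Build a constructed System Log style record."""
    return {"published": "2022-03-21T02:00:00.000Z", "eventType": event_type,
            "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
            "outcome": {"result": result},
            "target": [{"alternateId": t} for t in targets]}


SAMPLE_EVENTS = [  # constructed
    _event("user.session.start", "alice@example.com", "203.0.113.10"),
    _event("user.account.privilege.grant", "alice@example.com", "203.0.113.10",
           ["bob@example.com"]),
    _event("system.api_token.create", "bob@example.com", "198.51.100.77",
           ["ci-token"]),
    _event("user.mfa.factor.reset_all", "bob@example.com", "198.51.100.77",
           ["carol@example.com"]),
    _event("user.mfa.factor.deactivate", "bob@example.com", "198.51.100.77",
           ["dave@example.com"], result="FAILURE"),
    _event("user.session.end", "bob@example.com", "198.51.100.77"),
]


def off_network(ip):
    """True when the client IP is outside the ranges admins are expected to use."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in EXPECTED_ADMIN_NETWORKS)


def triage_privilege_events(events):
    """Return successful privilege-related events, annotated with whether they
    came from an unexpected network. Failed attempts are dropped here but are
    worth a separate count."""
    findings = []
    for e in events:
        label = PRIVILEGE_EVENT_TYPES.get(e["eventType"])
        if label is None or e["outcome"]["result"] != "SUCCESS":
            continue
        findings.append({
            "actor": e["actor"]["alternateId"],
            "what": label,
            "targets": [t["alternateId"] for t in e["target"]],
            "ip": e["client"]["ipAddress"],
            "off_network": off_network(e["client"]["ipAddress"]),
        })
    return findings


def actors_to_review(findings):
    """Actors ranked by count of privilege events from unexpected networks."""
    return Counter(f["actor"] for f in findings if f["off_network"])


if __name__ == "__main__":
    found = triage_privilege_events(SAMPLE_EVENTS)
    for f in found:
        flag = "OFF-NET" if f["off_network"] else "ok"
        print(f"[{flag}] {f['actor']} {f['what']} -> {f['targets']} from {f['ip']}")
    print(actors_to_review(found).most_common())
```

In practice the event list is the part to tune: an API token created by a freshly promoted admin from an unfamiliar network, as in the sample, is exactly the chain a reviewer should pull the full session history for, while the same events from the corporate range are usually routine change tickets.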