
Lapsus$ Data Kidnappers Claim Snatches From Microsoft, Okta

March 22, 2022 – Published on threatpost

Both Microsoft and Okta are investigating claims by the new, precocious data extortion group Lapsus$ that the gang has breached their systems.

Lapsus$ claimed to have gotten itself “superuser/admin” access to internal systems at authentication firm Okta. It also posted 40GB worth of files to its Telegram channel, including screenshots and source code, of what the group said is Microsoft’s internal projects and systems.

Lapsus$ Is a ‘Wild Card’

Drew Schmitt, Lapsus$ ransomware expert and principal threat intelligence analyst at cybersecurity firm GuidePoint Security, has interacted directly with the group through his years of ransomware negotiations and threat intelligence work.

He told Threatpost on Tuesday that the group is a “wild card” in that “they do not perform encryption of files or data for extortion purposes, rather they target and exfiltrate sensitive data and use that for the primary extortion effort.”

That sets Lapsus$ apart from the traditional ransomware approach used by groups such as Conti, LockBit and others, he said. Another deviation from traditional ransomware groups is their use of Telegram for communication and extortion purposes, versus a leak site hosted as a Tor service, he noted. Their initial access to targeted organizations is also unorthodox, he said, referring to the group’s March 11 recruiting message for rogue insiders.

Lapsus$ apparently operates on its own, without ties to other cybercriminal/ransomware syndicates or nation-state sponsorship, Schmitt said. That could change, though, as analysis continues, he said: “As this group has gained a lot of notoriety in the past few weeks, it is possible that we will learn new intelligence that indicates connections to other known groups and syndicates.”

Schmitt said that Lapsus$ is changing the ransomware game with its non-traditional approaches to initial access, its move away from file encryption, and its deviation from the traditional leak site infrastructure. These are changes that could be adopted by more traditional ransomware groups, he predicted.
