LAPSUS$ – New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung

For a detailed advisory, download the pdf file here

Lapsus$ (DEV-0537) is an extortion threat group that first appeared on December 10, 2021, and has since breached the Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Octa, and Microsoft. Unlike other extortionist groups, which utilize a combination of ransomware and data leaks to monetize their operations, LAPSUS$ is only focused on funding their operations through data leaks publicized on Telegram.

To gain initial access to an organization, Lapsus$ employs a range of tactics, the majority of which are centered on compromising user identities, such as using the malware Redline password stealer to gain access to credentials and session tokens or purchasing session tokens and credentials from criminal underground forums. The threat actor also contacts employees at targeted organizations (or suppliers/business partners) who are then compensated for accessing credentials and MFA clearance. To gain privileges on the target network, the threat actor tries to exploit unpatched vulnerabilities on internally accessible servers, including JIRA, Gitlab, and Confluence. After gaining privileged access to cloud instances of the organization, the threat actor creates a global admin account and sets an Office 365 tenant-level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, effectively locking the organization out of all cloud resources. Lapsus$ often deletes the target’s resources and systems after exfiltration.

Organizations can mitigate some of the risks by using the following recommendations: •A Multifactor Authenticator should be required for all users arriving from all places, including those that are believed to be trustworthy. To reduce the risks of SIM-jacking, avoid using telephony-based MFA approaches. •Improve and keep an eye on your cloud security posture. •Improve awareness of social engineering attacks. •

The MITRE TTPs commonly used by Lapsus$ are:

TA0001 – Initial Access       TA0003 – Persistence       TA0004 – Privilege Escalation       TA0005 – Defense Evasion       TA0006 – Credential Access      TA0007 – Discovery       TA0009 – Collection       TA0011 – Command and ControlTA0010 – ExfiltrationTA0034 – ImpactT1078 Valid AccountsT1133 External Remote ServicesT1190 Exploit Public-Facing ApplicationT1199 Trusted RelationshipT1547.006 Boot or Logon Autostart Execution: Kernel Modules and ExtensionsT1133 External Remote ServicesT1027.002 Obfuscated Files or Information: Software PackingT1056.004 Input Capture: Credential API HookingT1552 Unsecured CredentialsT1111 Two-Factor Authentication InterceptionT1497 Virtualization/Sandbox EvasionT1120 Peripheral Device DiscoveryT1082 System Information DiscoveryT1012 Query RegistryT1571 Non-Standard PortT1537 Transfer Data to Cloud AccountT1485 Data DestructionT1491 DefacementT1490 Inhibit System Recovery

Actor Details

Recent Breaches