A Closer Look at the Hacking Techniques Used by the Lapsus$ Data Extortion Group

Lapsus$ Overview   

Lapsus$ (DEV-0357 by Microsoft) is a data extortion group that has been active since mid-2021 and focuses on destructive attacks. The main targets of this group are government manufacturing, higher education, energy, and more. The group is associated with a series of attacks against large tech companies, including Microsoft, Nvidia, Samsung, and others. The group used Telegram as a platform for publishing their targets and successful attack results.

‍

Recent Cyber Attacks 

Lapsus$ has gained notoriety for a series of cyberattacks against large tech companies. 

• On 21 January 2022, Lapsus$ gained access to the servers of Okta through the compromised account of a third-party customer support engineer. Okta confirmed the breach based on the final forensic report.
• On 15 September 2022, Uber announced that it had been breached. The company shared that the attacker used the stolen credentials of an Uber EXT contractor in an MFA fatigue attack where the contractor was flooded with two-factor authentication (2FA) login requests until one of them was accepted.
• On 20 March 2022, Lapsus$ posted a screenshot of Microsoft Azure DevOps server to their Telegram channel. The following day, the group released a 37 GB zip file containing, among other things, "90% of the source code for the Bing search engine." Microsoft revealed that a single employee’s account was compromised by the hacking group, granting the attackers “limited access” to Microsoft’s systems and allowing the theft of the company’s source code.

‍

Techniques Used by Lapsus$  

Lapsus$ used several notable techniques to gain access to a system, elevate privileges and establish long-term access.  

• Exploitation for Privilege Escalation - To facilitate privileged access, the attackers exploited the tendency for employees to document internal procedures, share information on collaboration platforms, and use ticketing systems. In some cases, they impersonated employees, including the help desk, and conducted social engineering attacks. They scanned systems, searched information repositories, and exploited vulnerabilities to raise privileges.
• Data from Information Repositories - Lapsus$ leveraged information repositories to mine valuable information that aided the group in direct access to the target information. When using this technique, adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization, such as policies, system architecture diagrams, and source code snippets. 
• Trusted Relationship - Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. In the Lapsus$ attack, an account used by the other party was compromised and used. 
• Unsecured Credentials - Adversaries may directly collect unsecured credentials stored or passed through user applications such as email, Slack or Teams, Jira or Trello. Users may share credentials, API keys, or authentication tokens on private or public corporate internal communications channels. Rather than accessing the stored chat logs, adversaries can directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services.
• User Execution - An attacker sometimes chooses to rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of phishing.

‍

How to Secure Your SaaS

Reco detects diverse security risks that mirror the tactics of groups like Lapsus. By combining contextual analysis & user behavior analytics, posture management, and detection and response, organizations can prevent attacks such as Lapsus$ from being carried out.

‍

Application Configuration: Reco's continuous monitoring of application settings and configurations guard against misconfigurations that could lead to lateral movement of malicious actors. It issues alerts when configurations stray from recommended security standards, effectively shielding against Lapsus-like vulnerabilities.

• Lapsus$ Technique Prevented - Exploitation for Privilege Escalation

Access Control: Reco ensures stringent control over file sharing and permission settings. It prevents the excessive sharing of data and enforces the principle of least privilege, minimizing the risk of data exposure due to misconfigured permissions.

• Lapsus$ Technique Prevented - Data from Information Repositories 

Inactive Accounts: Reco empowers organizations to manage third-party applications and vendor access prudently. Dormant or inactive accounts that could potentially provide a gateway for unauthorized access are systematically tracked and controlled.

• Lapsus$ Technique Prevented - Trusted Relationship

Unauthorized Access: Reco identifies unauthorized access from external users, flagging suspicious activity even when naming conventions are not adhered to. This capability helps in recognizing and neutralizing Lapsus-style unauthorized access attempts.

• Lapsus$ Technique Prevented - Trusted Relationship

Detection & Response: Reco detects secrets and private keys in public slack channels and SaaS file sharing solutions. By providing visibility and remediation organization can clean the main file storing in the SaaS to make sure a compromised account won’t gain access to more systems of the org.

• Lapsus$ Technique Prevented - Unsecured Credentials

Anomaly Detection: Reco excels in detecting patterns of behavior that deviate from the norm, including unusual login activities or risky data access. By flagging such deviations, it empowers your security team to act promptly, thwarting potential insider threats. Reco detects anomalous behavior in the user, such as mass activities on data across all SaaS tools, thus preventing data breaches reminiscent of Lapsus' unauthorized access.

• Lapsus$ Technique Prevented - User Execution

‍

Resources

• https://attack.mitre.org/groups/G1004/ 
• https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/