Lapsus$ – All you need to know!
Sivan Tehila, co-authored by Jacob Leichter
Last week, the cybersecurity industry was shaken when Microsoft and Okta were breached by the Lapsus$ group. The following article will explore not only the details of these incidents but also offer a primer on Lapsus$, their history as a cybercrime group, and their methods of operation. It concludes with some best practice recommendations to protect against what seems to be a new, unorthodox strain of cyberattack.
What Happened?
On Monday, March 21, 2022, posts began appearing on the Telegram instant messaging app. They came from a relatively new cybercriminal syndicate known as Lapsus$. Despite their brief existence, Lapsus$ posted source code exfiltrated from Microsoft. The code belongs to three Microsoft properties: Bing, Bing Maps, and Microsoft’s virtual assistant, Cortana. Lapsus$ followed this bombshell haul with another post. In this message, the group revealed screenshots of one of their operatives controlling an administrative account on the network of identity security firm Okta.
The exact scope of what Lapsus$ accessed is still being investigated. Microsoft has confirmed that, though the group stole 37 gigabytes of source code, customer data was not compromised by the hackers. This is good news for Microsoft, especially in the wake of August 2021’s Azure and Power Apps data breach incidents. However, things are looking more concerning for Okta, a major player in the identity and access management market. On Tuesday, March 22, Okta announced that 366 of its roughly 15,000 clients worldwide, about 2.5%, might have been affected by the breach. The company also revealed that the screenshots shared by Lapsus$ came from a January 2022 incident that had gone undisclosed. This gross oversight, coupled with the potential theft of customer data, has resulted in a stock market slide that put the company at one of its lowest valuations since April 2020, further confirming a loss of shareholder confidence in Okta. As the investigations into the breach are only just beginning, the full extent of the incident remains to be seen.
Since the posting of the code and screenshots, several arrests have been made in connection with both the Lapsus$ group and the Microsoft/Okta breaches. On Wednesday, March 23, a teenager near Oxford, England, who goes by the handle “WhiteDoxbin” online, was identified as the mastermind behind the fledgling group. The following day, March 24, City of London police arrested and questioned seven teenagers and young adults, all between the ages of 16 and 21, as part of their inquiry into the Okta incident. No formal charges have been filed against any individuals at this time, pending further investigation.
Who is Lapsus$?
The Lapsus$ group has not been on the scene for long. Palo Alto’s Unit 42 reports that their handle was first discovered in mid-2021. The syndicate did not stage their first attack, however, until later that year, in August, when they sent extortionary text messages to mobile phone users in the United Kingdom. Following this, Lapsus$ went dormant until December 2021, when the group struck Brazil’s Health Ministry with an exfiltration and deletion scheme that saw the compromise of 50 terabytes worth of COVID-19 and vaccination data. This initial foray across the Atlantic kicked off a series of cyberattacks against South American targets, including telecommunication providers Claro and Embratel and car rental giant Localiza.
With the start of the new year, Lapsus$ returned to Europe with three incidents in Portugal in January and early February. While all of their prior endeavors did make headlines, it was in late February 2022 that Lapsus$ truly stepped into the limelight with a large-scale attack on Nvidia. In a reportedly week-long operation, the group acquired one terabyte of data from Nvidia’s systems. Lapsus$ released a sliver of that data, demanding that Nvidia either remove the light hash rate element from its graphics processing units or pay them USD$1 million for this demand to be overlooked. In early March 2022, Lapsus$ released the emails and hashed passwords for tens of thousands of Nvidia employees.
Also, in early March 2022, South Korean electronics giant Samsung reported a cyberattack in which data was exfiltrated. Samsung issued a statement reassuring the public that no personal data of its customers or employees was compromised by the threat actors. Lapsus$ claimed responsibility for the incident and released the 189 gigabytes of information it had, which Samsung later identified as source code for its iconic Galaxy line of smartphones. On March 10, 2022, Ubisoft experienced a brief disruption to some of its games and services, but nothing was reported stolen from their system; Lapsus$ seems to have been behind that as well. Fast forward to this past week, when Lapsus$ again targeted two more big fish: Microsoft and Okta. In the wake of these back-to-back breaches, the group announced on their Telegram channel that several of its high-profile members will be taking a brief vacation until the end of March.
How Does Lapsus$ Operate?
Given that Lapsus$ has been around for less than a year and seems to be spearheaded by teenagers, it raises the question: how have they managed to successfully infiltrate so many targets in quick succession, not least five major corporations?
A large part of the group’s strategy hinges on social engineering to gain access to legitimate user accounts at their target organizations. Lapsus$ leadership has posted on numerous social media platforms, offering hefty sums of money for employees at specific companies to perform “inside jobs” on the group’s behalf. In one example, a Reddit post promised USD$20,000 per week for any employee at major American telecommunications corporations, such as AT&T and Verizon, interested in completing tasks like SIM swapping. SIM swapping transfers a mobile number from one device to another. Lapsus$ has used this technique to intercept one-time password or multifactor authentication text messages.
Another social engineering method employed by Lapsus$ is a tried-and-true one: finding personal details about employees and using them in an impersonation scheme on a call with the help desk. Similarly, Lapsus$ operatives have compromised employees’ personal accounts and devices. Once these were breached, they used them to either discover their work credentials or to bypass multifactor authentication methods. If the work password was unknown, then the personal account could be used to enact a password reset.
Lapsus$ also seeks out access via other means. They have sought out sellers on online forums peddling stolen credentials and session tokens. Lapsus$ members have used password stealers, such as the RedLine family of tools, to find credentials and tokens. Once on the network, the threat actor begins a reconnaissance mission, looking for exploitable vulnerabilities and combing code repositories for credentials. Checking publicly available code is another method that Lapsus$ has used to gain its initial foothold in an organization’s network.
Finally, after hijacking a sufficiently privileged account, the malicious party uses it to access the sought-after data. Data is exfiltrated through this avenue using Virtual Private Server egress points. Alternatively, the threat actor may breach the cloud, create an account linked to that instance, and then alter the configurations to give only that account control over the cloud instance. Following the exfiltration, Lapsus$ operatives have commonly wiped all information from the company servers. A ransom may be set on the stolen data, while, other times, the data is simply shared to the Lapsus$ Telegram channel without any demand for payment.
Microsoft reports that Lapsus$ members have implanted themselves into the organization’s incident response teams following the exfiltration and deletion operation. The company believes that this is one method for the cybercrime group to observe the response strategy and create future game plans around these habits. Microsoft also suggests that Lapsus$ uses these insiders to determine the ransom value, which is based on how knowledgeable the victim is to the scope of the attack.
Suggestions to Protect Against These Types of Attacks
Lapsus$ uses an unorthodox malware-less ransomware scheme and features a heavy reliance on social engineering campaigns to execute their attacks. Because these do not always follow predictable playbooks, it can be confusing to navigate effective security strategies to protect against them. Here are four best practice recommendations to prepare your company for threats that may echo that of Lapsus$:
1. Hold Regular User Awareness Training
This suggestion may seem obvious, but user awareness training is pivotal in cybersecurity. The human element is simultaneously the first line of defense and the weakest link in the security chain. Regular training will keep security awareness fresh on the minds of employees, making it less likely for them to fall victim to cyberattack campaigns. Additionally, periodic notifications should be posted in work areas or sent out via email to remind staff of safe internet habits.
2. Invest in Logging and Monitoring Tools
Determining what data was accessed and how the hacker managed to reach it often takes time. This can slow down the incident response, delaying the restoration of business operations and the patching of vulnerable systems. Using effective logging and monitoring tools, such as SIEM and SOAR, increases an organization’s ability to catch malicious activity and to audit user account activity to follow an attacker’s process once inside the network.
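The account-takeover chain described above (a help-desk password reset or a newly added phone factor, followed shortly by a login that relies on an SMS code) is the kind of sequence such auditing should surface. The following detection rule is an added example written for this article, not a tool from Microsoft, Okta or the authors; the log format, event names and user accounts are constructed, and the 30-minute window is an assumed tuning value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of identity-provider audit events (hypothetical format).
SAMPLE_LOG = """\
2022-03-21T09:02:11Z alice password_reset_by_helpdesk ticket=HD-0001
2022-03-21T09:05:40Z alice mfa_method_added method=sms
2022-03-21T09:07:02Z alice login_success mfa=sms ip=203.0.113.10
2022-03-21T10:15:00Z bob login_success mfa=fido ip=198.51.100.7
2022-03-20T14:00:00Z carol mfa_method_added method=sms
2022-03-21T14:03:00Z carol login_success mfa=fido ip=198.51.100.9
"""

WINDOW = timedelta(minutes=30)          # assumed correlation window
PRECURSORS = {"password_reset_by_helpdesk", "mfa_method_added"}
PHONE_FACTORS = {"sms", "voice"}        # factors that SIM swapping defeats

@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    attrs: dict

def parse_log(text):
    """Parse 'timestamp user action key=value ...' lines, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, action, *rest = line.split()
        attrs = dict(kv.split("=", 1) for kv in rest if "=" in kv)
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(stamp, user, action, attrs))
    return sorted(events, key=lambda e: e.ts)

def find_suspicious_logins(events, window=WINDOW):
    """Flag a login that (a) follows a help-desk reset or a new MFA method
    for the same user within `window`, and (b) used a phone-based factor.
    Returns (user, login time, precursor actions, factor) tuples."""
    hits = []
    recent = {}  # user -> precursor events seen so far
    for e in events:
        if e.action in PRECURSORS:
            recent.setdefault(e.user, []).append(e)
        elif e.action == "login_success":
            prior = [p for p in recent.get(e.user, []) if e.ts - p.ts <= window]
            factor = e.attrs.get("mfa")
            if prior and factor in PHONE_FACTORS:
                hits.append((e.user, e.ts.isoformat(), [p.action for p in prior], factor))
    return hits
```

In the sample, only alice is flagged: carol's SMS factor was added a day before her login, and she authenticated with a FIDO token, so neither condition holds.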
3. Implement Strong Multifactor Authentication
Because Lapsus$ is so adept at leveraging legitimate employee credentials, it is critical to use MFA policies as an added layer of security beyond the basic username and password combination. All employees, regardless of their position within the organization, should be required to use MFA.
Microsoft recommends a departure from telephone-based authentication, given the Lapsus$ group’s use of SIM swapping. Instead, Microsoft suggests the use of FIDO (Fast IDentity Online) tokens or number matching confirmation using Microsoft Authenticator. These implementations are not susceptible to SIM-jacking, making them a more secure choice of authentication.
4. Use a Zero Trust Architectural Model
Lapsus$ seeks out ways to elevate their privileges to access more sensitive areas on the network. This is often accomplished by leveraging “superuser” or administrator accounts, which are given more access to data without the need for additional permissions. Instead, implement a Zero Trust model on the network. Zero Trust stands behind a dogma of “never trust, always verify” and requires all users, regardless of their position, to authenticate themselves. This helps to reduce the effects of common problems like privilege creep and prevents threat actors from discovering accounts that can give them access to highly desirable, highly sensitive data.
The full details of the Microsoft and Okta breaches may not be known just yet. The group behind the incidents, Lapsus$, is still shrouded in some mystery. What has been discovered about the attacks and the group responsible is useful information for understanding new developments in the cyberthreat arena. However, the most important takeaway from these latest episodes featuring Lapsus$ is the need to invest in stronger security implementations, especially when less traditional methods are being used. Given the strategies used by Lapsus$ in these and past attacks, the best defensive practices are using strong multifactor authentication, deploying a Zero Trust model, investing in logging and monitoring tools, and holding regular user awareness training. Implementing these methods can help minimize the scope within which threat actors can operate and limit what data can be accessed and exfiltrated.