Who is Lapsus$?
Lapsus$, also tracked by Microsoft’s Threat Intelligence Center (MSTIC) as DEV-0537, is a relatively new English/Portuguese online extortion group that gained notoriety after attacking Brazil’s Ministry of Health on December 10, 2021. The group is believed to operate out of South America, likely Brazil, and targets large organizations. The group aims to ransom organizations if its demands aren’t met. Lapsus$ does not appear to encrypt data, only to exfiltrate it from the organizations. The group shares its exploits on Telegram instead of the more popular dark web forums that many threat groups use. Lapsus$ is a highly sophisticated threat group, but claims no affiliation to any state or political agenda. Lapsus$’s breaches include the following organizations:
- Brazilian Ministry of Health (50 TB)
- Vodafone Portugal
- Nvidia (1 TB)
- Samsung (200 GB)
- Ubisoft
- Microsoft (37 GB)
- Okta
- LG Electronics
Lapsus$’s Cybercrime Tactics
Lapsus$ is known for a purely destructive model. The group does not deploy ransomware payloads. It is also notorious for account takeovers at cryptocurrency exchanges to drain the accounts of all holdings. The following are tactics that Lapsus$ has employed:
- SIM-swapping to facilitate account takeover
- Phone-based social engineering
- Buying stolen credentials from underground forums and searching dumps for credentials that can be exploited to gain access to accounts
- Accessing personal email accounts of employees at target organizations
- Paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval
- Exploiting public-facing Remote Desktop Protocol (RDP)
- Deploying phishing emails to gain access to accounts and networks
What Happened in the Microsoft Breach?
Lapsus$’s leaks include source code from a Microsoft Azure DevOps account. The source code was for Bing, Bing Maps, and Cortana.
What Are the Indicators of Compromise (IOCs)?
Lapsus$’s IOCs include the Redline password stealer, logins to public systems from locations other than those expected for the account, and continuous MFA alerts via session replay attacks to tire the user into allowing the login. Lapsus$ will then use AD Explorer, a Microsoft tool, to find accounts with higher privileges and target collaboration platforms.
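As an added example (not from Microsoft's blog or any vendor tooling), the sketch below shows one way to hunt for two of the IOCs above in MFA logs: an approval that follows a burst of denied or ignored prompts, and an approval from a location outside the account's usual ones. The event fields, thresholds, baseline and sample records are all constructed assumptions, not a real identity provider's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back before an approval
MIN_REJECTED = 3                 # assumed count of denied/ignored prompts

# Constructed events: (timestamp, user, push result, source country)
SAMPLE_EVENTS = [
    ("2022-03-20T02:01:00", "alice", "denied", "BR"),
    ("2022-03-20T02:02:10", "alice", "timeout", "BR"),
    ("2022-03-20T02:03:30", "alice", "denied", "BR"),
    ("2022-03-20T02:04:45", "alice", "approved", "BR"),
    ("2022-03-20T09:00:00", "bob", "approved", "US"),
    ("2022-03-20T09:30:00", "carol", "denied", "US"),
    ("2022-03-20T13:00:00", "carol", "approved", "US"),
    ("2022-03-20T14:00:00", "dave", "approved", "PT"),
]
# Constructed baseline of countries each user normally signs in from
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US"}}

def detect(events, usual=USUAL_COUNTRIES, window=WINDOW, min_rejected=MIN_REJECTED):
    """Return alerts for approvals that follow a prompt burst or come from an unusual country."""
    rejected = defaultdict(list)   # user -> timestamps of denied/timed-out prompts
    alerts = []
    for ts, user, result, country in sorted(events):   # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if result in ("denied", "timeout"):
            rejected[user].append(when)
            continue
        if result != "approved":
            continue
        recent = [t for t in rejected[user] if when - window <= t <= when]
        reasons = []
        if len(recent) >= min_rejected:
            reasons.append("mfa_prompt_burst")
        if country not in usual.get(user, set()):
            reasons.append("unusual_location")
        if reasons:
            alerts.append({"user": user, "time": ts,
                           "rejected_before": len(recent), "reasons": reasons})
        rejected[user].clear()     # an approval ends the current prompt sequence
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Tune the window and threshold against your own prompt volume; a user with no baseline entry is always flagged as an unusual location.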
Remediation Tactics
Microsoft’s security teams have published a blog post detailing Lapsus$’s threat and remediation/prevention techniques. The following preventative measures should be used to protect your organization from Lapsus$:
- Strengthen MFA implementation
- Require healthy and trusted endpoints
- Leverage modern authentication options for VPNs
- Strengthen and monitor your cloud security posture
- Improve awareness of social engineering attacks
- Establish operational security processes in response to DEV-0537 intrusions