An in-depth analysis of the activities and capabilities of the Lapsus$ hacking and extortion group found that its members mainly used well-known tactics and techniques in its operations and took advantage of known weaknesses in enterprise networks and the procedures of technology providers in order to gain access to targets and steal sensitive data.
Over the course of about two years, Lapsus$ members infiltrated a number of high-profile targets, including Microsoft, Nvidia, and Okta, often using some combination of social engineering, phishing, credential theft, SIM swapping, and MFA-evasion techniques. In a small number of incidents the actors exploited known vulnerabilities, but most of the time, Lapsus$ members favored simple, easy-to-execute attacks to gain access to their targets. A report released Thursday by the Cyber Safety Review Board shows that Lapsus$ actors relied on old fashioned research, reconnaissance, and simple yet effective tactics to exploit procedural and behavioral weaknesses rather than technical ones.
“The threat actors described in this report leveraged a wide diversity of tactics, techniques, and procedures (TTPs), described by researchers as often mixing both non-complex methods and tools with advanced technical knowledge. The threat actors initiated some attacks by employing common phishing methods or leveraging stolen credentials, which they purchased from initial access brokers (IABs).39 Other attacks demonstrated a deeper familiarity with a target’s business and engineering workflows,” the CSRB report says.
“Generally, the threat actors did not deploy custom tools, preferring well-known tools built by others or “living off the land”. The speed of the attacks and the use of different tools and techniques were notable and, in some cases, appeared automated.”
The CSRB was established by the Biden administration in 2022 to conduct in-depth reviews of significant cyber attacks or incidents. The first incident the board looked into was the Log4j vulnerability, which had a widespread effect on organizations across numerous industries. The Lapsus$ operations is the board’s second investigation. The board comprises government and private-sector experts, including Robert Silvers, the undersecretary of the Department of Homeland Security, Heather Adkins, vice president of security engineering at Google, Katie Moussouris, founder and CEO of Luta Security, and Kemba Walden, the acting national cyber director.
One of the key techniques the Lapsus$ actors employed was a combination of reconnaissance, social engineering, and spear phishing to gather information about employees in a target organization and then craft credible phishing emails that point victims to a site that would steal their corporate credentials. In some cases, the actors also used SIM swaps to take over victims’ mobile accounts, or send repeated MFA prompts to the victims until they approve one. All of these are known techniques used by cybercriminals and even some APT groups, and the CSRB members said that enterprises and government agencies need to renew their focus on the security basics while also moving toward more modern architectures and defensive methods.
“The Board found that organizations with mature, defense-in-depth controls were most resilient to these threat actor groups.”
“We need better technologies that move us towards a passwordless world, negating the effects of credential theft. We need telecommunications providers to design and implement processes and systems that keep attackers from hijacking mobile phone service. We need to double down on zero trust architectures that assume breach. We need organizations to design their security programs to cover not only their own information technology environments, but also those of their vendors that host critical data or maintain direct network access.” the report says.
Fortunately, the CSRB found that organizations that have mature security programs and well-designed incident response procedures fared pretty well against Lapsus$ and other similar groups.
“Lapsus$ was not successful in all its attempted attacks. The Board found that organizations with mature, defense-in-depth controls were most resilient to these threat actor groups. Organizations that used application or token-based MFA methods or employed robust network intrusion detection systems, including rapid detection of suspicious account activity, were especially resilient. Organizations that maintained and followed their established incident response procedures significantly mitigated impacts. Highly effective organizations employed mechanisms such as out-of-band communications that allowed incident response professionals to coordinate response efforts without being monitored by the threat actors,” the report says.
The CSRB also recommended that organizations report cyber incidents to law enforcement as soon as possible and continue to share relevant information with CISA and other agencies during an investigation. This helps not only the specific victim organization, but also other potential victims.
“An organization’s decision not to report limits the U.S. government’s ability to take disruptive action, such as the recovery of ransom payments or the decryption of data, either alone or in partnership with foreign and private sector partners,” the report says.
Several alleged members of the Lapsus$ group were arrested in England and Brazil in 2022 and the group has not really been active since.