A relatively new cybercriminal group has quickly gained an infamous reputation for its unique tactics and successful attacks against several major organizations. Known as Lapsus$, the gang uses social engineering to target its victims and has reportedly hit such companies as Samsung, Okta, NVIDIA and Microsoft. In a blog post published Tuesday, Microsoft provides insight into the group’s tactics and techniques and offers tips on how to protect your organization from these attacks.
SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)
Lapsus$, also dubbed DEV-0537 by Microsoft, uses an extortion and destruction model of attack without relying on the typical ransomware payloads. To take advantage of potential victims, the group employs several types of social engineering schemes.
Tactics of Lapsus$
As one tactic, Lapsus$ uses phone-based social engineering via SIM-swapping to compromise a victim’s phone. With SIM-swapping, a criminal convinces or even pays off an employee at a mobile carrier to change the victim’s phone number to a SIM card owned by the attacker. Any multi-factor authentication requests are then directed to the criminal’s phone via a call or text, allowing them to take over the victim’s account.
As another tactic, Lapsus$ will compromise someone’s personal or private accounts as a way to gain access to their work-related accounts. An employee will often use their personal accounts or phone number as a method for password recovery or for MFA, opening the door for a criminal to reset a password or take over an account.
In some cases, members of the gang will call an organization’s help desk and try to persuade the support representative to reset the credentials for a privileged account. To appear more convincing, the group uses any information previously gathered about the account and has an English-speaking person talk to the help desk rep.
In yet another tactic, Lapsus$ seeks out employees and business partners willing to provide access to account credentials and MFA details for payment. Microsoft’s blog includes an example of a Lapsus$ advertisement looking for employees at call centers, mobile carriers and large corporations willing to share VPN or Citrix access to a network for money.
Beyond these social engineering tricks, Lapsus$ carries out more traditional methods of gaining access to accounts, networks and other sensitive assets. The group will purchase credentials and tokens from forums on the Dark Web, scan public code repositories for exposed credentials, and use a password stealer known as Redline to capture passwords and tokens.
Further, Lapsus$ will attempt to exploit security flaws in web-based tools such as Confluence, JIRA and GitLab, according to Microsoft. By compromising the servers hosting these tools, the group tries to obtain the credentials of a privileged account and then uses a built-in Microsoft command known as ntdsutil to extract the Active Directory database of a targeted network.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
In the same vein, Lapsus$ uses an Active Directory tool called AD Explorer to collect the names of all the users and groups in a network domain. Determining which accounts have higher privileges, the group then searches platforms such as SharePoint, Confluence, JIRA, GitLab and GitHub to find even more high-privilege account credentials through which it can access additional sensitive data.
Emerging in December 2021, Lapsus$ initially targeted telecommunication, higher education and government organizations in South America, Microsoft said. These early attacks often compromised cryptocurrency accounts to steal their digital wallets. Since then, the group has expanded its reach around the world, hitting organizations in manufacturing, retail, healthcare and other sectors.
One of the gang’s more public victims has been Microsoft itself. The company said it found a single account that had been compromised by Lapsus$, giving the group limited access. Though Lapsus$ claimed that it exfiltrated portions of source code, Microsoft said it found no code or data exposed in the compromise.
How to avoid being a victim of Lapsus$
To help organizations protect themselves against attacks Lapsus$, Microsoft offers the following advice:
- Require MFA. Though the SIM-swapping tactic used Lapsus$ is designed to thwart MFA, this type of authentication is still a must. MFA should be required for all users from all locations, including those from trusted locations and on-premises systems.
- Avoid telephone-based and SMS-based MFA. In light of the methods employed by Lapsus$, don’t rely on MFA that uses a phone call or SMS message to authenticate a user. Instead, turn to more secure methods such as FIDO Tokens or Microsoft Authenticator with number matching.
- Use Azure AD password protection. This type of protection ensures that users aren’t relying on simple or easy-to-guess passwords. For more details, check out Microsoft’s blog post on about password spray attacks.
- Take advantage of other password authentication tools. Such methods as Windows Hello for Business, Microsoft Authenticator and FIDO tokens can reduce some of the risks with passwords.
- Review your VPN authentication. To handle risk-based sign-in detection, your VPN authentication should take advantage of such options as OAuth or SAML connected to Azure AD. This type of VPN authentication has proven effective against attacks by Lapsus$, according to Microsoft.
- Monitor and review your cloud security. This means reviewing your Conditional Access user and session risk configurations, implementing alerts on any high-risk modifications on a tenant configuration, and looking at risk detections in Azure AD Identity Protection.
- Educate all employees about social engineering attacks. Educate your IT and help desk staff to watch out for suspicious users and unusual communications with colleagues. Review help desk policies on password resets, especially those for highly privileged users. Further, encourage users to report any suspicious or unusual communications from the help desk.
- Set up security processes in response to possible Lapsus$ intrusions. Lapsus$ monitors incident response communications as one of its tactics. As a result, you should monitor these types of communication channels for any unauthorized attendees or access.