The hacking group LAPSUS$ has targeted several high-profile victims around the globe. The group claimed their responsibility for stealing data from the targeted victims, such as Microsoft, NVIDIA, Samsung, Okta, etc., posting screenshots and source code in their Telegram channel. Microsoft tracks the LAPSUS$ threat group as DEV-0537. The group is known for using a pure extortion and destruction model without deploying ransomware payloads.
Who is the LAPSUS$ Group?
LAPSUS$ group is a financially motivated mysterious hacking group that first appeared in December 2021. They initially targeted organizations in the UK and South America and confirmed attacks against organizations in the government, technology, telecom, media, retail, and healthcare sectors. The group also takes over individual user accounts to drain holdings at cryptocurrency exchanges.
How Did the LAPSUS$ Group Breach Data?
The actors behind LAPSUS$ focused their social engineering efforts to gather knowledge about their target’s business operations. The group employed different tactics: phone-based social engineering, SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials, and multifactor authentication (MFA) approval and so on and so forth.
Microsoft’s analysis revealed that the group used a diverse set of tactics, techniques, and procedures (TTPs) typically focused on compromising user identities to gain initial access to an organization, including:
- Deploying the malicious Redline password stealer to obtain passwords and session tokens
- Purchasing credentials and session tokens on underground criminal forums
- Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
- Searching public code repositories for exposed credentials
The group accessed internet-facing systems and applications using the compromised credentials or session tokens. These systems most commonly include virtual private network (VPN), remote desktop protocol (RDP), Virtual Desktop Infrastructure (VDI) including Citrix, or Identity providers (including Azure Active Directory, Okta).
The group also used AD Explorer, a publicly available tool, to enumerate all domain users and groups and discovered further high-privilege account credentials to access other sensitive information. The group used DCSync attacks and Mimikatz to perform privilege escalation routines. Once obtaining domain administrator access, the group used the built-in
ntdsutil.exe utility to extract the AD database.
Best Practices to Avoid A Breach by LAPSUS$
Organizations should protect their critical services and defend against identity-based attacks, privilege escalations, and lateral movements through on-premises networks and in the cloud. Additionally, following these best practices can maximize the organization’s resilience to a destructive cyber incident.
How Does Identity Threat Detection Help?
The SingularityTM Identity solution can detect and alert user account enumerations against Active Directory. When attackers query AD to access critical assets in the network, the Singularity Identity endpoint solution prevents them from accessing information from Active Directory by efficiently detecting attack activity targeting it while concealing the production objects and returning fake data in their place. The solution protects domain controllers against attacks originating from any source non-Windows, Internet of Things (IoT) devices. Additionally, the Ranger® Identity Assessor for AD solution offers Active Directory assessment and provides visibility at domain, computer, and user-level exposures.
The Holgram solution deploys deceptive domain accounts and credentials that can lead attackers to decoys. The solution can detect DCSync attacks and uses credential protection functions to block credential dumping tools like Mimikatz.
In addition, the Hologram solution’s cloaking function prevents attackers from accessing critical data or exploiting local files, accounts, and storage locations. The solution hides and denies unauthorized access to local files, folders, removable storage, network or cloud shares, local administrator accounts, and application credentials.
Organizations should take the LAPSUS$ group claims seriously and maintain cyber hygiene regarding securing source code repository; enabling required access rights can avoid being vulnerable to data breaches. Organizations can also deploy Active Directory Protection solutions that provide unprecedented visibility and detect attackers attempting to enumerate AD to perform a DCSync attack.