LAPSUS$ breach: Guidance and recommendations

A ransom-seeking group made headlines this week after the news broke that authentication provider Okta had been compromised. A number of breaches have been attributed to this group dubbed ‘LAPSUS$’. The group utilise an extortion and destruction model without deploying ransomware payloads and have been targeting organisations in the United Kingdom and South America, including government, technology, telecom, media, retail, and healthcare sectors.

Reports have since emerged that the British Police arrested several members of the group. Seven people between the ages of 16 and 21 have been arrested so far.

While this group displays amateur working methods, thus far, Microsoft, NVIDIA, Samsung, Vodafone, Ubisoft and, most recently, Okta, have all confirmed breaches linked to the threat group. Unlike other groups, LAPSUS$ are extremely public and do not seem to take precautions to cover their tracks, announcing their attacks on social media, often revealing information on how the group operate.

The group utilise the following tactics:

• Phone-based social engineering
• SIM-swapping to facilitate account takeover
• Accessing personal email accounts of employees at target organisations
• Paying employees, suppliers, or business partners of target organisations for access to credentials and multifactor authentication (MFA) approval
• Intruding the ongoing crisis-communication calls of their targets
• LAPSUS$ also spend time to uncover intimate information about employees, team structures, help desks, crisis response workflows, and supply chain relationships to utilise towards their social engineering tactics, which includes the spamming of a target user with multifactor authentication (MFA) prompts and calling the organisation’s help desk to reset a target’s credentials.

The overall objective of LAPSUS$ is to gain elevated access via stolen credentials that enable data theft and destructive attacks, often resulting in extortion. While the group displays a low level of sophistication, their success rate displays the power of reconnaissance, social engineering and the successful employment of an insider.

Our Threat Intelligence team have observed a notable uptick in groups now recruiting employees to disseminate attacks, including the ransom-your-employer tactic, which has been adopted by Lockbit2.0.

This group’s intense use of social engineering tactics makes user awareness a priority in defence. Our recommendation is to educate your technical team to be observant of any unusual contacts with colleagues and IT help desks should be hypervigilant regarding suspicious users and ensure that they are tracked and reported immediately.

We also recommend reviewing help desk policies for password resets for highly privileged users and executives to take social engineering into consideration.

Teach employees about help desk verification practices, encouraging users to report suspicious or unusual contact from the help desk

Additionally, a robust MFA implementation is crucial towards defending against The LAPSUS$ group. Weak MFA, such as text messaged based MFA is not effective due to their use of SIM swapping. MFA should be implemented for all users coming from all locations including perceived trusted environments, and all internet-facing infrastructure–even those coming from on-premises systems.

For more information on emerging threats and cyber-criminal activity, subscribe to our Threat Set Radio Podcast for weekly updates and insights.