Cybercrime group LAPSUS$ has made headlines as of late due to their prolific and high-profile cyber attacks on big-name tech companies like Nvidia, Microsoft, T-Mobile, Samsung, and more. Like other cybercrime groups, their goal is to make off with sensitive data and extort their victims by threatening to leak what they have stolen. However, what separates them from other ransomware groups is their method of operation, which does away with custom malware or other novel approaches. Instead, they primarily use simple, creative, and highly effective social engineering techniques to accomplish their objectives.
For example, they have been quite adept at targeting users on the periphery of an organisation to gain an initial foothold in their targets’ private networks. Furthermore, they employ privilege escalation techniques and go beyond email to exploit other communication channels such as Slack (where carrying out social engineering on employees is much easier) to find sensitive data and escalate their attack.
In the case of Nvidia, LAPSUS$ broke into their internal network and exfiltrated volumes of their proprietary data that included trade secrets, hashed login credentials, and information about the chips they are developing. Moreover, they claim to have gained access to thousands of credentials of Nvidia employees. According to Specops, the approximate number of passwords compromised was 30,000.
All in all, the frequency of recent LAPSUS$ attacks signals the rise of cyber extortion, wherein cybercriminals are no longer satisfied with conventional ransomware attacks but are instead interested in stealing valuable intellectual property and threatening to leak it if a ransom is not paid.
Below, we share five of LAPSUS$’s tactics businesses should learn from to better protect themselves.
LAPSUS$ actively recruits insider help, including contractors and employees, to provide MFA codes and other credentials as well as to install tools like AnyDesk and similar remote management software. Their efforts have been confirmed to be successful, according to Microsoft.
Insider recruitment is a growing threat, with many other cybercriminal groups following suit. Ransomware gangs like DemonWare and LockBit 2.0 are two examples of groups adopting this strategy.
Although malicious insiders pose a grave security threat, companies can take steps to reduce their risk, starting with tighter employee access controls and monitoring. Companies have the means to detect abnormal network activity like unusually large downloads or file transfers, and to monitor for red flags across all of their communication channels.
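One way to turn the "large downloads or file transfers" red flag above into a concrete check, as an added example that is not from the original post: compare each user's daily outbound volume against their own recent baseline. The log format, user names, and byte counts are constructed for the example.

```python
# Added example: flag users whose outbound transfer volume on a given day
# far exceeds their own median over earlier days.
# Constructed, simplified proxy log line format:
#   "<date> <user> <bytes_out> <destination>"
from collections import defaultdict
from statistics import median

SAMPLE_LOGS = """\
2022-03-01 alice 120000 sharepoint.example
2022-03-02 alice 95000 sharepoint.example
2022-03-03 alice 110000 sharepoint.example
2022-03-04 alice 9800000 files.example-cloud
2022-03-01 bob 500000 git.example
2022-03-02 bob 480000 git.example
2022-03-03 bob 520000 git.example
2022-03-04 bob 510000 git.example
"""

def daily_totals(log_text):
    """Sum bytes_out per (user, date)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, user, nbytes, _dest = line.split()
        totals[(user, date)] += int(nbytes)
    return totals

def flag_exfil(log_text, review_date, factor=10, min_bytes=1_000_000):
    """Return {user: (bytes_today, baseline)} for users whose total on
    review_date exceeds factor x their median of earlier days. min_bytes
    avoids flagging accounts whose baseline is near zero."""
    totals = daily_totals(log_text)
    flagged = {}
    for user in {u for (u, _d) in totals}:
        history = [b for (u, d), b in totals.items() if u == user and d < review_date]
        today = totals.get((user, review_date), 0)
        if not history:
            continue  # no baseline yet; handle new accounts separately
        baseline = median(history)
        if today >= min_bytes and today > factor * baseline:
            flagged[user] = (today, baseline)
    return flagged

if __name__ == "__main__":
    for user, (today, base) in flag_exfil(SAMPLE_LOGS, "2022-03-04").items():
        print(f"{user}: {today} bytes vs baseline {base:.0f}")
```

A per-user baseline matters here: bob's steady half-megabyte a day is normal for him, while the same absolute volume would be anomalous for alice.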
As attackers continue to seek paths of least resistance that bypass tough corporate security, supply chain attacks become more frequent. When companies reassess their relationships with third-party partners, it is vital to focus on the human risk factor and not just on the systems and technologies involved.
LAPSUS$ specifically targeted the low-level employees of business partners connected to large organisations. They particularly target help desks and customer support call centres in preparation for launching their social engineering attacks. Although these vendors do not rank high in the target company’s security threat programme, compromising them is clearly enough to gain the foothold the attackers need. This is what occurred in the Okta breach, wherein LAPSUS$ infiltrated Okta's systems using a compromised employee account from a customer service provider.
Credential theft is a long-running issue that has largely been centred around emails and remote desktop protocol (RDP), but LAPSUS$ has demonstrated how attacks can take a more roundabout route by starting from personal emails and messaging channels and working inward from there.
For instance, upon accessing an organisation's Slack channel, hackers can sift through old information and files shared between members and be in an ideal position to launch social engineering attacks, specifically conversation hijacking methods.
After establishing their foothold inside a network, LAPSUS$ will then seek to escalate their privileges within it via two main tactics. The first entails scanning for unpatched vulnerabilities within internal systems and looking for any company secrets found in employee-accessible resources like their messaging systems and internal code repositories. The second involves social engineering by persuading parties such as internal support to reset the password of an account with higher privileges.
LAPSUS$ and other similar groups exploit session cookies to access messaging clients, email, and other accounts without using passwords. Termed pass-the-cookie attacks, these pose a problem for companies because they nullify the most basic protection for remote workers and user accounts: multi-factor authentication. A session cookie is issued only after the user has already passed MFA, so whoever replays it inherits that authenticated session. In dark web marketplaces, stolen session cookies are relatively easy to find and are often inexpensive. Stolen cookies were behind the 2021 attack on Electronic Arts, in which hackers broke into the company’s Slack channel and used social-engineering attacks that led to a successful data breach.
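A server-side mitigation for the pass-the-cookie problem described above, as an added example that is not from the original post: bind each post-MFA session to the client context it was issued for, and force a fresh MFA step-up when the same cookie appears from a different context. The client-context fingerprint (IP plus User-Agent), the lifetime, and the `SessionStore` class are assumptions of this example.

```python
# Added example: session binding that detects cookie replay from a new client.
# Assumption: context = (client IP, User-Agent). Real deployments may use
# device attestation or token binding instead of these spoofable signals.
import hashlib
import secrets
import time

SESSION_MAX_AGE = 8 * 3600  # absolute session lifetime in seconds (assumed)

def _fingerprint(ip, user_agent):
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def issue(self, user, ip, user_agent, now=None):
        """Create a session; call only after password + MFA succeeded."""
        token = secrets.token_urlsafe(32)  # the value that goes in the cookie
        self._sessions[token] = {
            "user": user,
            "fp": _fingerprint(ip, user_agent),
            "issued": time.time() if now is None else now,
        }
        return token

    def check(self, token, ip, user_agent, now=None):
        """Return 'ok', 'step_up_required', or 'invalid' for a request."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return "invalid"
        if now - sess["issued"] > SESSION_MAX_AGE:
            del self._sessions[token]  # absolute expiry limits a stolen cookie's value
            return "invalid"
        if sess["fp"] != _fingerprint(ip, user_agent):
            # Same cookie, different client: the pass-the-cookie signature.
            # Drop the session so the replayed cookie cannot be retried and
            # make the legitimate user re-authenticate with MFA.
            del self._sessions[token]
            return "step_up_required"
        return "ok"
```

Binding to the IP will also trigger step-ups for legitimate users who roam between networks; that is acceptable because the outcome is an MFA prompt, not a lockout, and it is exactly the prompt a replayed cookie cannot satisfy.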
Cybercrime groups like LAPSUS$ continue to exploit blind spots in the cybersecurity defences of renowned giants in the tech industry. To better prevent these kinds of attacks, organisations should look to implement a zero-trust policy and security programme, along with stronger access controls for all staff, to minimise the damage from an account takeover attack or insider recruitment. Lastly, employees should receive periodic security awareness training to inform them of today's emerging social engineering tactics.
With cyberattacks becoming more sophisticated by the day, there is no better time than now to improve your security posture and fortify it against a new wave of threats inspired by the LAPSUS$ group. At GROUP8, our pen tests in Singapore can help identify your organisation’s blind spots so they can be patched before others exploit them. Driven by the need for top-notch security and offensive approaches to solutions, we also offer an entire ecosystem of robust cybersecurity solutions that improve your overall cybersecurity posture. For more information, do not hesitate to contact us at hello@group8.co today.