
Move aside, Conti, Lapsus$ coming through!

By Ryan Slaney, Staff, Threat Researcher
03/24/2022

The new cybercrime group is claiming some big victims. Is it a sophisticated threat actor…or just script kiddies?

Executive Summary

  • In the hours after news broke that Lapsus$ claimed to have breached Okta, an enterprise identity and access management firm, SecurityScorecard’s Threat Research and Intelligence team conducted a rapid investigation into Lapsus$ to provide customers and partners with the very latest actionable security intelligence and insights on this emerging cybercrime group.

  • Lapsus$’s targets have quickly evolved from Brazilian and Portuguese organizations to high-profile U.S. technology companies with global footprints and large customer bases.

  • SSC believes Lapsus$ is gaining initial access to its victims through social engineering, stolen cookies, phishing, and the potential recruitment of employees/insiders of victim organizations. These attack vectors do not require a high level of technical skill to deploy.

  • Lapsus$ directly engages with its Telegram followers to poll which of its victims’ data it should leak next, to provide updates, and to answer questions about its activities.

  • To date, SSC has not found any evidence of Lapsus$ deploying ransomware or malware to the networks of its victims. Rather, Lapsus$ steals data and holds it hostage. Lapsus$ has also defaced websites and conducted DNS spoofing.

  • Microsoft and NVIDIA code signing certificates leaked by Lapsus$ have been successfully used to sign various malware and hacking tools, such as Cobalt Strike, Mimikatz, Quasar RAT, and other backdoors and Windows drivers.

Background

Lapsus$ is an emerging cybercrime group that communicates in English and Portuguese. The group’s Telegram channel started on December 10, 2021; however, references to the group on online cybercrime forums were observed as early as June 2021, when an actor identifying him/herself as Lapsus$ claimed to have obtained 780 GB of Electronic Arts (EA) data, including FIFA 2021 source code as well as other proprietary EA games and software development kits (SDKs). EA confirmed the unnamed hacker group stole the source code for FIFA 21 and related tools, as well as the source code for the Frostbite engine that powers games like Battlefield and other internal game development tools.

Victims

Most Lapsus$ victims have been located in Brazil, the United States, and Portugal. Since its “official” inception in December 2021, Lapsus$ has claimed the following organizations as victims:

  • Ministerio da Saude (Brazilian Ministry of Health)

  • Escola Virtual Gov (Brazilian Government Virtual School)

  • Agência Nacional de Transportes Terrestres (Brazilian National Land Transport Agency)

  • Vlibras (Brazilian Government Translation Services)

  • Correios

  • Claro

  • SIC

  • Expresso

  • Localiza

  • Vodafone

  • NVIDIA

  • Samsung

  • Microsoft

  • Okta

On March 1, NVIDIA officials indicated that they were aware that a threat actor had stolen employee credentials and NVIDIA proprietary information before leaking it online. NVIDIA indicated it did not anticipate any disruption to its business or its ability to serve its customers as a result of the incident. However, the leaked NVIDIA data included two code-signing certificates used by NVIDIA developers to sign their drivers and executables. Although they were expired, Windows still allows them to be used for driver signing purposes, in turn allowing a threat actor to make their malware look like legitimate NVIDIA programs. SecurityScorecard’s analysis of samples uploaded to VirusTotal has revealed that the stolen certificates have been used to sign various malware and hacking tools, such as Cobalt Strike, Mimikatz, Quasar RAT, and other backdoors and Windows drivers. At posting, SecurityScorecard cannot determine with confidence whether these files were intentionally uploaded by security researchers or were related to legitimate threat activity.

Image 1: VirusTotal Signature Information for NVIDIA Signed Sample

On March 20, Lapsus$ posted a screenshot to its Telegram channel indicating that it hacked Microsoft’s Azure DevOps server containing source code for Bing, Cortana, and various other internal projects.

Image 2: Lapsus$ Screenshot of Azure DevOps Server

The following day, Lapsus$ posted a 9GB 7zip archive containing the source code of more than 250 projects that it said belonged to Microsoft.

Image 3: Lapsus$ Telegram Channel Announcing Leak of Microsoft Source Code

Microsoft has not released an official statement on the apparent leak; however, it has stated to several media outlets that it is aware of the claims and is investigating. On March 22, 2022, security researcher Soufiane Tahari posted on his Twitter account evidence of successfully signing an assembly file using a Microsoft certificate leaked by Lapsus$.

Image 4: Example of Microsoft Certificate Used to Sign Assembly File

Additional Twitter posts indicate that users have been able to customize the signing certificate to sign known threats like mimikatz.exe.

On the same day as the Microsoft leak, Lapsus$ posted a screenshot to support its claim that it had obtained access to an Okta administrative, or “super-user,” account. Okta provides cloud software that allows its 15,000 clients to manage and secure user authentication into applications. Okta tools are also used by developers to build identity controls into applications, websites, and devices. Given Okta’s role as an identity provider, any potential breach of its data could be critical to both Okta and its customers. Okta’s investigation revealed that there was a five-day window in January 2022 when an attacker had access to a support engineer’s laptop. As a result, approximately 2.5% of Okta’s customer base, or 375 customers, have potentially been impacted, and their data may have been “viewed or acted upon.” As of posting, it’s unclear if credentials stolen from Okta led to the compromise of its customers.

Image 5: Lapsus Okta Hack Proof

Lapsus$ is also sharing stolen data, torrents, zip folders, and PDFs from other companies including: LGE, Samsung, Huawei, Alcatel, and others.

Image 6: Lapsus$ LGE Hash Dump Announcement

Communications

Unlike other ransomware gangs, Lapsus$ does not use an onion site (TOR) for its data leak platform, but instead uses Telegram. Its official channel can be found at t[.]me/saudechat. Here, Lapsus$ posts about its new victims, new targets, and upcoming leaks, and poses questions to the users following its activities. Prior to officially posting a leak, operators leak a small sample of sensitive data to add credibility to their claimed attacks. Lapsus$ has also used other Telegram channels, including t[.]me/minsaudebr and t[.]me/lapsus_news_nvidia_samsung.

On March 6, Lapsus$ conducted a poll via Telegram to ask followers which one of three companies’ data it should leak next. On the day of collection, the poll had 13.9K votes. SecurityScorecard assesses that Lapsus$’s use of this type of polling demonstrates an eagerness for attention, but may also be a more passive method of enticing victims to negotiate.

Image 7: Lapsus$ Telegram Poll

Lapsus$ has also used this channel to provide updates on its various campaigns. For example, on March 8, Lapsus$ made the following post to explain why the leak of the NVIDIA data had been delayed:

Image 8: Lapsus$ Explanation of NVIDIA Data Leak Delay

This content was deleted soon after posting, suggesting Lapsus$ members could not agree on an appropriate ransom for NVIDIA’s data. These internal frustrations resulted in the public blaming of one of Lapsus$’s own members. This also suggests that the group does not fully understand business dynamics and what impacts an organization’s ability to pay ransoms. It also indicates to SecurityScorecard researchers that Lapsus$ is not well-organized or properly led in its current incarnation.

That said, Lapsus$ is showing some media savvy and chutzpah by trolling Okta openly on social media, and suggesting their breach extends past Okta’s public statements.

Image 9: Lapsus$ Response to Okta

Initial Access

Evidence exists that Lapsus$ relies more on social engineering and less technical attack vectors than those used by traditional threat actors. According to a Vice News article, a representative for the hackers that stole EA’s data admitted that the group purchased stolen cookies to gain access to the Slack channel used by EA. Once inside the chat, the hackers used social engineering to trick IT support into providing them with a new multifactor authentication token for a new device under their control. Once inside EA’s network, the hackers were eventually able to locate and download source code.

There is more evidence to suggest Lapsus$ is using Slack as a possible attack vector in relation to the Okta breach. On its Telegram channel, Lapsus$ claimed that Okta was storing AWS keys in Slack and joked that, for a company that supports zero-trust, Okta’s support engineers shouldn’t have access to 8,600 Slack channels. If this claim is true, Lapsus$ would need to have access to Okta’s Slack. It’s possible that, much like in the EA compromise, Lapsus$ gained initial access to Okta via Slack, with the possible use of stolen cookies and/or social engineering.

One possible attack vector of interest is through the recruitment of willing employees/insiders to provide access to the victim companies. On March 10, Lapsus$ posted the following request, offering payment for employees of specific companies in exchange for Citrix or VPN credentials:

Image 10: Lapsus$ Recruitment Campaign

At posting, SecurityScorecard is unable to independently verify if the recruitment of an insider/employee has resulted in a successful leak. We assess that this approach could be an indication of Lapsus$’s inability or unwillingness to conduct technical attacks, and they would rather rely on a disgruntled or financially motivated insider/employee to provide access or information. This approach isn’t unique to Lapsus$, as other threat groups, such as LockBit, have previously called on insiders for access in return for large sums of money.

SecurityScorecard also has evidence that Lapsus$ conducted phishing attacks on users of the British mobile telecom providers EE and Orange. Users reported receiving phishing texts from Lapsus$, advising that Lapsus$ had the users’ data and demanding $4 million USD worth of Monero digital currency to delete it.

Image 11: Lapsus$ Phishing Text Message

Attribution

To date, Lapsus$ has not taken a political stance or claimed any state sponsorship. It is speculated that the group is based in Latin America, likely Brazil, due to its targeting of Brazilian government organizations and companies and its use of Brazilian Portuguese in its Telegram channel. However, there is evidence that at least one Lapsus$ operator may be located in the UK. According to a report released by DarkOwl, a weather widget shown in one of the screenshots provided by Lapsus$ to confirm its access to a compromised network showed the temperature was 4 degrees Celsius at 21:56 on December 25, 2021. DarkOwl indicated that Brazil did not have those weather conditions at that time/date, but London did. Furthermore, in January 2022, a dox posted to Doxbin suggested a high-ranking Lapsus$ member was actually a 16-year-old residing in Kidlington, UK, who regularly used the pseudonyms SigmA, wh1te, and Breachbase in the underground. The dox may have been leaked in retaliation after Lapsus$ shared hacked internal docs from Doxbin on its Telegram channel on January 5.

Key Insights

According to SecurityScorecard research, there is no evidence that Lapsus$ has used malware to gain access to its victims’ networks, nor has it deployed any kind of ransomware.

There is evidence that Lapsus$ has gained access to its victims via Slack channels used by the victim, through the use of stolen cookies and social engineering.

Lapsus$ has a history of making unrealistic demands in exchange for its stolen data. Lapsus$ doesn’t seem to be able to determine an appropriate ransom amount for the data it has stolen, nor does it appear to give its victims much time to negotiate a payment in exchange for not leaking information.

This leads to two potential scenarios: One, Lapsus$ members are immature and unprofessional. Or, two, Lapsus$ members are not financially motivated, and make unrealistic demands knowing their victims won’t pay, so they can then gain attention and infamy by leaking data from high profile companies.

Lapsus$ is not a technically sophisticated threat actor, and is not likely to deploy malware, or rely on highly technical attack vectors to gain access to victim networks. It’s more likely to conduct social engineering and phishing attacks to gain initial access to its victims’ networks.

Outlook

Regardless of Lapsus$’s less sophisticated and noisy approach, its techniques appear to be successful in causing disruption. However, it’s unclear if Lapsus$ has ever successfully received payment in exchange for data it has stolen. Ultimately, this will inject tension into the group as law enforcement and cybersecurity researchers discover and expose more of its activities. As this pressure increases and Lapsus$ continues to lack financial gain from its illegal activities, SecurityScorecard believes it likely that members will start questioning their own involvement in the group, and even ultimately leave.

SecurityScorecard will continue to monitor Lapsus$ activities.

Key Recommendations and Mitigation Strategies

  • If you are an Okta customer, please refer to the latest official guidance issued by Okta.

  • Do not trust any drivers signed by certificates using serials 43BB437D609866286DD839E1D00309F5 or 14781bc862e8dc503a559346f5dcc518.

  • Train your users to recognize social engineering attacks.

  • Do not store credentials in Slack conversations.
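The driver-signing recommendation above can be checked on a Windows host. The following PowerShell script is an added example, not part of the SecurityScorecard post: it enumerates the image paths of installed kernel and file-system drivers via Win32_SystemDriver, reads each Authenticode signer with Get-AuthenticodeSignature, and flags any file whose signer serial matches one of the two leaked NVIDIA serials quoted in the post (it also reports whether that signer certificate has expired, the condition the post notes Windows still accepts for driver signing). The serials come from the post; the function names, the exit code and the path-normalisation rules are assumptions of this example.

```powershell
# Added example (not from the post): audit installed drivers for signatures
# made with the two leaked NVIDIA code-signing certificate serials.

# Serial numbers quoted in the post's recommendations; compared case-insensitively.
$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',
    '14781bc862e8dc503a559346f5dcc518'
) | ForEach-Object { $_.ToUpperInvariant() }

function Test-LeakedSigner {
    # Returns one record per file describing its Authenticode signer and
    # whether the signer serial is on the leaked list.
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    if ($null -eq $signer) {
        # Unsigned or unreadable signature block: nothing to compare against.
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Serial = $null
            Subject = $null; Expired = $null; Flagged = $false
        }
    }
    $serial = $signer.SerialNumber.ToUpperInvariant()
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status                     # Valid / NotSigned / HashMismatch / NotTrusted ...
        Serial  = $serial
        Subject = $signer.Subject
        Expired = ($signer.NotAfter -lt (Get-Date)) # expired certs are still accepted for driver signing
        Flagged = ($LeakedSerials -contains $serial)
    }
}

function Get-DriverImagePaths {
    # Driver image paths as registered with the service control manager.
    # Assumed normalisation: strip the \SystemRoot\ and \??\ prefixes and
    # root relative paths under %SystemRoot%.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $p = $_.PathName.Trim('"')
            $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
            if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
            $p
        } | Sort-Object -Unique
}

$results = Get-DriverImagePaths |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-LeakedSigner -Path $_ }

# Report hits; exit code 2 (an assumed convention) lets the script feed a
# scheduled compliance check.
$hits = @($results | Where-Object Flagged)
if ($hits.Count -gt 0) {
    $hits | Format-Table Path, Serial, Subject, Expired, Status -AutoSize
    exit 2
}
Write-Host "No installed drivers are signed with the leaked NVIDIA certificate serials."
exit 0
```

This only matches the two serials the post names; the leaked Microsoft certificate is not covered because the post gives no serial for it, so extend $LeakedSerials from your own vendor advisories as they are published.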
