The new cybercrime group is claiming some big victims. Is it a sophisticated threat actor…or just script kiddies?
Executive Summary
-In the hours after news broke that Lapsus$ claimed to have breached Okta, an enterprise identity and access management firm, SecurityScorecard's Threat Research and Intelligence team conducted a rapid investigation into Lapsus$ to provide customers and partners with the latest actionable security intelligence and insights on this emerging cybercrime group.
-Lapsus$’s targets have quickly evolved from Brazilian and Portuguese organizations to high-profile U.S. technology companies with global footprints and large customer bases.
-SSC believes Lapsus$ is gaining initial access to its victims through the use of social engineering, stolen cookies, phishing, and the potential recruitment of employees/insiders of victim organizations. These attack vectors do not require a high amount of technical skill to deploy.
-Lapsus$ directly engages with its Telegram followers to poll which of its victims’ data it should leak next, provide updates, and to answer questions on its activities.
-To date, SSC has not found any evidence of Lapsus$ deploying ransomware or malware to the networks of its victims. Rather, Lapsus$ steals data and holds it hostage. Lapsus$ has also defaced websites and conducted DNS spoofing.
-Microsoft and NVIDIA code signing certificates leaked by Lapsus$ have been successfully used to sign various malware and hacking tools, such as Cobalt Strike, Mimikatz, Quasar RAT, and other backdoors and Windows drivers.
Background
Lapsus$ is an emerging cybercrime group that communicates in English and Portuguese. The group's Telegram channel started on December 10, 2021; however, references to the group on online cybercrime forums were observed as early as June 2021, when an actor identifying him/herself as Lapsus$ claimed to have obtained 780 GB of Electronic Arts (EA) data, including FIFA 2021 source code as well as other proprietary EA games and software development kits (SDKs). EA confirmed that the unnamed hacker group stole the source code for FIFA 21 and related tools, as well as the source code for the Frostbite engine that powers games like Battlefield and other internal game development tools.
Victims
Most Lapsus$ victims have been located in Brazil, the United States, and Portugal. Since its "official" inception in December 2021, Lapsus$ has claimed the following organizations as victims:
-Ministerio da Saude (Brazilian Ministry of Health)
-Escola Virtual Gov (Brazilian Government Virtual School)
-Agência Nacional de Transportes Terrestres (Brazilian National Land Transport Agency)
-Vlibras (Brazilian Government Translation Services)
-Correios
-Claro
-SIC
-Expresso
-Localiza
-Vodafone
-NVIDIA
-Samsung
-Microsoft
-Okta
On March 1, NVIDIA officials indicated that they were aware that a threat actor had stolen employee credentials and NVIDIA proprietary information before leaking it online. NVIDIA indicated it did not anticipate any disruption to its business or its ability to serve its customers as a result of the incident. However, the leaked NVIDIA data included two code-signing certificates used by NVIDIA developers to sign their drivers and executables. Although they were expired, Windows still allows them to be used for driver signing purposes, in turn allowing a threat actor to make its malware look like legitimate NVIDIA programs. SecurityScorecard's analysis of samples uploaded to VirusTotal has revealed that the stolen certificates have been used to sign various malware and hacking tools, such as Cobalt Strike, Mimikatz, Quasar RAT, and other backdoors and Windows drivers. At posting, SecurityScorecard cannot determine with confidence whether these files were intentionally uploaded by security researchers or were related to legitimate threat activity.
Image 1: VirusTotal Signature Information for NVIDIA Signed Sample
On March 20, Lapsus$ posted a screenshot to its Telegram channel indicating that it hacked Microsoft’s Azure DevOps server containing source code for Bing, Cortana, and various other internal projects.
Image 2: Lapsus$ Screenshot of Azure DevOps Server
The following day, Lapsus$ posted a 9GB 7zip archive containing the source code of more than 250 projects that it said belonged to Microsoft.
Image 3: Lapsus$ Telegram Channel Announcing Leak of Microsoft Source Code
Microsoft has not released an official statement on the apparent leak; however, it has stated to several media outlets that it is aware of the claims and is investigating. On March 22, 2022, security researcher Soufiane Tahari posted on his Twitter account evidence of successfully signing an assembly file using a Microsoft certificate leaked by Lapsus$.
Image 4: Example of Microsoft Certificate Used to Sign Assembly File
Additional Twitter posts indicate that users have been able to use the leaked signing certificate to sign known threats like mimikatz.exe.
On the same day as the Microsoft leak, Lapsus$ posted a screenshot to support its claim that it had obtained access to an Okta administrative, or "super-user," account. Okta provides cloud software that allows its 15,000 clients to manage and secure user authentication into applications. Okta tools are also used by developers to build identity controls into applications, websites, and devices. Given Okta's role as an identity provider, any potential breach of its data could be critical to both Okta and its customers. Okta's investigation revealed a five-day window in January 2022 during which an attacker had access to a support engineer's laptop. As a result, approximately 2.5% of Okta's customer base, or 375 customers, have potentially been impacted, and their data may have been "viewed or acted upon." As of posting, it's unclear if credentials stolen from Okta led to the compromise of its customers.
Image 5: Lapsus Okta Hack Proof
Lapsus$ is also sharing stolen data, torrents, zip folders, and PDFs from other companies including: LGE, Samsung, Huawei, Alcatel, and others.
Image 6: Lapsus$ LGE Hash Dump Announcement
Communications
Unlike ransomware gangs, Lapsus$ does not use an onion site (TOR) for its data leak platform, but instead uses Telegram. Its official channel can be found at t[.]me/saudechat. Here, Lapsus$ posts about its new victims, new targets, upcoming leaks, and questions to the users following its activities. Prior to officially posting a leak, the operators release a small sample of sensitive data to add credibility to their claimed attacks. Lapsus$ has also used other Telegram channels, including t[.]me/minsaudebr and t[.]me/lapsus_news_nvidia_samsung.
On March 6, Lapsus$ conducted a poll via Telegram to ask followers which one of three companies' data it should leak next. On the day of collection, the poll had 13.9K votes. SecurityScorecard assesses that Lapsus$'s use of this type of polling demonstrates an eagerness for attention, but may also be a more passive method of enticing victims to negotiate.
Image 7: Lapsus$ Telegram Poll
Lapsus$ has also used this channel to provide updates on its various campaigns. For example, on March 8, Lapsus$ made the following post to explain why the leak of the NVIDIA data had been delayed:
Image 8: Lapsus$ Explanation of NVIDIA Data Leak Delay
This content was deleted soon after posting, suggesting Lapsus$ members could not agree on an appropriate ransom for NVIDIA’s data. These internal frustrations resulted in the public blaming of one of Lapsus$’s own members. This also suggests that the group does not fully understand business dynamics and what impacts an organization’s ability to pay ransoms. It also indicates to SecurityScorecard researchers that Lapsus$ is not well-organized or properly led in its current incarnation.
That said, Lapsus$ is showing some media savvy and chutzpah by trolling Okta openly on social media, and suggesting that its breach extends past Okta's public statements.
Image 9: Lapsus$ Response to Okta
Initial Access
Evidence exists that Lapsus$ relies more on social engineering and less technical attack vectors than those used by traditional threat actors. According to a Vice News article, a representative for the hackers that stole EA's data admitted that the group purchased stolen cookies to gain access to the Slack channel used by EA. Once inside the chat, the hackers used social engineering to trick IT support into providing them with a new multifactor authentication token for a new device under their control. Once inside EA's network, the hackers were eventually able to locate and download source code.
There is more evidence to suggest Lapsus$ is using Slack as a possible attack vector in relation to the Okta breach. On its Telegram channel, Lapsus$ claimed that Okta was storing AWS keys in Slack and joked that, for a company that supports zero trust, Okta's support engineers shouldn't have access to 8,600 Slack channels. If this claim is true, Lapsus$ would need to have had access to Okta's Slack. It's possible that, much like in the EA compromise, Lapsus$ gained initial access to Okta via Slack, with the possible use of stolen cookies and/or social engineering.
One possible attack vector of interest is through the recruitment of willing employees/insiders to provide access to the victim companies. On March 10, Lapsus$ posted the following request, offering payment for employees of specific companies in exchange for Citrix or VPN credentials:
Image 10: Lapsus$ Recruitment Campaign
At posting, SecurityScorecard is unable to independently verify whether the recruitment of an insider/employee has resulted in a successful leak. We assess that this approach could be an indication of Lapsus$'s inability or unwillingness to conduct technical attacks, and that the group would rather rely on a disgruntled or financially motivated insider/employee to provide access or information. This approach isn't unique to Lapsus$, as other threat groups, such as LockBit, have previously called on insiders for access in return for large sums of money.
SecurityScorecard also has evidence that Lapsus$ conducted phishing attacks on users of the British mobile telecom providers EE and Orange. Users reported receiving phishing texts from Lapsus$ claiming that Lapsus$ had the users' data and demanding $4 million USD worth of Monero digital currency to delete it.
Image 11: Lapsus$ Phishing Text Message
Attribution
To date, Lapsus$ has not taken a political stance or claimed any state sponsorship. It is speculated that the group is based in Latin America, likely Brazil, due to the targeting of Brazilian government organizations and companies, and the use of Brazilian Portuguese in its Telegram channel. However, there is evidence that at least one Lapsus$ operator may be located in the UK. According to a report released by DarkOwl, a weather widget shown in one of the screenshots provided by Lapsus$ to confirm its access to a compromised network showed the temperature was 4 degrees Celsius at 21:56 on December 25, 2021. DarkOwl indicated that Brazil did not have those weather conditions at that time/date, but London did. Furthermore, in January 2022, a dox posted to Doxbin suggested a high-ranking Lapsus$ member was actually a 16-year-old teenager residing in Kidlington, UK, who regularly used the pseudonyms SigmA, wh1te, and Breachbase in the underground. The dox may have been leaked in retaliation after Lapsus$ shared hacked internal docs from Doxbin on its Telegram channel on January 5.
Key Insights
According to SecurityScorecard research, there is no evidence that Lapsus$ has used malware to gain access to its victims' networks, nor has it deployed any kind of ransomware.
There is evidence that Lapsus$ has gained access to its victims via Slack channels used by the victim, through the use of stolen cookies and social engineering.
Lapsus$ has a history of making unrealistic demands in exchange for its stolen data. Lapsus$ doesn’t seem to be able to determine an appropriate ransom amount for the data it has stolen, nor does it appear to give its victims much time to negotiate a payment in exchange for not leaking information.
This leads to two potential scenarios: One, Lapsus$ members are immature and unprofessional. Or, two, Lapsus$ members are not financially motivated, and make unrealistic demands knowing their victims won’t pay, so they can then gain attention and infamy by leaking data from high profile companies.
Lapsus$ is not a technically sophisticated threat actor, and is not likely to deploy malware, or rely on highly technical attack vectors to gain access to victim networks. It’s more likely to conduct social engineering and phishing attacks to gain initial access to its victims’ networks.
Outlook
Regardless of Lapsus$'s less sophisticated and noisy approach, its techniques appear to be successful in causing disruption. However, it's unclear if Lapsus$ has ever successfully received payment in exchange for data it has stolen. Ultimately, this will inject tension into the group as law enforcement and cybersecurity researchers discover and expose more of its activities. As this pressure increases and Lapsus$ lacks financial gain from its illegal activities, SecurityScorecard believes it likely that members will start questioning their own involvement in the group, and even ultimately leave.
SecurityScorecard will continue to monitor Lapsus$ activities.
Key Recommendations and Mitigation Strategies
-If you are an Okta customer, please refer to the latest official guidance issued by Okta.
-Do not trust any drivers signed by certificates using serials 43BB437D609866286DD839E1D00309F5 or 14781bc862e8dc503a559346f5dcc518.
-Train your users to recognize social engineering attacks.
-Do not store credentials in Slack conversations.
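As an added, defender-side example (not code from the SecurityScorecard report), the following PowerShell script inventories driver and executable files under an assumed scan path and flags any whose Authenticode signer certificate carries one of the two leaked NVIDIA serials listed in the recommendations above. The scan path and the output layout are assumptions; the serial numbers are those the report gives.

```powershell
# Added example: flag files signed with the leaked NVIDIA code-signing certificates.
# The serials below are the two given in the report's recommendations.
$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',
    '14781BC862E8DC503A559346F5DCC518'
)

# Assumed scan location; point this at driver stores or software shares as needed.
$ScanRoot = 'C:\Windows\System32\drivers'

function Test-LeakedSigner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Serials = $LeakedSerials
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if ($null -eq $cert) {
        # Unsigned, or no embedded signature (see the note on catalog signing).
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Subject = $null
                                  NotAfter = $null; Serial = $null; Leaked = $false }
    }

    # SerialNumber is a hex string; strip whitespace and normalise case before comparing.
    $serial = ($cert.SerialNumber -replace '\s', '').ToUpperInvariant()

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter     # the leaked certificates were already expired
        Serial   = $serial
        Leaked   = ($Serials -contains $serial)   # -contains is case-insensitive for strings
    }
}

# Walk the tree and report only matches against the leaked serials.
Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Test-LeakedSigner -Path $_.FullName } |
    Where-Object { $_.Leaked } |
    Format-Table Path, Subject, NotAfter, Serial, Status -AutoSize
```

Catalog-signed drivers carry no embedded signature, so a NotSigned status on its own is not evidence of tampering; treat a Leaked hit as the finding. The serials identify only the leaked leaf certificates, so a match should be followed by inspecting the full chain and the file hash rather than trusting the Status column alone.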