Lapsus$ Update: How This Technically Unsophisticated Threat Actor Group Breaches Large Organizations
On December 2, 2022, the US Department of Homeland Security (DHS) announced that its Cyber Safety Review Board would review attacks linked to the Lapsus$ threat actor group. Following this announcement, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team updated itsanalysis of the group.
STRIKE has identified specific tactics associated with Lapsus$, such as exploitation of multi-factor authentication (MFA) fatigue, as well as the distribution of the Redline information-stealing malware (“infostealer”) to collect the credentials of target organizations.
STRIKE discovered recent samples of malware that enable password theft (an established Lapsus$ tactic) signed using a certificate serial stolen by the group. This could mean that other threat actors are using malware signed with certificates stolen and leaked by Lapsus$, but it may also indicate that Lapsus$ affiliates have continued to distribute RedLine even when Lapsus$ doesn’t claim responsibility for it.
It is by now a trite observation, but one that bears repeating: in cybersecurity, humans are often organizations’ greatest vulnerabilities. Few of 2022’s cybersecurity incidents illustrate this as well as the attacks (and resulting data leaks) claimed by the Lapsus$ group (also tracked by Microsoft as DEV-0537). As STRIKE researchers previously assessed in March 2022 (when the group was first making headlines), Lapsus$ has employed fairly unsophisticated social engineering techniques (phishing and the recruitment of insiders) when initially accessing target organizations.
While the group’s methods may lack sophistication, they have nonetheless resulted in breaches at large and ostensibly well-defended organizations. The group’s Telegram channel (its main mode of communication) started on December 10, 2021, but references to the group in cybercrime forums appeared as early as June 2021 when a forum member named “Lapsus$” claimed to have obtained 780 GB of Electronic Arts (EA) data (including FIFA 2021 source code, as well as other EA intellectual property). After EA, the group claimed a series of high-profile breaches in March 2022; its compromises of NVIDIA, Microsoft, and Okta (all of which the group publicized that month) garnered particular attention. In addition to those firms, between December 2021 and March 2022, Lapsus$ also shared data stolen from companies including: LGE, Samsung, Huawei, and Alcatel.
On March 24, 2022, various media outlets reported that the City of London Police had arrested seven teenagers in relation to the Lapsus$ group. Since these arrests, the group has avoided the brash, highly public style of communication they’d become known for. However, activity attributed to the group briefly resumed on September 15 when Uber announced that it was investigating a “cybersecurity incident” attributed to Lapsus$. And in October, police in Brazil announced the arrest of a Brazilian national suspected of belonging to Lapsus$.
There has been no activity on Lapsus$’s Telegram channel or its backup Matrix chat site since the arrests in the spring. And no further breaches have been attributed to the group, nor have suspected members of the group claimed any additional attacks since the October arrest in Brazil.
In the months since SecurityScorecard first published its research on Lapsus$, the group's exploitation of MFA fatigue has attracted particular attention, especially following the attribution of the Uber breach to the group.
To gain access through MFA fatigue, the group would first attempt to log in to a target’s systems using credentials they had previously acquired, either by purchasing them on the dark web or by stealing them. Methods of credential theft can vary, but often involve phishing that leads a target to either submit their username and password to a credential-harvesting page or to download information-stealing malware (“infostealers”) like RedLine (discussed at greater length below). For companies that do not require MFA, credential reuse is enough to grant an attacker access to their systems, so in some cases, an attack can already move to its next stages here. However, better-defended companies will require MFA, and attackers subsequently use MFA fatigue to circumvent it.
When employing MFA fatigue, an attacker simply keeps attempting to log into an account, sending MFA notifications to a user until that user grows tired of them. The user eventually relents and unknowingly grants the attackers access to whatever systems are available to them.. From here, it’s only a matter of time before the group moves up the ladder to compromise the servers running the organization’s applications and accounts.
In the case of the Uber compromise, a spokesperson for Lapsus$ claimed to researchers that they first socially engineered an employee to access the corporate VPN and then, upon acquiring access, scanned the intranet to identify particularly interesting targets for exfiltration.
Image 1: A Lapsus$ member explained the tactics Lapsus$ used in its attack against Uber to a security researcher (image provided by Corbin Leo)
In a separate conversation with a different researcher, a spokesperson for Lapsus$ explained that simply producing a stream of MFA alerts for an hour was not enough to convince the employee to grant them access. Ultimately, they took the additional step of sending the employee a WhatsApp message in which they impersonated Uber IT to instruct them to accept the MFA notifications.
Image 2: An attacker explained that the attack against Uber also involved smishing that impersonated IT personnel (image provided by Kevin Beaumont via BleepingComputer).
Lapsus$ and the RedLine Infostealer
While SecurityScorecard continues to assess that the group’s methods are fairly immature–and that its operations rely heavily on social engineering rather than more technical methods–subsequent reporting has revealed that the group has used the RedLine infostealer in some of its attacks. Threat actors usually distribute RedLine through social engineering, and it does not demand a great deal of technical sophistication from its operators.
RedLine first surfaced in March 2020, when researchers observed threat actors distributing it in a phishing campaign using news of the then-novel COVID-19 pandemic as a lure. It can steal credentials, cookies (attackers can bypass MFA using stolen session cookies), stored credit card data, and cryptocurrency from infected devices. Attackers commonly distribute it through malicious attachments or links contained in phishing emails, downloads served by sites purporting to offer pirated software, and links contained in YouTube video descriptions. Cybersecurity analysts have observed campaigns distributing it as recently as October 2022, suggesting that it remains widely available. To that end, its availability was one of the features researchers first highlighted about RedLine, noting in 2020 that members of Russian-speaking cybercriminal forums advertised it in “Lite” and “Pro” versions for one-time sale prices of $150 and $200 USD, or a monthly subscription fee of $100 USD. This may further demonstrate Lapsus$’s relative lack of sophistication, as it suggests that the group uses malware that demands little more than a fee of its users, rather than software requiring additional technical inputs.
The Theft That Keeps on Giving
While the group’s own use of malware is apparently somewhat limited, it still appears that Lapsus$ may have contributed to the proliferation of malicious files. The data the group stole from NVIDIA included code-signing certificates identified in previous STRIKE research on Lapsus$, which threat actors have since used to sign files containing malware and often-abused hacking tools such as Cobalt Strike, Mimikatz, and Quasar RAT. A signed certificate from an established company like NVIDIA can lend malicious files the appearance of legitimacy. NVIDIA confirmed its breaches in March, but files signed using stolen certificate serials have continued to circulate in the months since the leak, despite Lapsus$’s own inactivity.
To underscore this point, in the week from November 28-December 5 alone, 145 files that vendors identified as malicious, and contained the leaked certificateserials, appeared on VirusTotal. These files do not necessarily indicate that Lapsus$ is still active; but they may indicate that other threat actors have used the information stolen by Lapsus$. As a result, this suggests that Lapsus$’s attacks may continue to have an impact even during a period of apparent inactivity for the group.
Two commondetections for files with both certificate serials refer to file infector viruses, which replicate their code into the program files on the systems where they have been executed. The impact of such viruses can, in general, vary quite widely, but the detected viruses, in particular, download additional malicious files to infected devices.
Vendors use two detections that apply to a large number of files with one serial to identify password-stealing Trojans that attackers could use in much the same way that Lapsus$ used RedLine. Vendors have, moreover, linked three other files with the signature to the RedLine infostealer; these have detections containing the word “Sabsik;” which some vendors use to track RedLine specifically.
Vendors have also linked a collection of files with the other of the two signatures to infostealers; although vendors detect these files as a longstanding email worm, they also match a rule titled “INDICATOR_KB_ID_Infostealer” because they contain email addresses researchers have observed various infostealers using to exfiltrate data. It would therefore appear that threat actors may use these files in a way similar to Lapsus$’s use of RedLineas well.
It remains to be seen if Lapsus$ will continue to be an effective cyber-crime group following the arrests of the alleged members, including its suspected leader. However, activity similar to Lapsus$’s is likely to persist even in its absence, as evidenced by the continued circulation of infostealers featuring signatures stolen and leaked by the group.
Key Recommendations and Mitigation Strategies
Lapsus$ is likely neither the first nor the last group to use manipulation to compensate for a lack of technical sophistication. But in general, training users to recognize social engineering attacks is a key strategy for defending against such groups.
Further defensive measures more particular to Lapsus$’s attacks and their consequences include:
Advising employees against storing credentials or other sensitive information in Slack (Lapsus$ claimed after one attack that it had been able to steal AWS keys by accessing a victim organization’s Slack because employees had stored them there).
Not trusting any drivers signed by certificates using serials 43BB437D609866286DD839E1D00309F5 or 14781bc862e8dc503a559346f5dcc518. Malware with those signatures has continued to circulate despite the arrests of accused Lapsus$ members in March, April, and October.
SecurityScorecard is a global leader in security ratings, resilience, and response, with over 12 million organizations continuously rated. Tens of thousands of customers trust SecurityScorecard’s patented platform and services for board reporting, compliance, cyber insurance procurement and underwriting, digital forensics, enterprise and third-party risk management, incident response, and regulatory oversight. Funded by world-class investors including Evolution Equity Partners, GV, Riverwood Capital, Sequoia Capital, and Silver Lake Waterman, the company was founded in 2013 by former Chief Information and Security Officers Dr. Aleksandr Yampolskiy and Sam Kassoumeh. SecurityScorecard enables customers to know in an instant whether an organization deserves their trust. For more information or to create a free account, visit securityscorecard.com.