A new threat actor group is behind a notorious wave of attacks on companies including Microsoft, Nvidia, Okta and, most recently, Globant. LAPSUS$, tracked as DEV-0537 by Microsoft, is less sophisticated than other hacking and extortion groups in its tactics and procedures. What the group lacks in sophistication, however, it makes up for in persistence.
According to Microsoft, LAPSUS$ gains illicit access mainly through social engineering, focused on collecting intelligence about the business operations of its targets. The group uses a pure extortion and destruction model without deploying ransomware payloads. Though it originally focused on companies in the UK and South America, it has since extended its reach to global targets.
LAPSUS$ uses a variety of tactics to gain access to victims' networks, including the following:
- Deploying Redline password stealer malware to acquire passwords or session tokens
- Purchasing credentials and session tokens from criminal forums
- Searching for exposed passwords via public code repositories
- Using MFA prompt bombing once a password has been obtained
- Utilizing SIM-swapping techniques to facilitate account takeovers
- Calling a target company’s help desk in an attempt to reset a privileged account’s credentials
- Recruiting employees, suppliers, or other partners of the organization to gain access to credentials and MFA approval
- Gaining access to personal or private accounts of employees at target organizations to search for additional credentials that could help gain access to corporate systems
After the access is obtained, “DEV-0537 typically connected a system to an organization’s VPN… creates global admin accounts in the organization’s cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, so only the actor has sole control of the cloud resources… deletes the target’s systems and resources… then joining the organization’s crisis communication calls and internal discussion boards (Slack, Teams, conference calls, and others) to understand the incident response workflow and their corresponding response” (Microsoft Security Blog).
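As an added illustration (not code from the original post or from Microsoft), the Python below walks constructed audit-log records looking for the post-access sequence quoted above: a new global admin is added, a tenant-wide mail forwarding transport rule is created, and other global admins are removed, all by the same actor within a short window. The record shape, operation names and parameter names are assumptions and must be mapped to whatever your own log source emits.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data), shaped loosely like Office 365
# Unified Audit Log entries. Operation/parameter names are assumptions.
SAMPLE_LOG = [
    {"CreationTime": "2022-03-20T01:02:00", "UserId": "attacker@corp.example",
     "Operation": "Add member to role.", "Role": "Global Administrator",
     "Target": "svc-backup@corp.example"},
    {"CreationTime": "2022-03-20T01:10:00", "UserId": "attacker@corp.example",
     "Operation": "New-TransportRule",
     "Parameters": {"Name": "Archive", "BlindCopyTo": "svc-backup@corp.example"}},
    {"CreationTime": "2022-03-20T01:15:00", "UserId": "attacker@corp.example",
     "Operation": "Remove member from role.", "Role": "Global Administrator",
     "Target": "ciso@corp.example"},
    # Benign: a scoped rule, created by someone who removed no admins.
    {"CreationTime": "2022-03-21T09:00:00", "UserId": "helpdesk@corp.example",
     "Operation": "New-TransportRule",
     "Parameters": {"Name": "Legal hold", "BlindCopyTo": "legal@corp.example",
                    "SentTo": "exec@corp.example"}},
]
GLOBAL_ADMIN = "Global Administrator"
FORWARD_KEYS = ("BlindCopyTo", "RedirectMessageTo", "CopyTo")
SCOPE_KEYS = ("SentTo", "From", "FromScope", "SentToScope")

def is_tenant_wide_forward(params):
    """Rule copies or redirects mail and has no sender/recipient condition."""
    return any(params.get(k) for k in FORWARD_KEYS) and not any(
        params.get(k) for k in SCOPE_KEYS)

def detect_takeover(records, window_hours=24):
    """Per actor: global admin added, tenant-wide forward rule created and
    another global admin removed, all within window_hours. {actor: removed}"""
    by_actor = {}
    for r in records:
        by_actor.setdefault(r["UserId"], []).append(r)
    findings = {}
    for actor, evts in by_actor.items():
        added = [e for e in evts if e["Operation"] == "Add member to role."
                 and e.get("Role") == GLOBAL_ADMIN]
        rules = [e for e in evts if e["Operation"] == "New-TransportRule"
                 and is_tenant_wide_forward(e.get("Parameters", {}))]
        removed = [e for e in evts if e["Operation"] == "Remove member from role."
                   and e.get("Role") == GLOBAL_ADMIN]
        if not (added and rules and removed):
            continue
        times = [datetime.fromisoformat(e["CreationTime"])
                 for e in added + rules + removed]
        if max(times) - min(times) <= timedelta(hours=window_hours):
            findings[actor] = sorted(e["Target"] for e in removed)
    return findings
```

The scoped "Legal hold" rule is deliberately not flagged; only a copy or redirect rule with no sender or recipient condition counts as the tenant-wide forwarding the quote describes.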
Microsoft has published detection, hunting, and mitigation guidance for these attacks on the Microsoft Security Blog.