What Lapsus$ Tells Us About The State Of Cybersecurity
After two months and numerous high-profile hacks, it’s time we as an industry look in the mirror and figure out why this keeps happening.
In the beginning of March, news broke that NVIDIA, one of the largest and most well-known computer hardware companies in the world, was breached. NVIDIA produces graphics cards and other hardware that helps your computer process large amounts of information quickly. As such, its hardware has low-level access to your computer’s firmware to allow it to function properly. At the time of the breach, it wasn’t initially known what data had been targeted however, it was made clear that customer data was safe.
The concern grew when a little-known threat group at the time, which quickly became one of the most infamous threat groups in recent years, claimed responsibility. In the claim, the group which calls itself Lapsus$ claimed to steal around 1 terabyte (TB) source code for a number of NVIDIA products and demanded payment, as well as a lift on the artificial limits placed on NVIDIA products impacting crypto-mining. These demands were ignored, and Lapsus$ proceeded to leak around 200 gigabytes (GB) of data, including source code, allowing developers to remove the crypto-mining limits.
This breach was huge but was buried in the headlines as Russia’s invasion of Ukraine continued. That breach was quickly accompanied by attacks on Samsung, Bing, Okta, and Globant, as well as the claim that they also breached Vodafone, Mircado-Libre, LG, and Ubisoft. Each of these breaches involved massive leaks of data, including source code and security data. By far, the most concerning breach claimed by Lapsus$ was the attack on Okta by way of their third-party security provider Sitel.
Okta is a company that specializes in Identity & Access Management (IAM) and works with numerous clients including Bing, Apple Health, EA, and more. In January, Okta detected a security incident involving a security engineer working for their security provider, Sitel. As Okta stated months later in March, the issue was quickly handled and no malicious activity was detected after the incident. However, before Okta released its statement on the incident, Lapsus$ published screenshots to their Telegram channel which appeared to be from an Okta management console, showing the incident went deeper than initially thought.
Shortly after the announcements by Lapsus$ that they had breached Okta, seven teens in the UK were arrested, including one believed to be the ring leader of the group. The relief that this was coming to an end was short-lived, however, when a week later, Lapsus$ announced that it breached an IT and software solutions company, Globant.
The Globant hack is another concerning breach as Globant has a number of high-profile clients like Dell, Coca-Cola, American Express, and Ubisoft, among others.
How It Happened
The staggering pace and scope that Lapsus$ has managed to work within have created many questions: How does Lapsus$ manage to breach its targets? What are Lapsus$’s goals? How is it that so many multi-billion dollar companies failed to stop them?
The Microsoft Security Team released an article at the end of March detailing the Tools, Techniques, & Procedures (TTPs) Lapsus$ has employed so far. In it, they detail how Lapsus$ primarily uses social engineering as a method of gaining access, whether through paying users for Multi-Factor Authentication (MFA) information which will ultimately allow for a successful login, or by calling the target’s Help Desk to reset user passwords. They also note how Lapsus$ will scan public code repositories for credentials or purchase stolen credentials on underground hacker forums.
A significant vector used by Lapsus$ appears to be Insider Threats, where an employee either sells information or access to the corporate VPN to Lapsus$. This method is reinforced by another call on the Lapsus$ Telegram for insider threats at a number of desired targets to work with Lapsus$ in sharing credentials or VPN access. It appears Lapsus$ isn’t interested in insiders sharing the proprietary data themselves, they’re only interested in a foothold. The desired targets they listed included a number of technology and telecommunications companies from AT&T, Microsoft, Apple, and IBM.
Once Lapsus$ gains a foothold, as Microsoft points out, they proceed to target unpatched internal services like JIRA, GitLab, or Confluence. They also search for code repositories that might include sensitive data they can use, from credentials to APIs.
Microsoft and numerous cybersecurity researchers have pointed out that Lapsus$ relies on publicly available tools like AD Explorer, Mimikatz, and Process Explorer / Hacker. These tools were then used to expand visibility in the target environment and bypass security tooling, like Fireye in the case of the Okta breach.
After escalating privileges, they proceed to create a new admin account that they can use to delete the other admin accounts, thereby locking administrators and engineers out of the environment. They then proceed to exfiltrate data and then delete data and services in the target’s environment. This is then used to extort the target for payment, as was attempted with NVIDIA. In cases where they don’t get payment or open negotiations, they publicly release a portion of the stolen data to verify the validity of their claim and gain leverage in the extortion negotiations.
What Their Goals Are
While their actions and methods have been derided by some cybersecurity experts as “crude” and “basic”, the fact is, Lapsus$ still managed to hack into numerous multi-billion dollar companies and steal their data. Their use of public tools and the often unprofessional messaging on their Telegram channel doesn’t give the impression that Lapsus$ is the second coming of the Conti ransomware group in the form of an extortion group (Lapsus$ is not a ransomware group, as some have claimed). That said, again, they’ve still pulled off a number of massive cyberattacks that have made a significant splash in the cybersecurity and tech world.
While they claim to be non-political, and they have not been seen to deploy ransomware on their targets, the motivation for Lapsus$ appears to be money gained from extorting targets in an effort to recover their own proprietary data. Their non-affiliation with any nation-state may be one reason why they have managed to sink into the headlines as the war in Ukraine rages on and concerns grow over a potential Russian cyberattack on the West.
It’s unclear what impact the arrests in the UK will have on the group. While the breach of Globant quickly followed news of the arrests, it’s unclear if this was merely an attempt to regain the initiative in coverage and distract from the potential ring leader being arrested. As of the time of this writing, it’s only been a little over a week since they announced the Globant hack and around two weeks since the arrests. Time will ultimately tell what impact the arrests will have on the group, and if one of those teens truly was the ring leader.
Some have suspected that, if that was in fact the ring leader, the group may splinter and continue to carry out attacks as smaller groups, but may lose the speed and scope of their previous attacks. If the ring leader wasn’t arrested, then the group may be taking a brief pause to regroup before carrying out additional attacks.
What We Can Learn
To summarize the main reasons why Lapsus$ managed to pull off so many attacks on so many large organizations, they primarily targeted the humans behind the computer to gain a foothold, then proceeded to use publicly available tools from the internet to bypass security tooling. They also targeted unpatched systems with known vulnerabilities to gain escalated privileges. Once escalated, they were able to lock the engineering and admin teams out of their accounts as they exfiltrated data and destroyed everything they left behind. This then kicked off the extortion process where they would incrementally leak data to gain leverage as they threatened the target to make a payment for the rest of their data.
To say nothing of the business impact, the impact on the reputations of these companies says enough. That a group of teenagers from the UK and South America was able to bypass the security architecture, no doubt worth over a billion dollars collectively, shows the need for cybersecurity is as dire as ever. It also shows the disconnect that we as cybersecurity professionals are having with the folks we need to be working with.
Lapsus$ isn’t the Russian GRU, nor are they the Conti ransomware group. Their TTPs are nothing special, and their composure, even publicly in some cases, shows they’re far from a “professional” hacking group. None of that matters.
While the GRU, Conti, and the other threat groups out there are certainly threats that require advanced tooling and processes to address, one wonders if that tooling makes a difference if an employee simply sells their access to the threat group in question or if the threat group is able to gain access by social engineering employees into giving them initial access. How effective is a custom tool made by a threat group designed to evade detection if the publicly available tool does the trick anyway? We, as cybersecurity professionals, may have set our eyes on the “Advanced” Persistent Threat and subsequently forgotten the “Non-Advanced” Persistent Threat.
By no means am I saying that the money spent on advanced security tooling was wasted or that the time invested in tracking and hunting advanced threat groups was a waste. Those threats must absolutely be addressed and met and will require the best the industry has to offer to counter them. What I am saying is that we cannot miss the simple threats as well.
Anyone that’s aware of “cybersecurity” knows the importance and impact that MFA has on account security. They also know that patching known vulnerabilities is as critical internally as it is externally in order to fully implement a multi-layer defense. They may also know how hard both of those are to accomplish as the organization you’re making these changes to increases in size. As Dave Kennedy shared in his recent interview on the Cyber Monday Show, the hardest targets to attack are often the smallest, because it’s easier to roll out the necessary security changes faster with less impact.
That said, it’s no less critical for larger organizations to come up with some solution to implement the needed patches and fixes their organizations need to remain secure. This is all part of covering the technical side of security.
None of that matters, however, if we lose sight of training and hardening the human side of security. Lapsus$ recognized a weakness in the security awareness of certain employees and managed to exploit that vulnerability. In doing so, a significant amount of the security work covering the technical side was bypassed. As has been said many times, humans can be the weakest link, but they can also be the strongest chain.
With adequate training, employees would be able to recognize when they’re inadvertently acting as an insider threat. This doesn’t cover when they are intentionally acting as an insider threat, whether by selling access, credentials, or by cooperating with attackers in other ways. Training can, however, help catch cases where an employee is intentionally acting as an insider threat and can help both mitigate the impact and reduce the response time.
To summarize, we can learn that patching and properly implementing the technical side of security is incredibly important, however, it is also incredibly hard. Regardless, the technical side must be addressed quickly, efficiently, and without fail. We can also learn that training and awareness can go a long way in tackling the human side of security, which is as important, if not more so, than the technical side.
No doubt, the Lapsus$ saga has taught us a lot, not only about the state of the cybersecurity industry but also about cybersecurity itself. It doesn’t matter how advanced the threat group is, what matters is the security solutions used to stop them. Those solutions include both technical and human elements, both of which are increasingly hard to implement as the organization itself grows in size. This is something Lapsus$ recognized and effectively exploited.
While the Lapsus$ saga may not yet be over, it’s important to identify these lessons and implement them in our own organizations quickly before other equally-motivated groups attempt to repeat the successes of Lapsus$ in order to gain money or fame. Looming over all of this, however, is the risk of more advanced threat groups that are certainly willing and able to exploit these vulnerabilities.
If you’re reading this and you’re interested in leveling up your cybersecurity game with stronger passwords in 2022, check this video out.
Be sure to check out my YouTube channel where I cover cybersecurity topics, news, and Security+ material. Also follow me on Twitter @sec_studio, where you can tell me about how you passed the Security+!