This post was co-authored by Storm Swendsboe, Director of Threat Intelligence, and Mike Campfield, CRO.
In this blog:
- Brief summary of the “Lapsus$” profiles written up by Microsoft and Okta
- How “Lapsus$” could (and did) utilize communication channels like Slack and Teams.
- The risks posed by these kinds of attacks.
- How to best defend against them.
Recent attacks against Okta and Microsoft by the group “Lapsus$” have drawn attention to these bad actors. Both of the affected companies have put out write-ups regarding the tactics, techniques, and procedures used by the actor group in their incidents, as well as in general. However, while there has been a lot of coverage regarding the impact of these incidents, there has not been as much focus on the tactics for defending against them. Especially neglected has been the fact that, in their recent attacks, “Lapsus$” gained access to and utilized communication channels like Slack and Teams.
Social Engineering & Escalating Privileges: Analyzing the “Lapsus$” Playbook
Lapsus$ is a notorious hacker group known to have been operating since 2019. The group is highly organized and well-funded, with members coming from different countries worldwide. Interestingly, rumors suggest that their mastermind could be a 16-year-old from Oxford, England.
The London police recently arrested several alleged members of the Lapsus$ hacking group. Prior to this, the group was responsible for carrying out a slew of data breaches on top global companies, including Microsoft, Samsung, Ubisoft, Nvidia and Okta. One member of the group may also have been involved in last year’s high-profile EA breach.
The group’s tactics relied on finding vulnerable subcontractors and peripheral employees, who they could social engineer to access their accounts and then look for ways to escalate privileges inside the company’s network or communications channels.
Whether the Lapsus$ group survives these arrests is irrelevant. It is more critical for businesses to understand the playbook they used to pull off these attacks: targeting peripheral employees and subcontractors, recruiting company insiders, social engineering, credential theft, and escalating privileges inside shared systems and communications platforms (Slack, Teams). The young age of the Lapsus$ hackers demonstrates that inexperienced, less sophisticated hackers can still cause significant damage to a company just by following these simple social engineering tactics.
As noted security reporter Brian Krebs recently wrote:
“While it may be tempting to dismiss Lapsus$ as an immature and fame-seeking group, their tactics should make anyone in charge of corporate security sit up and take notice. Microsoft says Lapsus$ — which it boringly calls “DEV-0537” — mostly gains illicit access to targets via ‘social engineering.’ This involves bribing or tricking employees at the target organization or at its myriad partners, such as customer support call centers and help desks.”
What Happened in the Microsoft Breach?
Microsoft's March 22nd blog post states that the actor publicly claimed to have gained access to Microsoft and exfiltrated portions of source code. Fortunately, Microsoft reported that no customer code or data was involved in the observed activities.
Further investigation from Microsoft found that a single account had been compromised, granting limited access. In addition, the group accessed and exfiltrated source code, but Microsoft stated that it was for more open products that they worked on where “secrecy of code” did not matter for security reasons.
Quick remediation prevented further activity. In addition, this public disclosure escalated Microsoft’s action, allowing their team to intervene and interrupt the actor mid-operation, limiting broader impact.
Microsoft did not reveal how the actors gained access to their systems. But they did release a blog post providing an actor profile for the group and describing their tactics.
A Consistent Pattern...
As has recently been noted by Microsoft and other security researchers investigating Lapsus$, the group’s operations have centered around several key tactics:
- Using credential stealers
- Purchasing or finding stolen/exposed credentials and session cookies
- Recruiting insiders to provide access
- Targeting help desks and support teams
- Utilizing internal assets for privilege escalation
- Data exfiltration and destruction.
Using Credential Stealers
Microsoft reported that the group was known to use the Redline credential-stealing malware. This malware was likely delivered through some form of social engineering email carrying a malicious attachment, or hosted on an impersonated download site. The malware is a standard credential stealer and primarily targets browsers for auto-complete and saved password data. An interesting thing about this malware family is that recent variants have been known to also include modules for stealing credentials from messaging clients (like Slack) (source: Malpedia).
Purchasing or finding credentials and cookies
The group has been known to purchase credentials and session cookies on the dark web. They also scan public code repositories for credentials that may have inadvertently been included in the code stored there. Once acquired, these credentials and cookies can give them initial access to the corporate environment.
Lapsus$ regularly recruited insiders (employees and contractors) to provide them with credentials and MFA codes, or to install AnyDesk or other remote management tools to provide inside access into the corporate network. Microsoft has confirmed that the group did succeed with this tactic, saying it “found instances where the group successfully gained access to target organizations through recruited employees…”
This tactic of recruiting employees and other insiders to provide internal access appears to be increasing across the board. A recent study found that 65% of organizations report that their employees were targeted for recruitment by cybercriminals, marking a 17% increase since last fall. Most notably, ransomware gangs like LockBit 2.0 and DemonWare have been observed offering financial incentives to company insiders who can broker the initial access. This trend continues to grow and inspires acts of internal protest or sabotage due to the increase in remote workers and contract employees, economic stress attributed to inflation and the wage gap, and divisive socio-political trends.
Once within a network, the actors would either move straight into discovering and exfiltrating data or look for a way to escalate their privileges within the environment. For privilege escalation they were known to use two tactics:
- Scanning Internal Assets: With their initial access to the corporate environment, the actors would scan internal systems for unpatched vulnerabilities and look for secrets that may have been exposed on employee-accessible resources (such as internal code repositories and messaging systems).
- Social Engineering: If the group could access a messaging system or contact internal support, they reportedly would attempt to convince them to reset the password for a more privileged account.
Exfiltration and Destruction
As is now well known, the primary goal of Lapsus$ once within a corporate environment was to discover and exfiltrate sensitive company data. Additionally, Microsoft reported that the group was generally not quiet about their activities and would typically delete data from the victim’s systems after they were done extracting it.
Focusing on the Messaging Element
As we can see, messaging systems were a significant part of the Lapsus$ tactics, and they played into multiple parts of their attacks:
- Their credential stealer specifically had modules that could target messaging application credentials.
- They could look for secrets on messaging applications.
- They could utilize messaging applications for privilege escalation social engineering attacks.
Additionally, we also have evidence of them specifically looking through a compromised environment's Slack. In the recent screenshots that the group posted regarding the Okta breach, one of them showed the actors having the Okta corporate Slack open in a browser window. While we don’t know what they did with that access, it is further proof that this group was interested in messaging applications and their exploitation.
At the end of the day, this group will not be the last to attempt to exploit these channels. These systems are rarely monitored and employees generally grant a higher level of trust to communications within them. This may be why they showed interest in them as well as having malware that could target these credentials specifically.
Steps to Secure Your Communication Network Against Employee/Contractor Compromises
While it is unclear what role messaging applications played in these recent attacks, they have been reported to have utilized them in the past, and other actors will likely use them in the future. So here are a couple of recommendations when considering the security of the applications within your company’s environment.
- Segment communication channels like Slack. This will allow companies to isolate certain types of employees and limit employee access. For example, segment your Slack channels between your main corporate environment and subcontractors where possible.
- Restrict employees from sharing credentials, like email addresses and passwords, and unencrypted data/files in communications platforms.
- Establish security awareness training for employees. For example, educate them on the potential risks of using Slack and other messaging applications, what social engineering methods attackers use, etc.
- Have a monitoring solution to detect and respond to new/emerging threats and detect employee violations, like sharing credentials or other sensitive information.
- Utilize Natural Language Understanding to understand the context and intent of human-to-human communication across multiple communication channels.
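One way to prototype the monitoring recommendation above, as an added example (not SafeGuard Cyber's product or code): a Python pass over exported chat messages that flags pasted credentials and password/MFA reset requests, and redacts the match so the alert does not re-expose the secret. The message fields (`id`, `sender_type`, `text`), the rule names and the sample messages are constructed for illustration; the AWS key shown is AWS's documented example value.

```python
import re

# Illustrative, non-exhaustive patterns for secrets commonly pasted into chat.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\b(?:\s+is\s+|\s*[:=]\s*)\S{6,}", re.I),
}
# Requests to reset or weaken authentication, the help-desk pretext described above.
RESET_REQUEST = re.compile(
    r"\b(?:reset|disable|bypass|remove)\b.{0,40}?\b(?:password|mfa|2fa|authenticator)\b",
    re.I)

def redact(text):
    """Mask matched secrets so the alert store never holds the raw value."""
    for rx in SECRET_PATTERNS.values():
        text = rx.sub("[REDACTED]", text)
    return text

def scan(messages):
    """Return (message id, sorted rule names, redacted text) per flagged message."""
    findings = []
    for msg in messages:
        rules = {name for name, rx in SECRET_PATTERNS.items() if rx.search(msg["text"])}
        if RESET_REQUEST.search(msg["text"]):
            # Requests from outside the core workforce segment get their own rule
            # so they can be routed at higher priority.
            external = msg["sender_type"] != "employee"
            rules.add("reset_request_external" if external else "reset_request")
        if rules:
            findings.append((msg["id"], sorted(rules), redact(msg["text"])))
    return findings

# Constructed sample messages (not real data).
SAMPLE = [
    {"id": 1, "sender_type": "employee", "text": "staging key: AKIAIOSFODNN7EXAMPLE"},
    {"id": 2, "sender_type": "contractor",
     "text": "Hi helpdesk, I'm locked out, can you reset the MFA on the admin account?"},
    {"id": 3, "sender_type": "employee", "text": "the wifi password is Tr0ub4dor&3x"},
    {"id": 4, "sender_type": "employee", "text": "lunch at noon?"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Regex rules like these catch the obvious cases only; they complement, rather than replace, the context-aware analysis the last recommendation describes.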
Incidents like this teach us that companies should be more proactive at protecting their Slack instances. Unfortunately, enterprises often make the mistake of remaining lax with their security, especially with their third-party communication apps. This is a huge oversight.
If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.