In recent weeks there has been a lot of talk about Lapsus$, a hacker group that has managed to break into several big technology companies. What's curious is not just what they achieved, but how they got in.
A Microsoft investigation now reveals more about how Lapsus$ operates: the group uses social engineering, but it also tries to recruit employees or insiders at those companies. When it finds them, it is willing to pay for credentials that open the door to their servers.
If you hand over your Microsoft engineer account, they'll pay you
Microsoft and Okta are the two most recent victims of these attacks (both have confirmed them), but in both cases the impact, they say, was limited. The post on the Microsoft Security blog explains, for example, that the limited access to its systems came through a single compromised account.
At Okta, the company discovered that in January an attacker had gained access to a support engineer's laptop. Those laptops have limited access, company officials said, though Lapsus$ countered that it had access to a super-user portal with password reset and multi-factor authentication (MFA) capabilities for about 95% of the company's customers.
In both cases the modus operandi looked similar: the Lapsus$ hackers hadn't exploited anything as such, at least not initially; they had simply obtained access to those companies' computers or accounts. With that kind of foothold, mounting a successful attack is of course much easier.
Microsoft's analysis makes clear that the company had been tracking this group for some time, under the name DEV-0537 in Redmond. Its tracking of Lapsus$ activity indicates that these hackers:
"focus their social engineering efforts on gathering insights into their targets' business operations. That information includes intimate data on employees, team structures, help desks, crisis response flows, and supply chain relationships."
These techniques are used "in a pure extortion and destruction model without ransomware being installed," Microsoft explains. The group began by targeting companies in the UK and South America. Not only that: "DEV-0537 is also known for gaining access to personal cryptocurrency exchange accounts to deplete their cryptocurrency holdings."
There are also peculiarities in how this group operates. It does use traditional social engineering techniques, such as trying to trick company employees over the phone, but also far more brazen methods:
"They don't seem to hide their tracks. They even announce their attacks on social networks or advertise their intention to purchase employee credentials of target companies."
That's right: Lapsus$ pays employees, or people with privileged information about a company, to hand that information over. The group also appears to use "various techniques that are less frequently used by others," such as the aforementioned social engineering over the phone or the well-known SIM-swapping technique to take over accounts.
To get initial access to the companies it targets, Lapsus$:
- Deploys the Redline password stealer to harvest passwords and session tokens.
- Buys credentials and session tokens on criminal forums dedicated to that trade.
- Pays employees of the target company (or of its suppliers) for credentials and for approving multi-factor authentication prompts.
- Searches public code repositories for credentials exposed in them.
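The last item is the one a defender can check for directly. The following is an added example, not code from the article or from Microsoft's report: a minimal scanner that walks a repository's files for the kinds of secrets that get committed by mistake, using exact-format rules for well-known token shapes (AWS access key IDs, GitHub personal access tokens, PEM private-key headers) and a keyword-plus-entropy fallback for generic `password=`/`secret=` assignments. The sample repository contents are constructed for the example; the AWS key is the placeholder from AWS's documentation and the GitHub token is an obviously fake string. The rule names and thresholds are the example's own choices.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample repository (path -> file contents). Every value here is
# made up for this example: the AWS key ID is the placeholder from AWS's own
# documentation and the GitHub token is an obviously fake string.
SAMPLE_REPO = {
    "src/settings.py": (
        "import os\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        "DB_PASSWORD = os.environ['DB_PASSWORD']  # read at runtime, not a leak\n"
        'API_SECRET = "s3cr3t-Qm7pLx9vWz2Ty4Bn8Kd"\n'
    ),
    ".env.example": "DB_PASSWORD=changeme\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n",
    "scripts/sync.sh": 'export GITHUB_TOKEN="ghp_ExampleExampleExampleExampleExample1"\n',
}


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    preview: str  # redacted: only the first 4 characters of the matched value


# Exact-format rules first; these need no entropy check because the shape
# itself is the signal. (Hypothetical rule names chosen for this example.)
SPECIFIC_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
]

# Generic fallback: a secret-ish keyword (possibly inside a longer identifier
# such as API_SECRET) followed by = or : and either a quoted literal of 8+
# characters or a bare value of 12+ characters. Values read from the
# environment (os.environ[...]) fail the value pattern and are not flagged.
GENERIC_RULE = re.compile(
    r"(?i)\b\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*"
    r"(?:[\"']([^\"']{8,})[\"']|([A-Za-z0-9_+/=.\-]{12,}))"
)
MIN_ENTROPY = 3.0  # bits per character; random secrets usually score 4 or more


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_line(line: str):
    """Return (rule, matched_value) for the first rule that fires, else None."""
    for name, pattern in SPECIFIC_RULES:
        m = pattern.search(line)
        if m:
            return name, m.group(0)
    m = GENERIC_RULE.search(line)
    if m:
        value = m.group(1) or m.group(2)
        # Placeholders like "changeme" are low-entropy and are dropped here.
        if shannon_entropy(value) >= MIN_ENTROPY:
            return "generic_high_entropy_secret", value
    return None


def scan_repo(files: dict) -> list:
    """Scan every line of every file; at most one Finding per offending line."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            hit = scan_line(line)
            if hit:
                rule, value = hit
                findings.append(Finding(path, line_no, rule, value[:4] + "..."))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}  {f.rule}  {f.preview}")
```

The entropy gate is what keeps the generic rule useful: without it, every `password=changeme` in an example config would be noise. Running this as a pre-commit hook or in CI catches the leak before the repository is public; running it over an organization's already-public repositories is the same search an attacker performs.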
Once they have those credentials, they simply log into the systems with them. If some form of two-step verification is required, they sometimes strike a financial deal with the affected employees to approve the login, making those employees direct accomplices in the attack.
SIM swapping also lets them take control of those employees' phone numbers, which defeats any second factor delivered by SMS or voice call; MFA methods that don't rely on the phone number are not affected by a SIM swap.
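Both of these bypasses leave traces in an identity provider's sign-in log, and that is where a defender should look. The following is an added example, not code from the article or from Microsoft's report, and the sign-in events in it are constructed for the example rather than taken from any real tenant. It runs three hypothetical detection rules over the events: an MFA approval preceded by a burst of denied prompts (the employee finally "accepts the login"), an approval from an IP address the user has never signed in from before, and an MFA method change (for instance a new phone number registered after a SIM swap) followed within a day by an approval from a new IP. The event schema, rule names and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in log: (user, ISO timestamp, source IP, event kind).
# Event kinds are a simplified stand-in for what an identity provider logs.
SAMPLE_EVENTS = [
    ("alice", "2022-03-10T09:00:00", "203.0.113.5", "mfa_approved"),
    ("alice", "2022-03-11T09:05:00", "203.0.113.5", "mfa_approved"),
    ("alice", "2022-03-12T02:10:00", "198.51.100.77", "mfa_denied"),
    ("alice", "2022-03-12T02:11:00", "198.51.100.77", "mfa_denied"),
    ("alice", "2022-03-12T02:12:00", "198.51.100.77", "mfa_denied"),
    ("alice", "2022-03-12T02:14:00", "198.51.100.77", "mfa_approved"),  # gave in
    ("bob", "2022-03-12T10:00:00", "203.0.113.9", "mfa_approved"),
    ("bob", "2022-03-12T11:30:00", "203.0.113.9", "mfa_method_changed"),  # new phone number
    ("bob", "2022-03-12T11:45:00", "192.0.2.44", "mfa_approved"),
    ("carol", "2022-03-05T08:00:00", "203.0.113.20", "mfa_approved"),
    ("carol", "2022-03-12T12:00:00", "203.0.113.20", "mfa_denied"),  # one fat-fingered prompt
    ("carol", "2022-03-12T12:30:00", "203.0.113.20", "mfa_approved"),
]


@dataclass
class Alert:
    user: str
    time: str
    rule: str


# Hypothetical thresholds chosen for this example.
BURST_WINDOW = timedelta(minutes=10)   # denied prompts this close to an approval count
BURST_DENIALS = 3                      # ...and this many of them is a burst
FACTOR_CHANGE_WINDOW = timedelta(hours=24)


def detect(events) -> list:
    """Replay events in time order and return one Alert per rule that fires."""
    events = sorted(events, key=lambda e: e[1])  # fixed-width ISO timestamps sort lexically
    known_ips = defaultdict(set)        # user -> IPs of earlier approved sign-ins
    recent_denials = defaultdict(list)  # user -> times of denied prompts since last approval
    last_factor_change = {}             # user -> time of most recent MFA method change
    alerts = []

    for user, ts, ip, kind in events:
        t = datetime.fromisoformat(ts)
        if kind == "mfa_denied":
            recent_denials[user].append(t)
        elif kind == "mfa_method_changed":
            last_factor_change[user] = t
        elif kind == "mfa_approved":
            denials = [d for d in recent_denials[user] if t - d <= BURST_WINDOW]
            # A user with no history at all cannot have a "new" IP yet.
            new_ip = bool(known_ips[user]) and ip not in known_ips[user]

            if len(denials) >= BURST_DENIALS:
                alerts.append(Alert(user, ts, "approval_after_prompt_burst"))
            if new_ip:
                alerts.append(Alert(user, ts, "approval_from_new_ip"))
            changed = last_factor_change.get(user)
            if new_ip and changed is not None and t - changed <= FACTOR_CHANGE_WINDOW:
                alerts.append(Alert(user, ts, "new_factor_then_new_ip"))

            known_ips[user].add(ip)
            recent_denials[user] = []
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.time}  {a.user:6}  {a.rule}")
```

Carol, who denies one prompt and then approves from her usual address, produces no alert; Alice and Bob each trigger two rules. In a real deployment the "known IP" set would be seeded from weeks of history and the approval from a new location would be enriched with geolocation, but the shape of the logic is the same.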
Once inside, they try to exploit vulnerabilities in different systems and look for further information in the code repositories they can now reach. They explore the environment with tools like AD Explorer, a freely available Sysinternals utility that anyone can run to display a sort of "map" of a company's Active Directory, and try to escalate privileges until they have full access to that company's resources.
In fact, the Lapsus$ attacks go further: Microsoft has observed that, after stealing data, the group "joins crisis communication calls and internal discussion boards (Slack, Teams, etc.) to understand the incident response workflow and their corresponding response." In other words, these hackers "stay tuned" to see how the companies react and even use that information to start an extortion process.
What can be done to avoid being exposed? Microsoft recommends strengthening MFA implementations (for example with physical hardware tokens) and improving employee training so that staff are alert to social engineering attacks. The truth is that controlling every link in the chain is really hard, and Lapsus$ seems to know it well.
George is Digismak's reporter-cum-editor with 13 years of experience in journalism.