The week's biggest news story in cybersecurity is the alarming speed and reach of the Lapsus$ threat actor group, which has quickly gained access to sensitive data at multiple enterprise organizations known for their security and data control. Lapsus$ breached Nvidia at the beginning of March, and both Microsoft and Okta have disclosed data thefts by the group in the last several days.
Let's look at the details of the attacks and what tools organizations can use to defend themselves.
As of this writing, seven people aged 16 to 21 have been identified as Lapsus$ members, reportedly led by a 16-year-old living at his mother's home in England and allegedly known by the aliases "White" and "Breachbase". Despite their young age, Lapsus$'s ability to steal data and demand ransom netted them a few million dollars in Bitcoin and other cryptocurrencies before they were identified. Bloomberg interviewed the presumed 16-year-old leader's mother through her house intercom, and she claimed to have no idea that her son was engaged in hacking activities. Tracked by Microsoft as DEV-0537, Lapsus$ apparently started its operation by targeting organizations in the UK and South America before spreading its wings toward leading organizations in government, media, retail, telecommunications, technology, and healthcare globally.
Their preferred method relied on extortion without encryption. Initial access came through social engineering, including luring employees to hand over access in exchange for payment, so that the group could connect to victim systems with remote access tools. Once inside, they siphoned off whatever valuable data could be found with the access they had gained. Instead of encrypting the data for ransom, as is common in these types of attacks, they left the data in place but kept a copy by transmitting it to their own servers. The company was then alerted to what data had been stolen and presented with a demand for payment under threat of releasing the (typically secret and/or sensitive) data to the general public through the messaging platform Telegram.
To date, there are three confirmed and correlated attacks attributed to Lapsus$:
Nvidia was breached at some point before March 5th, 2022, most likely in the days immediately preceding it. Data stolen included source code for Nvidia products and the code-signing certificates used to validate authentic driver updates and other software. This is especially troubling: until Nvidia invalidated the certificates in question, both Lapsus$ and other threat actors could create malware packages and sign them with the stolen certificates, making them appear to be legitimate software and hardware driver update packages. Because a revocation only takes effect once endpoints actually see it, defenders should also block signatures from the leaked certificates explicitly (for example through an application control policy) rather than rely on revocation alone.
Microsoft disclosed that they were breached on or about March 20th. Lapsus$ stole some source code for Microsoft products, though Microsoft has stated that the code taken was not sufficient to create a security issue for users of those products, since Microsoft does not rely on the secrecy of its source code as a security measure.
Okta disclosed its breach at the same time as Microsoft, but the attack and its fallout were a significantly more twisted tale. While Okta data was stolen, it was not stolen from Okta directly. Instead, over a window in January 2022, Lapsus$ gained access to the desktop of a customer support engineer working for an Okta partner, who had access to some Okta administrative tools. That access gave Lapsus$ sensitive information, and the possibility of compromising the Okta tenants of the 366 customers that the engineer's support access could reach. In short, while Okta's information was leaked, it was not obtained directly from Okta but rather through an intermediary.
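The Okta case is the one a defender can check for directly: Okta customers can export their System Log and look for the impersonation events that third-party support access generates. The following is an added example, not code from the original post, from Okta, or from Cymulate. It parses a constructed NDJSON export, pairs `user.session.impersonation.initiate` with `user.session.impersonation.end` inside a review window, collects what the impersonating account did in between, and flags the actions a support engineer should rarely need (password and MFA changes). The sample records, the review window, and the sensitive-event list are assumptions for illustration.

```python
"""Hunt for third-party support impersonation in an Okta System Log export.

Added example, not code from the original post, Okta or Cymulate. Event
names follow Okta's System Log; the records below are constructed and the
sensitive-event list is this example's own choice.
"""
import json
from datetime import datetime, timezone

IMPERSONATION_START = "user.session.impersonation.initiate"
IMPERSONATION_END = "user.session.impersonation.end"

# Actions a support engineer should rarely need to take on a customer tenant.
# Assumed to be the interesting ones for this hunt; tune for your tenant.
SENSITIVE_EVENTS = {
    "user.account.update_password",
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}

# Review window: Okta reported the Lapsus$ access as 16-21 January 2022.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)  # exclusive

# Constructed sample records (NDJSON, one event per line); not real log data.
SAMPLE_LOG = """\
{"eventType": "user.session.start", "published": "2022-01-18T09:12:03.000Z", "actor": {"type": "User", "alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.session.impersonation.initiate", "published": "2022-01-19T14:02:11.000Z", "actor": {"type": "User", "alternateId": "support@partner.example"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.account.update_password", "published": "2022-01-19T14:05:40.000Z", "actor": {"type": "User", "alternateId": "support@partner.example"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.session.impersonation.end", "published": "2022-01-19T14:20:00.000Z", "actor": {"type": "User", "alternateId": "support@partner.example"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.session.impersonation.initiate", "published": "2022-02-02T10:00:00.000Z", "actor": {"type": "User", "alternateId": "support@partner.example"}, "outcome": {"result": "SUCCESS"}}
"""


def _ts(value):
    """Okta publishes ISO 8601 timestamps with a trailing Z; make them aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Parse newline-delimited JSON records and sort them by publish time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: _ts(e["published"]))
    return events


def find_impersonation_sessions(events, start, end):
    """Return impersonation sessions initiated in [start, end).

    Each session records the impersonating actor, when it began and ended
    (None if no end event was seen), and every event that actor generated
    while the session was open.
    """
    sessions = []
    open_by_actor = {}
    for event in events:
        when = _ts(event["published"])
        actor = event["actor"]["alternateId"]
        etype = event["eventType"]
        if etype == IMPERSONATION_START:
            if start <= when < end:
                session = {"actor": actor, "initiated": when,
                           "ended": None, "actions": []}
                sessions.append(session)
                open_by_actor[actor] = session
            continue
        session = open_by_actor.get(actor)
        if session is None:
            continue  # not acting under an in-window impersonation session
        if etype == IMPERSONATION_END:
            session["ended"] = when
            del open_by_actor[actor]
        else:
            session["actions"].append(event)
    return sessions


def sensitive_actions(sessions):
    """(actor, eventType, published) for sensitive actions taken under impersonation."""
    flagged = []
    for session in sessions:
        for action in session["actions"]:
            if action["eventType"] in SENSITIVE_EVENTS:
                flagged.append((session["actor"], action["eventType"],
                                action["published"]))
    return flagged


def report(text=SAMPLE_LOG, start=WINDOW_START, end=WINDOW_END):
    """Parse an export, find in-window sessions, and return them with flagged actions."""
    sessions = find_impersonation_sessions(parse_events(text), start, end)
    return sessions, sensitive_actions(sessions)


if __name__ == "__main__":
    found, flagged = report()
    for s in found:
        print(f"{s['actor']} impersonated from {s['initiated']} to {s['ended']} "
              f"({len(s['actions'])} actions)")
    for actor, etype, when in flagged:
        print(f"  SENSITIVE {etype} by {actor} at {when}")
```

Point `report()` at a real export by passing the file contents as `text` and adjusting the window; sessions with an initiate but no end event are still returned (with `ended` set to None), which is exactly the case worth a closer look.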
Some common threads weave through all three of the Lapsus$ attacks we know about:
Fourth, test your security controls regularly, preferably monthly or more often. Attack techniques change rapidly, and new gaps can open in an otherwise secure environment with little warning; changes to software, hardware, procedures, and staff can also easily create new gaps in defenses. Testing regularly lets you detect this security "drift" quickly and take appropriate remediation action.
It is not always possible to completely stop an attacker, especially one who has an employee assisting them. That said, a multi-layered defense can limit the damage a threat actor group can cause, even when they have an inside resource.
Proper implementation, together with ongoing testing and validation, of network and application protection, endpoint security, Identity and Access Management, and Data Loss Prevention platforms can help to ensure that, even if a breach occurs, threat actors are unable to destroy the information or remove it from your organization, or at least limit what they can gain access to, thereby minimizing the damage, the embarrassment to the brand, and the regulatory intervention your organization is subjected to.
See how Cymulate can help your unique organization's environment with a persona demo today.
Mike Talon is a Solution Architect living and working in New York City. He’s assisted in disaster recovery and migration, Cloud transformation, and identity and security operations and testing for companies ranging from Mom & Pop retail shops to Fortune 100 global companies. Mike currently works with Cymulate – Breach and Attack Simulation; helping customers find ways to live safely in interesting times.