Lapsus$, Okta, Microsoft, and RDP – The Attack Success Factors

By: Mike Talon, March 27, 2022

The week's biggest news story in cybersecurity is the alarming speed and reach of the Lapsus$ threat actor group, which has quickly gained access to the sensitive data of multiple enterprise organizations known for security and data control. Lapsus$ breached Nvidia at the beginning of March, and both Microsoft and Okta have disclosed data thefts by the group in the last several days.

Let's look at the details of the attacks and what tools organizations can use to defend themselves.  


Who is Lapsus$? 

As of this writing, Lapsus$ members have been identified as seven teenagers aged 16 to 21, led by a 16-year-old living in his mother's home in England and allegedly known by the aliases "White" and "Breachbase". Despite their young age, Lapsus$'s ability to steal data and demand ransom netted them a few million dollars in Bitcoin and other cryptocurrencies before they were identified. Bloomberg interviewed the presumed 16-year-old group leader's mother through her house intercom, and she claimed to have no idea that her son was engaged in hacking activities. Tracked by Microsoft as DEV-0537, Lapsus$ apparently started its operation by targeting UK and South American organizations before spreading its wings toward leading organizations in government, media, retail, telecommunications, technology, and healthcare globally.

Their preferred method relied on extortion without encryption, applied after gaining access through social engineering (including luring employees into granting access in exchange for promised payment) so that they could connect to victim systems with remote access tools. Once inside, they siphoned off whatever valuable data could be found with the access they had gained. Instead of encrypting the data for ransom, as is common in these types of attacks, they left the data in place but kept a copy by transmitting it to their own servers. The company was then alerted to what data had been stolen and presented with a demand for payment under the threat of releasing the (typically secret and/or sensitive) data to the general public through the encrypted chat platform Telegram.


Who Have They Attacked? 

To date, there are three confirmed and correlated attacks attributed to Lapsus$: 

  • Nvidia 

Nvidia was breached at some point before March 5th, 2022, most likely in the days immediately preceding. Data stolen included source code for Nvidia products and the driver signing certificates used to validate authentic driver updates and other software. This is especially troubling because, until Nvidia invalidated the certificates in question, both Lapsus$ and other threat actors could create malware packages and sign them with these stolen certificates, making them appear to be legitimate software and hardware driver update packages. 

  • Microsoft 

Microsoft disclosed that they were breached on or about March 20th. Lapsus$ stole some source code for Microsoft products, though Microsoft themselves have stated that the code stolen was not sufficient to cause a security issue for users of those products.  

  • Okta

Okta was also breached around the same time as Microsoft, but the attack and its fallout were a significantly more twisted tale. While Okta data was stolen, it was not stolen from Okta directly. Instead, Lapsus$ gained access to the desktop of a Customer Success Representative working for an Okta partner, who had access to some Okta administrative tools. This gave Lapsus$ access to sensitive information about, and the possibility of endangering the Okta security of, 366 different Okta customers who used that specific partner. In short, while Okta's information was leaked, it was not obtained directly from Okta but rather through an intermediary. 


The Attack Success Factors and Key Takeaways 

Some common threads weave through all three of the Lapsus$ attacks we know about:  

  1. The human factor - Social engineering seems to be the infiltration vector used in all three attacks. It is not yet known whether this was a traditional social engineering attack (e.g., phishing or other forms of deception) or the corruption of an employee through bribery or other means, but in all three cases Lapsus$ gained access to systems by leveraging users and their equipment. 
  2. Data was not encrypted but only stolen. This is particularly worrisome because, if an insider was involved, the attackers could have maintained a presence (known as dwell time) for an indefinite period. While Data Loss Prevention techniques may have limited the ability to remove data from the environment, there would not be the obvious indicators traditionally seen in other recent attacks, such as large amounts of data suddenly being locked down by unauthorized encryption software or settings such as backup protocols being altered.  
  3. Tools for remote desktop access (such as the Remote Desktop Protocol, or RDP) were used as part of the attack. RDP tools, both the official ones from Microsoft and third-party ones, are common and are used for legitimate operations such as technical support and remote server administration. The problem is that if they are incorrectly configured, or turned on by an attacker, they can also be used to gain access to desktops, laptops, servers, cloud instances, or anything else that answers an RDP request.  


Fortifying Your Security Posture

  • First, strictly control any remote administration tools and services used by the organization, and ensure that any tools not required are fully disabled and stay disabled. Ensure that endpoint controls like EDR/XDR platforms recognize and block any remote access software installs that are not authorized by the organization. Breach and Attack Simulation tools can both test the security of existing RDP instances and allow you to attempt to enable and access RDP sessions in areas where they should not be usable (this is a tactic of Lapsus$ that has been observed recently). Endpoint Security Assessments can test EDR/XDR tools to ensure they trigger when faced with known remote access packages.  
  • Second, ensure that all employees are aware of social engineering techniques. This training should include how to identify a social engineering attack, how to detect phishing, how to confirm the identity of any person claiming to work for the organization and requesting access to their systems, and who should be alerted if any of these behaviors are witnessed during the workday or at any other time. While insider collusion cannot be ruled out in the case of the Lapsus$ attacks, the use of social engineering techniques to turn otherwise loyal employees into pawns of the attacker is incredibly common. Assessment tools can help identify where users may need more training, especially if they have Lateral Movement and Advanced Scenarios modules that can recognize an attempt to misuse identity components for unauthorized purposes - such as user token manipulation. 
  • Third, invest in robust Data Loss Prevention and Cloud Access Security Broker (DLP and CASB) solutions. These tools restrict the movement of critical, sensitive, and/or confidential data so that only authorized users may access it, and only for authorized purposes, limiting an attacker's ability to remove data from the organization. Continuous security validation tools can confirm whether these controls are properly blocking the exfiltration of data through unauthorized channels. 
  • Fourth, test your security controls regularly, preferably monthly or more often. Attack techniques change rapidly, and new gaps can open in an otherwise secure environment with little warning. Changes to software, hardware, procedures, and staff can also easily create new gaps in defenses. Testing regularly allows you to detect this cybersecurity "drift" quickly and take appropriate remediation action.  
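The third success factor above (RDP used as part of the attack) and the first recommendation (strictly control remote administration tools and block unauthorized remote access installs) both come down to the same monitoring question: where are RDP sessions actually happening, from where, and is anything installing remote access capability that the organization did not sanction? The following is an added example, not Cymulate's code or any product's, showing that logic as a small detector over Windows event records. The event IDs are real Windows ones (Security 4624/4625 with LogonType 10 for Remote Desktop logons, System 7045 for a newly installed service); the policy values (the authorized RDP host, the management subnet, the approved service directories, the failure threshold) and the sample events are constructed assumptions for the example.

```python
from collections import Counter
import ipaddress

# --- Policy (assumptions for this example; adapt to your own environment) ---
AUTHORIZED_RDP_HOSTS = {"JUMP-01"}                        # the only host where RDP should be reachable
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]   # admin VLAN allowed to originate RDP sessions
APPROVED_SERVICE_DIRS = ("c:\\program files\\", "c:\\windows\\")  # where sanctioned services are installed
FAILED_RDP_THRESHOLD = 5                                  # failed RDP logons per source before alerting

# Constructed sample events (not real telemetry). Security 4624 = successful logon,
# 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP). System 7045 = new service installed.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin.ops", "IpAddress": "10.0.5.23", "Computer": "JUMP-01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "Computer": "WS-0142"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe", "IpAddress": "-", "Computer": "WS-0142"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-support", "IpAddress": "203.0.113.77", "Computer": "JUMP-01"},
    *[{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.9", "Computer": "JUMP-01"}
      for _ in range(5)],
    {"EventID": 7045, "ServiceName": "RemoteHelperSvc",
     "ImagePath": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rh.exe", "Computer": "WS-0142"},
]


def source_is_management(ip_text):
    """True when the logon source address lies inside an approved management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # 4624 records "-" when no network source applies (console/local logons)
        return False
    return any(ip in net for net in MANAGEMENT_NETS)


def analyze(events):
    """Return a list of findings; each finding is a dict whose 'rule' key names the detection."""
    findings = []
    failed_rdp_by_source = Counter()

    for ev in events:
        eid = ev.get("EventID")

        # Successful RDP logon: check both the destination host and the source network.
        if eid == 4624 and ev.get("LogonType") == 10:
            if ev["Computer"] not in AUTHORIZED_RDP_HOSTS:
                findings.append({"rule": "rdp_on_unexpected_host",
                                 "host": ev["Computer"], "user": ev["TargetUserName"]})
            if not source_is_management(ev["IpAddress"]):
                findings.append({"rule": "rdp_from_outside_mgmt_net",
                                 "host": ev["Computer"], "source": ev["IpAddress"]})

        # Failed RDP logons are counted per source and reported once the threshold is hit.
        elif eid == 4625 and ev.get("LogonType") == 10:
            failed_rdp_by_source[ev["IpAddress"]] += 1

        # A new service whose binary lives outside the sanctioned directories is a common
        # footprint of an unauthorized remote access tool being installed.
        elif eid == 7045:
            path = ev.get("ImagePath", "")
            if not path.lower().startswith(APPROVED_SERVICE_DIRS):
                findings.append({"rule": "unapproved_service_install",
                                 "host": ev["Computer"], "service": ev.get("ServiceName"), "path": path})

    for source, count in failed_rdp_by_source.items():
        if count >= FAILED_RDP_THRESHOLD:
            findings.append({"rule": "rdp_auth_failures", "source": source, "count": count})

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the detector reports four findings: an RDP session on a workstation that should not accept RDP at all, an RDP session on the jump host from an address outside the management VLAN, five failed RDP logons from one external source, and a service installed from a user's Temp directory. The same four checks map directly onto the testing the first recommendation describes: a Breach and Attack Simulation run that enables or connects to RDP where it should not be usable, or drops a remote access package onto an endpoint, should light up these rules (or the equivalent ones in your SIEM); if it does not, the gap is in telemetry or policy, not in the attacker's creativity.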


Closing Thoughts 

It is not always possible to completely stop an attacker, especially if they have an employee assisting them in their attack. That being said, a multi-layered defense can limit the damage that can be caused by a threat actor group, even if they have an inside resource.

Proper implementation and ongoing testing and validation of network and application protection, endpoint security, Identity and Access Management, and Data Loss Prevention platforms can help to ensure that, even if a breach occurs, threat actors are unable to either destroy the information or remove it from your organization.

Failing that, these controls at least limit what attackers are able to gain access to, thereby minimizing the damage, the embarrassment to the brand, and the regulatory intervention your organization is subjected to. 

See how Cymulate can help your unique organization's environment with a persona demo today.


Mike Talon

Mike Talon is a Solution Architect living and working in New York City. He has assisted in disaster recovery and migration, cloud transformation, and identity and security operations and testing for companies ranging from mom-and-pop retail shops to Fortune 100 global companies. Mike currently works with Cymulate (Breach and Attack Simulation), helping customers find ways to live safely in interesting times.