The NCC Group has released a new report that reveals how Lapsus$ attacks are launched. The report details the tactics and techniques behind the group’s highly unpredictable attacks, as well as how the group selects and targets its victims.
The Lapsus$ attacks
Lapsus$ has gained notoriety in the last five months due to successful breaches of Microsoft, Nvidia, Okta, and Samsung. In one instance, the Lapsus$ group used nothing more than the genuine Sysinternals tool ADExplorer to conduct reconnaissance on the victim’s environment.
To gain access to victims’ systems, the group used stolen authentication cookies from SSO apps and scraped Microsoft SharePoint sites to find credentials within technical documentation.
Lapsus$ gains access to local password managers and databases in order to obtain credentials and escalate privileges. Lapsus$ focuses on stealing source code and intellectual property rather than stealing personal information. The group also clones git repositories and extracts sensitive API keys.
After stealing the data, the group disrupts and destroys cloud environments, focusing on on-premises VMware ESXi infrastructure to hide its tracks. Furthermore, the researchers observed mass deletion of VMs, storage, and configurations in cloud environments, making it harder for victims to recover and for investigation teams to analyse the intrusion.
A synopsis of Lapsus$
Lapsus$ debuted in December 2021. The NCC Group, however, had observed the group months earlier during an incident response engagement. Furthermore, the report claims that the group was active before it became known as Lapsus$.
The goal of these attacks appears to be to gain money and a reputation on the dark web. Lapsus$ breaches rely heavily on privilege escalation and credential harvesting. Furthermore, it appears that the attackers’ primary goal is to exploit corporate VPNs.
Lapsus$ appears to be preoccupied with application source code or proprietary information. As a result, the report makes several recommendations to combat such threats, such as logging for cloud computing environments, using MFA for user authentication, and restricting unauthorised access to sensitive data.
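The mass deletion of VMs, storage and configurations described above is exactly the kind of activity the report's cloud-logging recommendation is meant to catch. The following detection sketch is an added example, not code from NCC Group or the report: it reads constructed JSON-lines audit events (the field names and action names are assumptions, to be mapped onto your provider's real audit schema) and flags any principal that performs a burst of destructive actions inside a short sliding window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Action names are assumed for this example; map them to the real event
# names in your cloud provider's audit log before use.
DESTRUCTIVE_ACTIONS = {
    "vm.delete", "disk.delete", "snapshot.delete", "bucket.delete", "config.delete",
}

# Constructed sample audit log (JSON lines); not taken from any real incident.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2022-04-20T02:00:05Z", "actor": "svc-backup", "action": "snapshot.create", "resource": "vm-01"},
    {"time": "2022-04-20T02:01:10Z", "actor": "admin-x", "action": "vm.delete", "resource": "vm-01"},
    {"time": "2022-04-20T02:01:40Z", "actor": "admin-x", "action": "vm.delete", "resource": "vm-02"},
    {"time": "2022-04-20T02:02:15Z", "actor": "admin-x", "action": "disk.delete", "resource": "disk-01"},
    {"time": "2022-04-20T02:02:50Z", "actor": "admin-x", "action": "disk.delete", "resource": "disk-02"},
    {"time": "2022-04-20T02:03:30Z", "actor": "admin-x", "action": "snapshot.delete", "resource": "snap-01"},
    {"time": "2022-04-20T02:04:05Z", "actor": "admin-x", "action": "config.delete", "resource": "fw-rules"},
    {"time": "2022-04-20T02:10:00Z", "actor": "svc-backup", "action": "snapshot.delete", "resource": "snap-old-1"},
    {"time": "2022-04-20T03:40:00Z", "actor": "svc-backup", "action": "snapshot.delete", "resource": "snap-old-2"},
    {"time": "2022-04-20T05:00:00Z", "actor": "ops-y", "action": "vm.delete", "resource": "vm-test"},
])


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def find_mass_deletion(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: peak_count} for actors whose destructive actions reach
    `threshold` inside any sliding window of length `window`."""
    per_actor = defaultdict(list)
    for event in events:  # events are already time-ordered
        if event["action"] in DESTRUCTIVE_ACTIONS:
            per_actor[event["actor"]].append(event["time"])
    alerts = {}
    for actor, times in per_actor.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts
```

With the sample data, only admin-x trips the default rule (six deletions in under five minutes); the backup service's two snapshot deletions 90 minutes apart do not, which is the distinction a tuned threshold and window should preserve.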