Friday, July 22, 2022

Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists



The LAPSUS$ extortion group has gone quiet following a notorious and rapid rise through the threat landscape, targeting companies including Microsoft, NVIDIA, and Okta, and earning notoriety for its freewheeling, decentralized approach to cybercrime.

However, researchers said the group is likely not gone, and in any case its "brazen" tactics may leave a legacy.

A new report from exposure management specialist Tenable digs into the group's background and the tactics, techniques, and procedures (TTPs) it has used, maturing from distributed denial-of-service (DDoS) attacks and website vandalism to more sophisticated methods. These include the use of social engineering techniques to reset user passwords and co-opt multifactor authentication (MFA) tools.
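Co-opting push-based MFA through social engineering tends to leave a recognisable trail in identity-provider logs: a cluster of challenges against one account, most of them denied or left to time out, ending in an approval from an address that has never authenticated for that user before. The following is an added example, not code from Tenable's report or from the article, showing detection logic for that pattern over a constructed JSON-lines log. The field names (`ts`, `user`, `event`, `result`, `ip`) and the thresholds are assumptions; map them to your own IdP's export.

```python
"""Flag MFA push-fatigue bursts in authentication logs.

Added example, not from Tenable's report or the article. The log format
below is constructed for illustration; field names and thresholds are
assumptions to be adapted to the identity provider in use.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice approves a normal login in the morning; that
# night an unfamiliar IP fires five pushes in two minutes and the fifth is
# approved. bob denies one accidental push and then approves a real one.
SAMPLE_LOG = """
{"ts": "2022-03-01T08:00:00Z", "user": "alice", "event": "mfa.push", "result": "approved", "ip": "203.0.113.10"}
{"ts": "2022-03-01T22:10:00Z", "user": "alice", "event": "mfa.push", "result": "denied", "ip": "198.51.100.7"}
{"ts": "2022-03-01T22:10:30Z", "user": "alice", "event": "mfa.push", "result": "timeout", "ip": "198.51.100.7"}
{"ts": "2022-03-01T22:11:05Z", "user": "alice", "event": "mfa.push", "result": "denied", "ip": "198.51.100.7"}
{"ts": "2022-03-01T22:11:40Z", "user": "alice", "event": "mfa.push", "result": "denied", "ip": "198.51.100.7"}
{"ts": "2022-03-01T22:12:15Z", "user": "alice", "event": "mfa.push", "result": "approved", "ip": "198.51.100.7"}
{"ts": "2022-03-01T09:00:00Z", "user": "bob", "event": "mfa.push", "result": "denied", "ip": "203.0.113.20"}
{"ts": "2022-03-01T09:00:40Z", "user": "bob", "event": "mfa.push", "result": "approved", "ip": "203.0.113.20"}
""".strip()

WINDOW = timedelta(minutes=10)  # assumed: how tightly a burst must cluster
MIN_PUSHES = 4                  # assumed: pushes inside WINDOW before we care


def parse_events(text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted per user."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: (r["user"], r["ts"]))


def detect_push_fatigue(events, window=WINDOW, min_pushes=MIN_PUSHES):
    """Return one alert per user whose push history shows a fatigue pattern:
    at least `min_pushes` challenges inside `window`, at least one of them
    not approved, and the burst ending in an approval. Each alert records
    whether the approving IP had approved for that user before the burst."""
    by_user = defaultdict(list)
    for rec in events:
        if rec["event"] == "mfa.push":
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, pushes in by_user.items():
        known_ips = set()  # IPs that approved before the current window
        start = 0
        for end, rec in enumerate(pushes):
            # Advance `start` until pushes[start:end+1] fits inside `window`;
            # approvals that fall out of the window become "known" history.
            while rec["ts"] - pushes[start]["ts"] > window:
                if pushes[start]["result"] == "approved":
                    known_ips.add(pushes[start]["ip"])
                start += 1
            burst = pushes[start:end + 1]
            not_approved = sum(1 for p in burst if p["result"] != "approved")
            if (len(burst) >= min_pushes and not_approved > 0
                    and rec["result"] == "approved"):
                alerts.append({
                    "user": user,
                    "burst_start": burst[0]["ts"].isoformat(),
                    "approved_at": rec["ts"].isoformat(),
                    "pushes": len(burst),
                    "not_approved": not_approved,
                    "approved_from": rec["ip"],
                    "ip_previously_approved": rec["ip"] in known_ips,
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Only alice trips the rule: five pushes in just over two minutes, four of them not approved, and the final approval comes from an IP with no prior approval history for her account. bob's two pushes stay under the threshold. The `ip_previously_approved` flag is what separates a user who simply fumbled a prompt from one who gave in to an attacker.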

"Characterized by erratic behavior and outlandish demands that cannot be met — at one point, the group even accused a target of hacking back — the LAPSUS$ group's tenure at the forefront of the cybersecurity news cycle was chaotic," the report notes.

Chaos, Lack of Logic Part of the Plan

"You could absolutely call LAPSUS$ 'a bit punk rock,' but I try to avoid making bad actors sound that cool," notes Claire Tills, senior research engineer at Tenable. "Their chaotic and illogical approaches to attacks made it much harder to predict or prepare for the incidents, often catching defenders on the back foot."

She explains that, perhaps because of the group's decentralized structure and crowdsourced decisions, its target profile is all over the place, which means organizations can't operate from the "we're not an interesting target" viewpoint with actors like LAPSUS$.

Tills adds that it's always hard to say whether a threat group has disappeared, rebranded, or just gone temporarily dormant.

"Regardless of whether the group identifying themselves as LAPSUS$ ever claims another victim, organizations can learn valuable lessons about this type of actor," she says. "Several other extortion-only groups have gained prominence in recent months, likely inspired by LAPSUS$'s brief and boisterous career."

As noted in the report, extortion groups are likely to target cloud environments, which often contain the sensitive, valuable information that extortion groups seek.

"They're also often misconfigured in ways that offer attackers access to such information with lower permissions," Tills adds. "Organizations must ensure their cloud environments are configured with least-privilege principles and institute robust monitoring for suspicious behavior."
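The "lower permissions" problem Tills describes usually comes down to grants that were written with wildcards instead of explicit lists, so a low-value identity ends up able to read everything. The following is an added example, not code from Tenable's report or the article, that audits a policy document for the wildcard patterns least privilege rules out and shows a tightened version of the same grant. It uses the AWS IAM JSON policy format purely because it is widely recognised; the report names no provider, and both policies below are constructed.

```python
"""Audit a cloud IAM policy document for least-privilege violations.

Added example, not from Tenable's report or the article. The AWS IAM JSON
policy layout is used only as a familiar illustration; both policies are
constructed, and the checks are a starting point, not a complete linter.
"""
import json

# Constructed: an application role that can do anything, anywhere.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
    ],
})

# Constructed: the same role, reduced to the two calls it needs on the one
# bucket it uses, plus a Deny that narrows rather than widens access.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-uploads",
                      "arn:aws:s3:::app-uploads/*"]},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Identity-management calls on every resource let a compromised principal
# attach wider policies or assume other roles: a privilege-escalation path.
ESCALATION_PREFIXES = ("iam:", "sts:")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (statement_index, finding) pairs for Allow statements that use
    wildcards where least privilege expects an explicit action/resource list.
    Deny statements are skipped because they can only remove access."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; compare in lower case.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))

        if "*" in actions:
            findings.append((i, "Action '*' grants every API call"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append((i, f"Action '{action}' grants a whole service"))

        if "*" in resources and "Condition" not in stmt:
            findings.append((i, "Resource '*' with no Condition"))
        for res in resources:
            # 'arn:...:::*' means every resource of a service; a wildcard
            # below a named resource (bucket/*) is a narrower, normal grant.
            if res != "*" and res.endswith(":*"):
                findings.append((i, f"Resource '{res}' covers a whole service"))

        if "*" in resources and any(
                a == "*" or a.startswith(ESCALATION_PREFIXES) for a in actions):
            findings.append((i, "identity-management actions on all resources: "
                                "privilege-escalation path"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_policy(doc) or "no findings")
```

Run against `WEAK_POLICY` the audit reports five findings across the two statements; `FIXED_POLICY` produces none, because the Deny is ignored and the Allow names its actions and scopes its resources to one bucket. The same shape of check belongs in a CI step over infrastructure-as-code, so a wildcard never reaches production in the first place.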

As with many threat actors, she says, social engineering remains a reliable tactic for extortion groups, and the first step many organizations will need to take is assuming they could be a target.

"After that, robust practices like multifactor and passwordless authentication are essential," she explains. "Organizations must also continually assess for and remediate known-exploited vulnerabilities, particularly on virtual private network products, Remote Desktop Protocol, and Active Directory."

She adds that while initial access was often achieved through social engineering, legacy vulnerabilities are invaluable to threat actors seeking to elevate their privileges and move laterally through systems to reach the most sensitive information they can find.

LAPSUS$ Members Likely Still Active

Just because LAPSUS$ has been quiet for months doesn't mean the group is suddenly defunct. Cybercrime groups often go dark to stay out of the spotlight, recruit new members, and refine their TTPs.

"We would not be surprised to see LAPSUS$ resurface in the future, possibly under a different name in an effort to distance themselves from the infamy of the LAPSUS$ name," says Brad Crompton, director of intelligence for Intel 471's Shared Services.

He explains that although LAPSUS$ group members have been arrested, he believes the group's communication channels will remain operational and that many businesses will be targeted by threat actors once affiliated with the group.

"Additionally, we may also see these previous LAPSUS$ group members develop new TTPs or potentially create spinoffs of the group with trusted group members," he says. "However, these are unlikely to be public groups and will probably enact a higher degree of operational security, unlike their predecessors."

Money as the Main Motivator

Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity provider, explains that cybercriminals are motivated by money while nation-states are motivated by national goals. So, while LAPSUS$ isn't playing by the rules, its actions are somewhat predictable.

"The most dangerous aspect, in my opinion, is that most organizations have spent the last five or more years developing symmetric defensive strategies based on threat actors with reasonably well-defined definitions and goals," he says. "When a chaotic threat actor is introduced into the mix, the game tilts and becomes asymmetric, and my main concern about LAPSUS$ and other similar actors is that defenders haven't really been preparing for this type of threat for quite some time."

He points out that LAPSUS$ relies heavily on social engineering to gain an initial foothold, so assessing your organization's readiness for social engineering threats, at both the human training and technical control levels, is a prudent precaution to take here.

Ellis says that while the stated goals of LAPSUS$ and Anonymous/Antisec/Lulzsec are very different, he believes they will behave similarly in the future as threat actors.

He says the evolution of Anonymous in the early 2010s saw various subgroups and actors rise to prominence, then fade away, only to be replaced by others that replicated and doubled down on successful techniques.

"Perhaps LAPSUS$ has vanished completely and forever," he says, "but, as a defender, I wouldn't rely on this as my primary defensive strategy against this type of chaotic threat."
