Threat Actor Update: LAPSUS$ Compromises Highlight the Effectiveness of Insider Threats
Extortion group LAPSUS$ announced in March it compromised Okta (1), a widely used identity and access management provider, and Microsoft (4). LAPSUS$ claimed to have “superuser/admin” access to Okta and that it had accessed customer data (2). Okta suspects LAPSUS$ gained access to a support engineer’s laptop between 16th and 21st January 2022 (1). The data of approximately 2.5% of Okta’s customers has potentially been viewed or acted upon (1). In a separate incident, LAPSUS$ claimed to have leaked 37GB of source code belonging to Microsoft (3). Microsoft confirms that a single account had been compromised and portions of source code was exfiltrated (4).
LAPSUS$, tracked as DEV-0537 by Microsoft, uses an extortion and destruction model without ransomware (4). According to Microsoft, LAPSUS$ typically focuses on compromising user identities of the targeted organization for initial access. LAPSUS$ leverages multiple TTPs such as paying employees at targeted organizations for credentials and multi-factor authentication (MFA) approval, buying credentials and session tokens from criminal forums and searching public code repositories for credentials. After gaining initial access, LAPSUS$ focuses on extending its access within the network by enumerating credentials for higher privileged users and exploiting unpatched vulnerabilities on internally accessible servers. LAPSUS$ uses known virtual private server (VPS) providers and geographically aligned NordVPN egress points to exfiltrate victim’s data. After exfiltration, LAPSUS$ has been observed deleting the target’s systems and resources (4).
The City of London Police in late March arrested seven teenagers related to the LAPSUS$ group including a 16-year-old from Oxford, who is accused of being one of the leaders of LAPSUS$ (5). The accused leader goes by the online aliases “White” or “Beachbase” and was doxed online, revealing his name, address, and social media pictures (5). Security researchers have been monitoring “White” since mid-2021 and have been notifying law enforcement of the latest activity (5). LAPSUS$ activity continued even despite the arrests; they claimed to have leaked customer source code from Globant, a software services company according to 30 March reporting (12).
LAPSUS$, although not the first group to leverage insider threats, has proven how vulnerable even large, well-resourced organizations are to this TTP. Many organizations have rightfully focused on the threat traditional ransomware groups and their affiliates pose to them; however, the recent success of LAPSUS$ should cause organizations to assess their current insider threat program to see whether it is effective in the current threat landscape.
Malware: Ukraine War Continues to Impact Cybercriminal Ecosystem
The developers of the commodity information stealer Racoon Stealer temporarily closed all sales due personnel loss in the Russia-Ukraine war (6). According to a 25th March tweet from the group, a critical member of the team was killed “due to the ‘special operation’” - a likely reference to Russia’s invasion of Ukraine. The loss stops the group providing stable operation for customers of the malware (6). The group states that this is not a permanent hiatus and that they will be back with a second version in a few months (6). The temporary closure of Racoon Stealer is causing customers to turn to Mars Stealer, causing their operators to be overwhelmed with messages (7).
The Ukraine war continues to impact the cybercriminal ecosystem in various ways, including causing financially motivated groups to become more politically oriented. Raidforums, an illicit forum, published a notification banning any user connecting from Russia (7) to show their position on the Russia-Ukraine war. The ransomware group Conti, after openly backing the Russian state, was the subject of a massive leak by a Ukrainian security researcher (13).
Exploit Tools and Targets: State-Backed North Korean Groups Exploit Chrome Vulnerability
Two North Korean state-backed groups (8) exploited CVE-2022-0609, a remote code execution (RCE) vulnerability in Chrome (9). The campaign targeting news media and IT organizations sent emails claiming to be recruiters at Disney, Google, or Oracle containing links spoofing job hunting websites. Clicking on the link would serve a hidden iframe that would trigger the exploit kit. The campaign targeting cryptocurrency and fintech industries set up fake websites and compromised at least two legitimate fintech company websites to serve the exploit kit to targets. The exploit kit fingerprinted the targets system then requested the next stage if the conditions were met.
The number of Chrome vulnerabilities exploited has been growing steadily over the past years. The number of Chrome vulnerabilities exploited in the wild increased from 8 in 2020 to in 14 in 2021 (10). Google has already announced two zero-days this year, CVE-2022-0609 (9) and CVE-2022-1096 (11). Google attributes the rise in Chrome vulnerabilities to the deprecation of Flash, Chromium being used is multiple browsers, multiple bugs needing to be chained for a single exploit and the increasing complexity of the browser (10). Google has released security fixes for CVE-2022-0609 (9) and CVE-2022-1096 (11).
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
You may also download the content as eiq_json, stix1_2, stix2_1.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at email@example.com.