EclecticIQ
Racoon Stealer Development Hiatus, Updates on LAPSUS$ and North Korean State Backed Operations

This issue of the Analyst Prompt looks at the new activity surrounding the cybercriminal group LAPSUS$, the effect the Ukraine war is having on the cybercriminal ecosystem and malicious activity exploiting a new vulnerability in Chrome.

EclecticIQ Threat Research Team April 5, 2022

Threat Actor Update: LAPSUS$ Compromises Highlight the Effectiveness of Insider Threats

Extortion group LAPSUS$ announced in March that it had compromised Okta (1), a widely used identity and access management provider, and Microsoft (4). LAPSUS$ claimed to have “superuser/admin” access to Okta and to have accessed customer data (2). Okta suspects LAPSUS$ gained access to a support engineer’s laptop between 16 and 21 January 2022 (1). The data of approximately 2.5% of Okta’s customers has potentially been viewed or acted upon (1). In a separate incident, LAPSUS$ claimed to have leaked 37GB of source code belonging to Microsoft (3). Microsoft confirmed that a single account had been compromised and that portions of source code were exfiltrated (4).

LAPSUS$, tracked as DEV-0537 by Microsoft, uses an extortion and destruction model that does not rely on ransomware (4). According to Microsoft, LAPSUS$ typically focuses on compromising user identities at the targeted organization to gain initial access. It leverages multiple TTPs, such as paying employees of targeted organizations for credentials and multi-factor authentication (MFA) approvals, buying credentials and session tokens on criminal forums, and searching public code repositories for credentials. After gaining initial access, LAPSUS$ extends its access within the network by enumerating credentials of higher-privileged users and exploiting unpatched vulnerabilities on internally accessible servers. LAPSUS$ uses known virtual private server (VPS) providers and geographically aligned NordVPN egress points to exfiltrate victims’ data. After exfiltration, LAPSUS$ has been observed deleting the target’s systems and resources (4).

In late March, the City of London Police arrested seven teenagers in connection with the LAPSUS$ group, including a 16-year-old from Oxford who is accused of being one of the group’s leaders (5). The accused leader goes by the online aliases “White” or “Beachbase” and was doxed online, revealing his name, address, and social media pictures (5). Security researchers have been monitoring “White” since mid-2021 and have been notifying law enforcement of his latest activity (5). LAPSUS$ activity continued despite the arrests: according to 30 March reporting, the group claimed to have leaked customer source code from Globant, a software services company (12).

LAPSUS$ is not the first group to leverage insider threats, but it has shown how vulnerable even large, well-resourced organizations are to this TTP. Many organizations have rightfully focused on the threat that traditional ransomware groups and their affiliates pose; the recent success of LAPSUS$ should prompt organizations to assess whether their current insider threat program is effective in the present threat landscape.

Malware: Ukraine War Continues to Impact Cybercriminal Ecosystem

The developers of the commodity information stealer Racoon Stealer have temporarily closed all sales after losing a team member in the Russia-Ukraine war (6). According to a 25 March tweet from the group, a critical member of the team was killed “due to the ‘special operation’”, a likely reference to Russia’s invasion of Ukraine. The loss prevents the group from providing stable operation for customers of the malware (6). The group states that the hiatus is not permanent and that it will return with a second version in a few months (6). The temporary closure of Racoon Stealer is driving customers to Mars Stealer, whose operators are now overwhelmed with messages (7).

The Ukraine war continues to impact the cybercriminal ecosystem in various ways, including pushing financially motivated groups to become more politically oriented. Raidforums, an illicit forum, published a notification banning any user connecting from Russia to signal its position on the Russia-Ukraine war (7). The ransomware group Conti, after openly backing the Russian state, was the subject of a massive leak by a Ukrainian security researcher (13).

Exploit Tools and Targets: State-Backed North Korean Groups Exploit Chrome Vulnerability

Two North Korean state-backed groups (8) exploited CVE-2022-0609, a remote code execution (RCE) vulnerability in Chrome (9). The campaign targeting news media and IT organizations sent emails purporting to come from recruiters at Disney, Google, or Oracle, containing links to pages spoofing job-hunting websites. Clicking a link served a hidden iframe that triggered the exploit kit. The campaign targeting the cryptocurrency and fintech industries set up fake websites and compromised at least two legitimate fintech company websites to serve the exploit kit to targets. The exploit kit fingerprinted the target’s system and then requested the next stage only if its conditions were met.

The number of Chrome vulnerabilities exploited in the wild has grown steadily over the past years, from 8 in 2020 to 14 in 2021 (10). Google has already announced two zero-days this year, CVE-2022-0609 (9) and CVE-2022-1096 (11). Google attributes the rise in exploited Chrome vulnerabilities to the deprecation of Flash, the use of Chromium in multiple browsers, the need to chain multiple bugs for a single exploit, and the increasing complexity of the browser (10). Google has released security fixes for both CVE-2022-0609 (9) and CVE-2022-1096 (11).

References

  1. https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/?_ga=2.214425943.1726951151.1648229830-648809539.1647946402&_gac=1.28299342.1647946516.Cj0KCQjw5-WRBhCKARIsAAId9FkQ6XWMN9wz_LwdoVrwY2xteKcAJSa0IBRX9n2Is8KPt58_142rw64aAqerEALw_wcB
  2. https://www.bleepingcomputer.com/news/security/okta-investigating-claims-of-customer-data-breach-from-lapsus-group/
  3. https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/
  4. https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
  5. https://www.bbc.com/news/technology-60864283
  6. https://twitter.com/3xp0rtblog/status/1507312171914461188
  7. https://www.bleepingcomputer.com/news/security/racoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/
  8. https://blog.google/threat-analysis-group/countering-threats-north-korea/
  9. https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html
  10. https://www.securityweek.com/google-attempts-explain-surge-chrome-zero-day-exploitation
  11. https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html?m=1
  12. https://thehackernews.com/2022/03/lapsus-claims-to-have-breached-it-firm.html
  13. https://edition.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/index.html

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

You may also download the content as eiq_json, stix1_2, stix2_1.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.


© 2014 – 2022 EclecticIQ B.V.