The Lapsus$ data extortion gang is relatively new but has already made it onto the FBI's most-wanted list thanks to a recent series of leaks from top-tier companies. Its "impressive portfolio" includes Microsoft, Samsung, EA, Nvidia, Vodafone, and Okta, among others.
Despite the reported arrest on March 23rd of seven people in the UK allegedly belonging to the gang, Lapsus$ struck again: on March 30th, 70GB of Globant's source code was posted on its Telegram channel.
Instead of focusing on who they are and what their next target will be, we would like to highlight some notable and worrying facts and suggest mitigation measures that every organization can apply.
Lapsus$ hasn't used any 0-day exploits; instead it demonstrated highly effective social engineering, proving that classic defensive playbooks may need to be rethought. Here are some worrying highlights:
SIM-swapping attacks were conducted either by bribing mobile carrier employees or by impersonating the victim so that the victim's phone number was redirected to an attacker-controlled SIM. Previously, SIM swapping was mainly seen in attacks on individuals, but the gang used it to break SMS- and voice-based corporate MFA.
In general, according to the FBI, the number of reported SIM-swapping complaints rose from 320 for 2018 through 2020 combined to 1,611 in 2021 alone.
There is evidence that the group operates dedicated infrastructure at well-known virtual private server (VPS) providers and uses NordVPN for its egress points, which let it bypass geolocation-based detection by picking a VPN exit in the victim's own country.
In some cases, to satisfy conditional access requirements, they registered or joined their own system to the organization's Active Directory.
Ironically, Okta's Achilles' heel was a sub-processor: Sitel, which provided services to Okta through a firm it had recently acquired, Sykes. Whatever security standards Okta maintains internally, there is no way to guarantee that a third party which has just acquired another third party will have the same level of security controls, awareness and, most importantly, loyalty. (Remember that in the EA breach, credentials were simply bought.)
Lapsus$ had RDP access to a Sykes employee's laptop for five consecutive days and used it to reach deep into Okta's estate. The most troubling part is that the intrusion happened in January 2022, and the gang stated clearly that they were after Okta's customers, not Okta itself. Since Okta's response wasn't the fastest, we can only guess what information they managed to obtain.
Apply stricter device posture policies and validate devices continuously, not only at connection time. Perimeter 81's device posture check can run continuous validation to maintain the required security level.
As we've learned, domain membership and geolocation validation can be bypassed. Consider advanced device posture policies that also require the presence of a specific file, registry key or certificate, disk encryption, and more.
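To make the difference concrete, here is an added example (not Perimeter 81 code, and not a real posture agent) that evaluates a device posture report against a weak policy using only the two signals Lapsus$ could satisfy, and against a stronger one that adds the signals mentioned above. The report format, file paths, registry keys, certificate names and the idea of re-evaluating a series of snapshots are all assumptions made for the example.

```javascript
// Added example: rule-based posture evaluation and continuous re-validation.
// Report shape, paths, keys and certificate subjects are assumptions.

// Constructed report for a rogue device an attacker joined to the domain and
// that connects through a VPN egress inside the victim's country.
const rogueDevice = {
  domainJoined: true,
  country: "US",
  diskEncrypted: false,
  files: [],
  registryKeys: [],
  certificates: [],
};

// Constructed report for a corporate-managed laptop.
const managedDevice = {
  domainJoined: true,
  country: "US",
  diskEncrypted: true,
  files: ["C:\\ProgramData\\Corp\\agent.conf"],
  registryKeys: ["HKLM\\SOFTWARE\\Corp\\Managed"],
  certificates: ["CN=device-1234,OU=Endpoints,O=Corp"],
};

// Weak policy: domain membership plus geolocation, both shown to be bypassable.
const weakPolicy = [
  { name: "domain-joined", check: d => d.domainJoined === true },
  { name: "allowed-country", check: d => ["US", "GB"].includes(d.country) },
];

// Stronger policy: adds signals that require control of a managed device.
const strongPolicy = [
  ...weakPolicy,
  { name: "disk-encrypted", check: d => d.diskEncrypted === true },
  { name: "agent-config-present", check: d => d.files.includes("C:\\ProgramData\\Corp\\agent.conf") },
  { name: "managed-registry-key", check: d => d.registryKeys.includes("HKLM\\SOFTWARE\\Corp\\Managed") },
  { name: "device-certificate", check: d => d.certificates.some(c => c.includes("OU=Endpoints,O=Corp")) },
];

// Evaluate every rule; returns the names of failed rules (empty = compliant).
function evaluatePosture(device, policy) {
  return policy.filter(rule => !rule.check(device)).map(rule => rule.name);
}

// Continuous validation: re-evaluate each periodic snapshot of the device and
// report the index at which the session should be revoked (-1 = never).
function continuousValidation(policy, snapshots) {
  for (let i = 0; i < snapshots.length; i++) {
    const failures = evaluatePosture(snapshots[i], policy);
    if (failures.length > 0) return { revokedAt: i, failures };
  }
  return { revokedAt: -1, failures: [] };
}

console.log("rogue vs weak:", evaluatePosture(rogueDevice, weakPolicy));
console.log("rogue vs strong:", evaluatePosture(rogueDevice, strongPolicy));
console.log(continuousValidation(strongPolicy, [managedDevice, { ...managedDevice, diskEncrypted: false }]));
```

The rogue device passes the weak policy cleanly, which is exactly the gap the attackers exploited; under the stronger policy it fails four rules, and a managed laptop whose disk encryption is later switched off loses its session at the next snapshot rather than keeping access until it reconnects.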
Zero trust starts with least privilege. Implement least-privilege best practices continuously, beginning with network segmentation, where the good old firewall is still very effective. But the case above also raises questions about less obvious areas such as messengers (e.g., do third parties really need access to internal Slack channels?) and whether contractors have access only to the resources they need.
ZTNA, or least-privileged access, segments the network and limits an attacker's ability to move laterally and reach strategic assets. This is done through a precise security policy with granular permissions per user or group.
Employees or contractors leaving the company can cause damage if their access is not promptly revoked.
Automated offboarding routines save time, ensure that access to all systems is actually closed, and eliminate error-prone manual termination.
Automated revocation of accounts that have been inactive for a set period is another easy-to-implement routine you should consider.
Perimeter 81 customers can streamline their automation processes with our API. If you are a customer and need assistance setting this up, please check out our API documentation.
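As an added example of the two routines above (this is illustrative code, not the Perimeter 81 API or any vendor's implementation), the following selects accounts for revocation from an identity export: contracts that have ended, accounts dormant beyond an inactivity threshold, and accounts that were provisioned but never used. The record format, the thresholds, the onboarding grace period and the sample users are all constructed for the example.

```javascript
// Added example: choosing which accounts an offboarding job should disable.
// Record fields, thresholds and sample data are assumptions, not a real export.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed identity records (dates are ISO, UTC).
const accounts = [
  { user: "alice@corp.example",   type: "employee",   created: "2021-01-10", lastLogin: "2022-03-29", contractEnd: null },
  { user: "bob@vendor.example",   type: "contractor", created: "2021-06-01", lastLogin: "2022-03-28", contractEnd: "2022-03-25" },
  { user: "carol@vendor.example", type: "contractor", created: "2021-06-01", lastLogin: "2021-11-02", contractEnd: "2022-12-31" },
  { user: "dave@corp.example",    type: "employee",   created: "2022-03-20", lastLogin: null,         contractEnd: null },
  { user: "erin@corp.example",    type: "employee",   created: "2020-02-14", lastLogin: null,         contractEnd: null },
];

const revocationPolicy = {
  inactiveDays: 90,          // revoke accounts unused for longer than this
  onboardingGraceDays: 14,   // leave never-used accounts alone for this long after creation
};

function daysBetween(earlier, later) {
  return Math.floor((later - earlier) / DAY_MS);
}

// Returns { user, reason } for each account to disable, evaluated at `now`
// (a millisecond timestamp). Order follows the input records.
function selectForRevocation(records, policy, now) {
  const decisions = [];
  for (const r of records) {
    const created = Date.parse(r.created);
    const lastLogin = r.lastLogin ? Date.parse(r.lastLogin) : null;
    const contractEnd = r.contractEnd ? Date.parse(r.contractEnd) : null;

    // 1. Offboarding: contract or employment has ended. Revoke regardless of
    //    recent activity; a login after the end date is itself a warning sign.
    if (contractEnd !== null && contractEnd < now) {
      decisions.push({ user: r.user, reason: "contract-ended" });
      continue;
    }
    // 2. Dormant: no login within the inactivity window.
    if (lastLogin !== null && daysBetween(lastLogin, now) > policy.inactiveDays) {
      decisions.push({ user: r.user, reason: "inactive" });
      continue;
    }
    // 3. Never used: provisioned but never logged in, and past the grace period
    //    (so freshly onboarded users are not locked out on day one).
    if (lastLogin === null && daysBetween(created, now) > policy.onboardingGraceDays) {
      decisions.push({ user: r.user, reason: "never-used" });
    }
  }
  return decisions;
}

console.log(selectForRevocation(accounts, revocationPolicy, Date.parse("2022-03-31")));
```

Run at the end of March 2022, this flags bob (contract ended, yet still logging in), carol (dormant for about five months) and erin (never used), while leaving alice and the newly onboarded dave untouched. Wiring the output to the identity provider's disable call, and running it on a schedule, is what turns the policy into an actual control.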
Consider ditching outdated MFA approaches (such as SMS or voice codes, which SIM swapping defeats) in favor of stronger authentication mechanisms.
Strong authentication with a hardware authenticator (typically unlocked by a PIN or biometric) removes the need for weak, password-based authentication.
IAM solutions typically support FIDO2/WebAuthn authentication, which resists the attacks above because it is based on public-key cryptography rather than shared secrets: the private key never leaves the authenticator, and the signed response is bound to the site's origin, so neither a phishing page nor a swapped SIM can produce a valid assertion.
More information: you can learn more about relevant mitigation techniques at MITRE ATT&CK. See the Initial Access techniques T1078 (Valid Accounts) and T1199 (Trusted Relationship).