A new report sheds light on the techniques and tactics of the highly unpredictable Lapsus$ attacks.
NCC Group on Thursday released a report describing how Lapsus$ attacks are launched and what makes it such a unique group.
While Lapsus$ quieted down following the arrests of alleged members in March, the attacks launched by the group remain perplexing in both their motives and their methods. The group is most known for its attacks on companies like Microsoft, Nvidia, Okta and Samsung.
The NCC Group report showed how Lapsus$ used stolen authentication cookies, specifically ones used for SSO applications, to initially get into its victims' systems. The attackers also scraped Microsoft SharePoint sites used by target organizations, hoping to find credentials within technical documentation.
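A stolen SSO session cookie is replayed by a client that is not the one that established the session, so the defensive signal is a session identifier appearing with a different source IP or user agent than at its first sighting. The following detector is an added example and not code from NCC Group's report; it assumes a constructed log format (one JSON object per line with `ts`, `user`, `session`, `src_ip` and `ua` fields), and the sample lines are made up for this illustration.

```python
"""Flag SSO session tokens presented from a client fingerprint that differs
from the one seen when the session was established.

Log format is an assumption for this example: one JSON object per line with
ts (epoch seconds), user, session (opaque token hash), src_ip and ua.
"""
import json

# Constructed sample log: session s1 is replayed 10 minutes later from a new
# IP and browser; session s2 moves to a new IP almost two hours later.
SAMPLE_LOG = """
{"ts": 1000, "user": "alice", "session": "s1", "src_ip": "10.1.2.3", "ua": "Firefox/100"}
{"ts": 1300, "user": "alice", "session": "s1", "src_ip": "10.1.2.3", "ua": "Firefox/100"}
{"ts": 1600, "user": "alice", "session": "s1", "src_ip": "203.0.113.9", "ua": "Chrome/101"}
{"ts": 2000, "user": "bob", "session": "s2", "src_ip": "10.1.2.4", "ua": "Edge/100"}
{"ts": 9000, "user": "bob", "session": "s2", "src_ip": "198.51.100.7", "ua": "Edge/100"}
"""


def parse_log(text):
    """Parse JSON-lines text into a list of event dicts ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events, window=3600):
    """Return one alert per event whose (src_ip, ua) fingerprint differs from
    the fingerprint recorded at the session's first sighting.

    within_window marks changes that happen less than `window` seconds after
    the session was established, which is the tighter signal: a browser cookie
    does not normally change machine and browser within minutes.
    """
    first_seen = {}  # session -> (ts, (src_ip, ua))
    alerts = []
    for e in events:
        fingerprint = (e["src_ip"], e["ua"])
        if e["session"] not in first_seen:
            first_seen[e["session"]] = (e["ts"], fingerprint)
            continue
        t0, fp0 = first_seen[e["session"]]
        if fingerprint == fp0:
            continue
        changed = [name for name, a, b in (("src_ip", fp0[0], fingerprint[0]),
                                           ("ua", fp0[1], fingerprint[1])) if a != b]
        alerts.append({
            "session": e["session"],
            "user": e["user"],
            "ts": e["ts"],
            "changed": changed,
            "within_window": (e["ts"] - t0) <= window,
        })
    return alerts


def run(text=SAMPLE_LOG):
    """Parse the sample log and return its alerts (two for the constructed data)."""
    return detect_session_reuse(parse_log(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In production the same rule is usually keyed on the hash of the session cookie rather than the cookie itself, and an IP change alone is weaker evidence than a user-agent change because VPN and mobile clients legitimately roam; the `changed` field lets a triage rule weight the two differently.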
From that initial point of access, Lapsus$ rapidly escalated its privileges within the victim organizations.
"Credential harvesting and privileged escalation are key components of the LAPSUS$ breaches we have seen, with rapid escalation in privileges the LAPSUS$ group have been seen to elevate from a standard user account to an administrative user within a couple of days," the report said.
According to the report, a major goal of the Lapsus$ attackers was the exploitation of corporate VPNs, capitalizing on the increased use of them over the last few years.
"Access to corporate VPNs is a primary focus for this group as it allows the threat actor to directly access key infrastructure which they require to complete their objectives," the report said. "In our incident response cases, we saw the threat actor leveraging compromised employee email accounts to email helpdesk systems requesting access credentials or support to get access to the corporate VPN."
NCC Group researchers noted that oftentimes Lapsus$ would reach out to employees directly to get access to network environments and VPNs. In some cases, employees of victim companies would be offered money directly in exchange for their credentials or further information.
Lapsus$ threat actors rarely used malware and instead embraced "living off the land," according to NCC Group. "In the investigations conducted by NCC Group, little to no malware is used," the report said. "In one case NCC Group observed LAPSUS$ using nothing more than the legitimate Sysinternals tool ADExplorer, which was used to conduct reconnaissance on the victim's environment."
After the data was stolen, the Lapsus$ attackers then disrupted and destroyed cloud environments, specifically on-premises VMware ESXi infrastructure, to cover their tracks. For example, NCC Group researchers observed "mass deletion of virtual machines, storage, and configurations in cloud environments making it harder for the victim to recover and for the investigation team to conduct their analysis activities."
When it came to Lapsus$'s goals, the report found that the group often exfiltrated data and destroyed parts of network environments in its attacks. Rather than stealing personal information, Lapsus$ usually focused on taking source code and intellectual property from companies.
"The theft of data reported appears to heavily be focused on application source code or proprietary technical information," the report said. "With a targeting of internal source code management or repository servers. These git repositories can contain not only commercially sensitive intellectual property, but also in some cases may include additional API keys to sensitive applications including administrative or cloud applications."
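The report's point that stolen git repositories can carry API keys to administrative or cloud applications is why secret scanning of repository contents matters before an attacker ever reads them. The scanner below is an added example, not code from NCC Group or any of the named vendors; it works over an in-memory map of file paths to contents (constructed here, in place of a checkout), uses the AWS documentation's published placeholder access key ID as sample data, and combines fixed-format patterns with an entropy check to suppress low-value matches such as placeholder passwords.

```python
"""Scan repository files for committed credentials.

Rules: AWS access key IDs (fixed prefix and length), PEM private-key headers,
and generic `key = "value"` assignments filtered by Shannon entropy so that
placeholders like "changeme" are not reported.
"""
import math
import re
from collections import Counter

# Constructed repository snapshot. AKIAIOSFODNN7EXAMPLE is the example key ID
# used in AWS documentation, not a live credential; the other values are made up.
FILES = {
    "config/settings.py": 'DEBUG = False\nAPI_KEY = "x7Fq2Lp9ZbT4vK8mW1nR3sD6yH"\nPASSWORD = "changeme"\n',
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "# Service\nSet API_KEY in the environment.\n",
    "certs/dev.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAconstructed\n-----END RSA PRIVATE KEY-----\n",
}

AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Group 1 is the variable name, group 2 the quoted value.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]")

MIN_ENTROPY_BITS = 3.0   # bits per character; English words sit well below this
MIN_SECRET_LENGTH = 20   # long values are reported regardless of entropy


def shannon_entropy(s):
    """Bits per character of the string's empirical byte distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Keep only the first four characters so findings do not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_line(path, line_no, line):
    """Apply each rule to one line and return the findings it produces."""
    findings = []
    if AWS_ACCESS_KEY_ID.search(line):
        findings.append({"path": path, "line": line_no, "rule": "aws_access_key_id",
                         "value": redact(AWS_ACCESS_KEY_ID.search(line).group(0))})
    if PRIVATE_KEY_HEADER.search(line):
        findings.append({"path": path, "line": line_no, "rule": "private_key",
                         "value": PRIVATE_KEY_HEADER.search(line).group(0)})
    m = GENERIC_ASSIGNMENT.search(line)
    if m:
        value = m.group(2)
        # Placeholder-looking values (short and low entropy) are dropped.
        if len(value) >= MIN_SECRET_LENGTH or shannon_entropy(value) >= MIN_ENTROPY_BITS:
            findings.append({"path": path, "line": line_no, "rule": "generic_assignment",
                             "name": m.group(1), "value": redact(value)})
    return findings


def scan_files(files):
    """Scan a {path: contents} map and return findings in path order."""
    findings = []
    for path in sorted(files):
        for line_no, line in enumerate(files[path].splitlines(), start=1):
            findings.extend(scan_line(path, line_no, line))
    return findings


if __name__ == "__main__":
    for f in scan_files(FILES):
        print(f)
```

Running the same `scan_files` over the output of `git log -p` or as a pre-commit hook catches the key before it reaches a shared repository; keys already committed should be treated as exposed and rotated, since removing them from history does not revoke them.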
Still, NCC Group said it's not clear why Lapsus$ is focused on breaching major technology companies and obtaining source code, especially since some victims are not approached to pay ransoms. "This distinguishes themselves from more traditional ransomware groups who have a clear modus operandi and are clearly financially focused," the report said. "The result of this is that LAPSUS$ are less predictable which may be why they have seen recent success."