Microsoft has been tracking the group for some time as DEV-0537 and appears to have a good handle on how they operate. Microsoft also acknowledges that, as the group's notoriety has grown, it has accelerated its pace. We have noted the same thing while tracking and covering the publicly available information, along with an increasing need on the group's part for press coverage and validation of its actions. In some cases, when they do not get the expected response from the press, they release data much faster in order to prove they have what they claim. We had expected them to cultivate a closer connection with at least one press outlet so that they could inject themselves into the narrative. It seems, however, that they were already doing something more emotionally satisfying (from their perspective): Microsoft revealed that the group often seeks to compromise internal ticketing and communications systems so it can interact with response teams and track the organization's response. This new information fits the already established pattern of theft and destruction of the targeted organizations' systems and data. It looks almost like a compulsion to continue the attacks with ever more elaborate means of disclosure.
Getting back to the Microsoft report, it provides several details that can help organizations respond better to an attack by Lapsus$ and other groups that employ the same tactics. Microsoft notes that this attacker uses several unusual tactics that require an organization to improve its insider-risk detection and response as well as its reaction time to suspected incidents. The initial access methods observed include:
Deploying the malicious Redline password stealer to obtain passwords and session tokens
Purchasing credentials and session tokens from criminal underground forums
Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
Searching public code repositories for exposed credentials
While most of the items listed here are fairly common, Lapsus$' public solicitation of users, business partners and service providers for access (which they pay for), including approval of MFA requests, falls into a different category among initial access tactics.
Once Lapsus$ obtained credentials and/or session tokens, they used them to access externally facing systems including VPNs, VDI systems, RDP and identity providers. Where MFA was in place, they either replayed stolen session tokens or spammed the user with push requests until the user finally gave in and approved the access. The group has also used SIM-swapping to take over a targeted user's mobile number, which let them approve SMS- or call-based MFA requests themselves.
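The push-spamming behaviour described above leaves a recognisable shape in sign-in logs: a burst of prompts that are denied or time out, followed by an approval. The following is an added example, not code from Microsoft's report or from the original post, that finds that shape in a set of constructed sign-in records. The record layout (user, time, status) is a simplification of Azure AD sign-in log fields and is an assumption; the window and threshold are starting points to tune against your own baseline.

```python
"""Detect MFA push-prompt spamming ("MFA fatigue") in sign-in records.

Added example; not code from Microsoft's report or the original post. The
records are constructed and only loosely modelled on Azure AD sign-in log
fields (user, time, status); the field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Statuses that mean a second-factor prompt was sent but never approved.
UNRESOLVED = {"MFA denied", "MFA timeout"}

# Constructed sample: alice is hammered with prompts and finally approves,
# bob denies one prompt and then signs in normally, carol denies a few
# prompts spread over hours (normal noise, no burst).
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2022-01-01T01:02:00", "status": "MFA denied"},
    {"user": "alice@example.com", "time": "2022-01-01T01:02:40", "status": "MFA timeout"},
    {"user": "alice@example.com", "time": "2022-01-01T01:03:20", "status": "MFA denied"},
    {"user": "alice@example.com", "time": "2022-01-01T01:04:00", "status": "MFA denied"},
    {"user": "alice@example.com", "time": "2022-01-01T01:05:10", "status": "MFA timeout"},
    {"user": "alice@example.com", "time": "2022-01-01T01:06:30", "status": "MFA denied"},
    {"user": "alice@example.com", "time": "2022-01-01T01:08:00", "status": "Success"},
    {"user": "bob@example.com",   "time": "2022-01-01T02:00:00", "status": "MFA denied"},
    {"user": "bob@example.com",   "time": "2022-01-01T02:01:00", "status": "Success"},
    {"user": "carol@example.com", "time": "2022-01-01T03:00:00", "status": "MFA denied"},
    {"user": "carol@example.com", "time": "2022-01-01T03:30:00", "status": "MFA denied"},
    {"user": "carol@example.com", "time": "2022-01-01T04:00:00", "status": "MFA denied"},
    {"user": "carol@example.com", "time": "2022-01-01T04:30:00", "status": "MFA denied"},
    {"user": "carol@example.com", "time": "2022-01-01T05:00:00", "status": "MFA denied"},
]


def detect_mfa_fatigue(records, window=timedelta(minutes=10), threshold=5):
    """Return one alert per burst of >= `threshold` unresolved prompts inside a
    sliding `window`. The alert is marked approved when a Success follows the
    burst within `window` of the last prompt, i.e. the user probably gave in."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((datetime.fromisoformat(r["time"]), r["status"]))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        recent = []        # prompt times still inside the sliding window
        open_alert = None  # alert for the burst currently in progress
        for ts, status in events:
            if status in UNRESOLVED:
                recent = [t for t in recent if ts - t <= window] + [ts]
                if open_alert is not None:
                    open_alert["prompts"] += 1
                elif len(recent) >= threshold:
                    open_alert = {"user": user,
                                  "first_prompt": recent[0].isoformat(),
                                  "prompts": len(recent),
                                  "approved": False}
                    alerts.append(open_alert)
            elif status == "Success":
                # A success closes the burst; if it follows closely, the
                # spam most likely worked and the session should be revoked.
                if open_alert is not None and recent and ts - recent[-1] <= window:
                    open_alert["approved"] = True
                open_alert = None
                recent = []
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_SIGNINS):
        print(alert)
```

An approved burst is the case to act on first: the attacker already holds a valid password and now a session, so revoking that user's refresh tokens and resetting the password matters more than the alert itself.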
Once they had confirmed access, the group would attempt to join a device (usually a virtual machine) to the target's infrastructure, including registering a device they owned with Azure AD and allowing MDM software and AV to be installed so that the device met the organization's conditional access requirements. They also used NordVPN so that their exit point complied with conditional access policies and would not trigger impossible-travel alerts from cloud monitoring. The same NordVPN service was used when exfiltrating data.
Once inside the targeted organization, Lapsus$ used a number of tactics to gain further access. Beyond the usual tools such as AD Explorer, they exploited known vulnerabilities in internally reachable systems such as JIRA, GitLab and Confluence, and mined collaboration platforms such as Teams or Slack, to identify their next and more privileged targets or to dump user accounts where possible. They also used DCSync attacks and Mimikatz with the goal of gaining administrator access and extracting the AD database. Interestingly, they were also found to contact help desk support teams to have privileged account passwords reset.
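DCSync is detectable because the attacker has to ask a domain controller for the same extended rights a replication partner uses, and that request is logged as Windows event 4662 when "Audit Directory Service Access" is enabled. The following is an added example, not code from Microsoft's report or the original post, that flags 4662 records requesting replication rights from anything other than a known replicator. The records and the allowlist are constructed, and the flattened field names are a simplification of the event's SubjectUserName, Properties and AccessMask fields.

```python
"""Flag DCSync-style replication requests in Windows event 4662 records.

Added example; not code from Microsoft's report or the original post.
Event 4662 ("An operation was performed on an object") is only logged when
"Audit Directory Service Access" is enabled on the domain controllers. The
records below are constructed; the field names are a simplified rendering of
the event's SubjectUserName / Properties / AccessMask fields.
"""
import re

# Extended-rights GUIDs a replication partner needs. Mimikatz's
# lsadump::dcsync asks for these to pull password hashes out of the DC.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts that legitimately replicate: DC machine accounts and the Azure AD
# Connect sync account. Names are assumptions for the sample; build yours from
# the actual DC list and the MSOL_* account in your tenant.
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "MSOL_1a2b3c4d5e6f"}

GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Constructed sample. AccessMask 0x100 is CONTROL_ACCESS, which is what the
# Properties block under "Control Access" is being checked against.
SAMPLE_4662 = [
    {"time": "2022-01-01T04:00:01", "subject": "DC02$", "object_type": "domainDNS",
     "access_mask": "0x100",
     "properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": "2022-01-01T04:30:00", "subject": "MSOL_1a2b3c4d5e6f", "object_type": "domainDNS",
     "access_mask": "0x100",
     "properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": "2022-01-01T04:41:12", "subject": "jdoe", "object_type": "domainDNS",
     "access_mask": "0x100",
     "properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": "2022-01-01T04:41:30", "subject": "jdoe", "object_type": "computer",
     "access_mask": "0x10",
     "properties": "Read Property\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights(properties):
    """Names of the replication extended rights mentioned in a Properties block."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, allowed=ALLOWED_REPLICATORS):
    """Return every 4662 record that asks for replication rights from an
    account that is not a known replicator."""
    hits = []
    for e in events:
        rights = replication_rights(e["properties"])
        if not rights or e["subject"] in allowed:
            continue
        hits.append({"time": e["time"], "subject": e["subject"], "rights": rights})
    return hits


if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_4662):
        print(hit)
```

The allowlist is the weak point of this check: if an attacker has already added a replication right to an ordinary account, the grant itself (event 5136 on the domain object's ACL) is the earlier signal, so alert on that as well.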
After they had access and the stolen data secured offsite, the group made changes in the target organization designed to ensure that IR teams would be engaged. They would create Global Admin accounts in cloud environments, set up tenant-level transport rules to forward all email to a newly created mailbox, remove all other Global Admin accounts, and often start deleting cloud systems and resources. Once they knew IR teams were engaged, they would join internal communications via Teams, Slack, conference bridges, etc. They used these connections to monitor the response, understand how much the target knew about the attack, and open the conversation about extortion, although they did not always attempt to ransom the stolen data.
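The three actions above (a new Global Admin, a tenant-wide forwarding rule, the other Global Admins removed) are individually noisy but rare in combination. The following is an added example, not code from Microsoft's report or the original post, that correlates them in a set of constructed audit records. Operation names are modelled loosely on Azure AD audit activity names and on the Exchange Online cmdlet logged on rule creation; the flattened field layout is an assumption for illustration.

```python
"""Correlate audit-log entries into the "lock out the defenders" sequence.

Added example; not code from Microsoft's report or the original post. The
records are constructed. Operation names are modelled loosely on Azure AD
audit activity names ("Add member to role", "Remove member from role") and
the Exchange Online cmdlet logged on rule creation ("New-TransportRule");
the flattened field layout is an assumption for illustration.
"""
from datetime import datetime, timedelta

GLOBAL_ADMIN = "Global Administrator"
# Transport-rule actions that copy or divert mail to another mailbox.
FORWARD_ACTIONS = {"RedirectMessageTo", "BlindCopyTo", "CopyTo"}
# Common predicates that narrow a rule; a forward rule with none of these
# applies to every message in the tenant.
SCOPING_PREDICATES = {"From", "SentTo", "FromMemberOf", "SentToMemberOf",
                      "SubjectContainsWords", "SenderDomainIs", "RecipientDomainIs"}

SAMPLE_AUDIT = [
    {"time": "2022-01-01T03:10:00", "actor": "svc-backup@example.com", "op": "Add member to role",
     "role": GLOBAL_ADMIN, "target": "recovery@example.com"},
    {"time": "2022-01-01T03:14:00", "actor": "recovery@example.com", "op": "New-TransportRule",
     "params": {"Name": "Archive", "BlindCopyTo": "recovery@example.com"}},
    {"time": "2022-01-01T03:20:00", "actor": "recovery@example.com", "op": "Remove member from role",
     "role": GLOBAL_ADMIN, "target": "itadmin@example.com"},
    {"time": "2022-01-01T03:21:00", "actor": "recovery@example.com", "op": "Remove member from role",
     "role": GLOBAL_ADMIN, "target": "ciso@example.com"},
    # Benign: a scoped compliance rule and a routine admin onboarding.
    {"time": "2022-01-01T09:00:00", "actor": "itadmin@example.com", "op": "New-TransportRule",
     "params": {"Name": "Legal hold", "SentTo": "legal@example.com",
                "BlindCopyTo": "legal-archive@example.com"}},
    {"time": "2022-01-01T11:00:00", "actor": "itadmin@example.com", "op": "Add member to role",
     "role": GLOBAL_ADMIN, "target": "newhire@example.com"},
]


def _t(rec):
    return datetime.fromisoformat(rec["time"])


def is_tenant_wide_forward(params):
    """True for a rule that forwards/copies mail and has no narrowing predicate."""
    keys = set(params)
    return bool(keys & FORWARD_ACTIONS) and not keys & SCOPING_PREDICATES


def detect_ir_disruption(records, window=timedelta(hours=2)):
    """For every new Global Admin, look for tenant-wide mail forwarding and
    removal of other Global Admins by that account (or the account that
    created it) within `window`. A finding needs two or more indicators."""
    recs = sorted(records, key=_t)
    findings = []
    for r in recs:
        if r["op"] != "Add member to role" or r.get("role") != GLOBAL_ADMIN:
            continue
        t0, new_admin = _t(r), r["target"]
        suspects = {r["actor"], new_admin}
        indicators = [f"{new_admin} added to {GLOBAL_ADMIN} by {r['actor']}"]
        removed = []
        for s in recs:
            if not (t0 <= _t(s) <= t0 + window) or s["actor"] not in suspects:
                continue
            if s["op"] == "New-TransportRule" and is_tenant_wide_forward(s.get("params", {})):
                dest = [v for k, v in s["params"].items() if k in FORWARD_ACTIONS]
                indicators.append(
                    f"tenant-wide transport rule {s['params'].get('Name')!r} forwarding to {dest}")
            elif s["op"] == "Remove member from role" and s.get("role") == GLOBAL_ADMIN:
                removed.append(s["target"])
        if removed:
            indicators.append(f"{len(removed)} other {GLOBAL_ADMIN}(s) removed: {removed}")
        if len(indicators) >= 2:
            findings.append({"new_admin": new_admin, "start": r["time"], "indicators": indicators})
    return findings


if __name__ == "__main__":
    for finding in detect_ir_disruption(SAMPLE_AUDIT):
        print(finding)
```

The point of keying the correlation on the newly created admin rather than on the original actor is that the attacker switches to the new account as soon as it exists; correlating on the first actor alone would miss the removals.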
Microsoft has several recommendations to help limit the risk of compromise by this group and other groups employing similar tactics.
For MFA access they recommend you do the following:
Require multifactor authentication for all users from all locations, including perceived trusted environments, and for all internet-facing infrastructure, even when access originates from on-premises systems.
Use more secure implementations such as FIDO tokens or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to reduce the risk of SIM-jacking.
Use Azure AD Password Protection to ensure that users are not using easily guessed passwords.
Leverage passwordless authentication methods such as Windows Hello for Business, Microsoft Authenticator, or FIDO tokens to reduce risks and user experience issues associated with passwords.
They also recommend avoiding the following:
weak MFA factors such as text messages (susceptible to SIM swapping), simple voice approvals, simple push (use number matching instead), or secondary email addresses.
location-based exclusions. MFA exclusions allow an actor who holds only one factor for a set of identities to bypass the MFA requirement if they can fully compromise a single identity.
credential or MFA factor sharing between users.
Additional items include requiring healthy, low- or no-risk sign-ins and devices before allowing access to organizational resources. This means ensuring that devices comply with all policies, are trusted by the organization and are healthy. Cloud protections and monitoring of sign-ins, access and potential pivots inside cloud resources should be enabled and watched closely, with automated responses where possible. Organizations should also build a security-first culture to mitigate the risk of social engineering.
Since Lapsus$ is known to monitor communication channels, organizations should establish an out-of-band communication method that can be used for an extended period, and should check response-team calls and chat groups for unknown or unauthorized attendees.
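Most of the MFA and device recommendations above map onto a Conditional Access policy, and the "avoid" list maps onto things that policy should not contain. The following is an added example, not code from Microsoft's report or the original post, that lints two constructed policies: one that still allows telephony MFA and exempts trusted locations, and one that requires phishing-resistant MFA and a compliant device everywhere. The policies are shaped like the Microsoft Graph conditionalAccessPolicy resource, and the built-in authentication strength id is an assumption to verify in your own tenant.

```python
"""Lint Conditional Access policies against the recommendations above.

Added example; not code from Microsoft's report or the original post. The
two policies are constructed and shaped like the Microsoft Graph
conditionalAccessPolicy resource (conditions.users, conditions.locations,
conditions.applications, grantControls); treat that shape and the ids as
assumptions for illustration.
"""

# Built-in Microsoft Entra authentication strength "Phishing-resistant MFA"
# (FIDO2 / certificate-based / Windows Hello for Business). Assumed here;
# confirm the id in your tenant before relying on it.
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"

WEAK_POLICY = {
    "displayName": "Require MFA (legacy)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["vendor-support-group-id"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}

STRONG_POLICY = {
    "displayName": "Phishing-resistant MFA + compliant device, everywhere",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"]},
    },
    "grantControls": {"operator": "AND",
                      "builtInControls": ["compliantDevice"],
                      "authenticationStrength": {"id": PHISHING_RESISTANT}},
}


def lint_policy(policy):
    """Return a list of findings; empty means the policy matches the
    recommendations (all users, all apps, all locations, no exclusions,
    phishing-resistant MFA, device compliance, controls combined with AND)."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    locs = cond.get("locations", {})
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    strength = (grant.get("authenticationStrength") or {}).get("id")

    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state is %r)" % policy.get("state"))
    if "All" not in users.get("includeUsers", []):
        findings.append("does not target all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            findings.append(f"{key} present: each excluded identity needs only one factor")
    if "All" not in apps.get("includeApplications", []):
        findings.append("does not cover all cloud apps")
    if locs.get("excludeLocations"):
        findings.append(f"location-based exclusion {locs['excludeLocations']}: "
                        "an attacker on a trusted network or VPN exit skips MFA")
    if strength != PHISHING_RESISTANT:
        if "mfa" in controls:
            findings.append("generic 'mfa' control: any method enabled in the tenant, including "
                            "SMS, voice and plain push, satisfies it; require a phishing-resistant "
                            "authentication strength")
        else:
            findings.append("no MFA requirement at all")
    if not controls & {"compliantDevice", "domainJoinedDevice"}:
        findings.append("no device compliance or health requirement")
    if (len(controls) + (1 if strength else 0)) > 1 and grant.get("operator") != "AND":
        findings.append("grant operator is not AND: any single control satisfies the policy")
    return findings


if __name__ == "__main__":
    for pol in (WEAK_POLICY, STRONG_POLICY):
        print(pol["displayName"], lint_policy(pol) or ["ok"])
```

The operator check is the one that catches a subtle mistake: with "OR", a registered device alone satisfies the policy, so a device the attacker enrolled and brought into compliance (as described earlier) never has to present a second factor.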
The pattern Microsoft outlines shows a sophisticated group that uses multiple techniques to access an organization. Its MO is theft, extortion, and destruction of the targeted organization's data and systems. The group also seems to have something of a compulsion to show how clever it is, through public disclosure of its attacks and even the open recruitment of insiders for initial access. Its TTPs, although varied, are technically sophisticated and require coordinated effort to carry out. The extortion attempts appear secondary to the drive to show it can compromise and impact any organization it sets its mind on. This, together with the group's apparent popularity and its drive for more notoriety, makes it particularly dangerous.