A new report revealed how the Lapsus$ operators deploy their attacks, including some information about the TTPs of the highly unpredictable attacks of the group and an analysis of how they select and target victims.
In the last five months, the Lapsus$ group became notorious after successfully breaching big-time firms such as Samsung, Nvidia, Okta, and Microsoft. In a particular case, the group executed their attack using an authentic Sysinternals tool called ADExplorer to survey their target’s environment.
The group commonly utilise previously stolen authentication cookies for SSO applications to infiltrate their victim’s systems and scour MS SharePoint websites to search credentials inside the technical documentation.
The Lapsus$ usually need escalated privileges to start their attack process.
The threat group can obtain escalated privileges on the targeted system and acquire basic credentials by gaining access to the local password manager and database.
The group also focuses on securing source code and intellectual property instead of gathering personal information from the device user. They duplicate Git repositories and collect API keys.
Afterward, they will then hinder and obliterate cloud environments after the targeted data is stolen by them. The VMware ESXi infrastructure has been exclusively targeted in usual cases if it is present on their targeted system to remove all their traces and avoid analysis from researchers.
The theory was further proven when separate researchers monitored a massive deletion of storage, VMs, and configuration cloud environments.
The Lapsus$ group first appeared in December last year. However, several researchers had seen the threat actors months before during an incident response identified them. Furthermore, the report suggests that the group was active before it was called the Lapsus$, meaning the moniker is just a rebrand of a past group.
The group’s motivations are purely financially motivated. They are targeting high-end firms to establish superiority on the dark web.
Lapsus$ appears to be focused on proprietary information or app source code. Thus, the disclosed analysis of the researchers suggests several recommendations to counteract such threats. The actions needed to counter these attacks include logging into cloud computing environments, restricting unwanted access to sensitive data, and using MFA for authentication.
