Following Okta breach, time to take LAPSUS$ teens seriously

After the Okta breach, LAPSUS$ is already back making trouble using low-tech techniques with a high rate of success.

The ransomware group LAPSUS$, now well-known as the hackers responsible for the recent Okta breach, has returned from what they refer to as a "vacation", this time with a leak impacting Globant, a large software company based in Luxembourg.

The group, which according to media reports is largely made up of teenagers in the United Kingdom, broadcast the announcement to the 50,000 members of its Telegram channel.

Known for stealing data from large organisations and then threatening to publish it if ransom demands are not met, the group leaked 70GB of material from Globant consisting of data and credentials extracted from the company's DevOps infrastructure. The stolen data includes administrator passwords found in the firm's Atlassian suite, including Confluence and Jira, and the Crucible code review tool.

“LAPSUS$ also threw their System Admins under the bus exposing their passwords to Confluence (among other things)," malware research group VX-Underground (@vxunderground) tweeted about the latest breach. "We have censored the passwords they displayed. However, it should be noted these passwords are very easily guessable and used multiple times."

Low-tech tactics and two types of EDR

LAPSUS$ first emerged in December 2021 and made recent news for hacks on other large companies, including Samsung, Impresa, NVIDIA, Vodafone, and Ubisoft. A recent revelation adds Apple Inc. and Meta Platforms Inc., the parent company of Facebook, to the list of LAPSUS$ victims, as both companies were also tricked into providing customer data to the hackers.

In a detailed blog post, security researcher Brian Krebs outlines how LAPSUS$ is using what he refers to as “low-tech but high-impact methods” to gain access to targeted organisations.

The method involves abuse of emergency data requests (EDRs). The criminals first compromise and obtain credentials that belong to law enforcement officials.

Once they have access to these credentials, they can send unauthorised requests for subscriber data to phone companies, internet service providers, and social media sites under the guise that the requested information is urgent and related to a matter of life and death that cannot wait for a court order — thereby bypassing the usual legal review process and prompting immediate release of the sensitive data.

“It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate,” Krebs writes. 

“Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.”

Influencers in the industry are also pointing to questions surrounding the other type of EDR: endpoint detection and response. 

Analysis of the Okta breach reveals that LAPSUS$ infiltrated Okta's network through the compromised laptop of a support engineer working for Sitel, a third-party customer support firm. The access was gained through remote desktop protocol (RDP), an increasingly common way for criminals to reach systems.

LAPSUS$, according to a tweet from researcher Bill Demirkapi (@BillDemirkapi), “used off-the-shelf tooling from GitHub for the majority of their attacks. After downloading Process Explorer and Process Hacker, LAPSUS$ bypassed the FireEye endpoint agent by simply terminating it.”

Infosec researcher Greg Linares, who goes by the Twitter handle @Laughing_Mantis, weighed in with this advice:

“#BlueTeams I am gonna need you to stop what you are doing today and do this one homework assignment for me in light of LAPSUS$. What happens when your EDR on a client gets terminated unexpectedly: - Does it restart? - Do you get alerts. - Do you lock down the system & start IR?” he tweeted. 

“If someone can terminate your EDR client in its current config and you do not get an alert, it doesn’t attempt to restart automatically, and this doesn’t trigger a lock down or IR response. IT IS MISCONFIGURED.”

Security researcher Joe Helle (@joehelle) also tweeted that the Okta breach is a spotlight on EDR technologies:

“LAPSUS$ installed Process Explorer and Process Hacker and terminated FireEye. I hope the decision makers are paying attention to this, and that the shiny EDR you just paid for isn't all you need to secure your environments.”
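Linares' "homework assignment" boils down to three questions: does a killed agent restart, does anyone get an alert, and does a failed restart escalate to lockdown and incident response. The following is an added example, not code from the article or from any EDR vendor, showing what a minimal host-side watchdog answering those questions looks like. It parses constructed `tasklist /fo csv` snapshots (the agent name `xagt.exe`, the host name, and the escalation policy are assumptions for illustration), and it also raises an alert when Process Explorer or Process Hacker, the tools the article says were used, appear in the process list.

```python
"""Added example (not from the article): an EDR liveness watchdog.

Assumptions for illustration: the EDR agent runs as `xagt.exe`, the
snapshot comes from `tasklist /fo csv`, and the policy is "alert and
restart once; if the agent is still gone on the next check, isolate the
host and open an incident".
"""
import csv
import io

# Assumed agent process name; replace with the real agent on your hosts.
EXPECTED_AGENTS = {"xagt.exe"}

# Process-management tools named in the article. Their presence on a
# support workstation or server is worth an alert even before the agent dies.
WATCHED_TOOLS = {"procexp.exe", "procexp64.exe", "processhacker.exe"}


def parse_tasklist_csv(text):
    """Return the lower-cased set of image names in `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Image Name"].lower() for row in reader}


class EdrWatchdog:
    """Tracks agent health per (host, agent) across successive snapshots."""

    def __init__(self, expected=EXPECTED_AGENTS, watched=WATCHED_TOOLS, max_restarts=1):
        self.expected = {n.lower() for n in expected}
        self.watched = {n.lower() for n in watched}
        self.max_restarts = max_restarts
        self._restarts = {}  # (host, agent) -> restart attempts since last healthy check

    def observe(self, host, running):
        """Return the list of actions to take for this snapshot (may be empty)."""
        actions = []
        # Question 2: do we get an alert? Yes, for the tool and for the missing agent.
        for tool in sorted(running & self.watched):
            actions.append(f"alert:{host}:tool-present:{tool}")
        for agent in sorted(self.expected - running):
            key = (host, agent)
            actions.append(f"alert:{host}:agent-missing:{agent}")
            # Question 1: does it restart? Try up to max_restarts times.
            if self._restarts.get(key, 0) < self.max_restarts:
                self._restarts[key] = self._restarts.get(key, 0) + 1
                actions.append(f"restart:{host}:{agent}")
            else:
                # Question 3: restart did not bring it back, so lock down and start IR.
                actions.append(f"isolate:{host}")
                actions.append(f"ir:{host}:agent-missing:{agent}")
        # A healthy sighting resets the restart budget for that agent.
        for agent in self.expected & running:
            self._restarts.pop((host, agent), None)
        return actions


# Constructed snapshots in `tasklist /fo csv` format (sample data, not real hosts).
SNAPSHOT_HEALTHY = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"xagt.exe","1234","Services","0","45,000 K"
"svchost.exe","812","Services","0","12,100 K"
"explorer.exe","4410","Console","1","80,300 K"
'''

SNAPSHOT_KILLED = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","812","Services","0","12,100 K"
"explorer.exe","4410","Console","1","80,300 K"
"ProcessHacker.exe","5120","Console","1","22,700 K"
'''


def demo():
    """Run the watchdog over healthy -> killed -> still killed -> healthy."""
    watchdog = EdrWatchdog()
    sequence = [SNAPSHOT_HEALTHY, SNAPSHOT_KILLED, SNAPSHOT_KILLED, SNAPSHOT_HEALTHY]
    return [watchdog.observe("ws01", parse_tasklist_csv(s)) for s in sequence]


if __name__ == "__main__":
    for step, actions in enumerate(demo(), 1):
        print(step, actions or "no action")
```

The interesting step is the third snapshot: the agent is still missing after one restart attempt, so the host is isolated and an incident is opened rather than another silent restart. A real deployment would feed `observe` from a telemetry pipeline rather than a local process list, since a host the attacker fully controls can lie about its own processes.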

Teens in trouble

In late March, the City of London Police arrested and released seven alleged LAPSUS$ members between the ages of 16 and 21. However, the arrests appear not to have slowed the group's activity, and despite their age, they should not be underestimated, according to security experts.

“LAPSUS$ is no joke,” tweeted TrustedSec founder Dave Kennedy, who goes by the handle @HackingDave. “Okta, Microsoft, LG and others. Seeing a number of orgs hit and ones that are pretty far along sec maturity wise. They are taking advantage of gaps in detection, EDRs + more. Cloud visibility and understanding baseline behaviour is critical. Red alert.”

“It's tempting to dismiss LAPSUS$ as childish and fame-seeking. That may be true. But everyone in charge of security should know that this level of social engineering to steal access is the new norm,” noted security author Brian Krebs (@briankrebs).

Security researcher Jake Williams (@MalwareJake) agrees.

“I've seen some otherwise smart cyber security people throwing shade at Lapsus$ like ‘they're just a bunch of disorganised kids.’ Um, okay, but whoever they are, they're pretty darn effective. Like it doesn't really matter who they are if they're beating your security controls.”

Linares expects the group's recent success to prompt further growth.

“It would be really interesting to see the latest LAPSUS$ leaks & IOCs. I am strongly guessing other members of the group are stepping up and forming this newer rag tag LAPSUS$ group. Releasing data post bust to show a group is still active is classic recruitment strategy.”
