Full Report
According to Microsoft Threat Research, as part of LAPSUS$'s large-scale social engineering and extortion campaigns, they also gained access to several of their targets' cloud environments. LAPSUS$ initially targeted organizations in the UK and South America, and then expanded ...
Analysis Summary
# Threat Actor: LAPSUS\$
## Attribution & Identity
* **Identification:** Criminal actor documented by Microsoft Threat Research.
* **Known Aliases and Associated Groups:** Documented under the campaign name LAPSUS\$. Microsoft tracks the primary actor/group under the moniker **DEV-0537** (referenced in one of the provided sources).
## Activity Summary
LAPSUS\$ is conducting large-scale social engineering and extortion campaigns. A key aspect of their recent activity involves gaining access to targets' cloud environments. Their attack flow typically proceeds in three stages:
1. **Initial Access:** Gaining access to on-premises environments via compromised users, leveraging social engineering to impersonate accounts and bypass weak authentication.
2. **Abusing Access:** Exploiting unpatched applications on newly accessible resources, escalating privileges, moving laterally, and potentially locking out existing administrators if administrative status is achieved.
3. **Cloud Infrastructure Access:** Moving laterally within the organization's cloud environments to access sensitive data for extortion purposes. The final stage often involves deleting compromised systems and resources.
## Tactics, Techniques & Procedures
* **Initial Access:** Social engineering, impersonation of user accounts, bypassing insecure authentication mechanisms.
* **Credential Access:** Credential theft.
* **Privilege Escalation/Lateral Movement:** Abusing trust and privileges across accounts, exploiting known vulnerabilities on accessible resources, escalating privileges, and moving laterally.
* **Defense Evasion/Impact:** Locking out existing admin users upon achieving administrator status; deleting compromised systems and resources post-operation.
* **Targeted Technologies:** GitLab, Jira Server, Confluence Server, GitHub, SharePoint.
* **Observed Techniques:** Vulnerability exploitation, Cloud API enumeration.
## Targeting
* **Sectors:** Not explicitly listed, but the focus on software development tools (GitLab, GitHub) and collaboration tools (Jira, Confluence) suggests a focus on technology firms or organizations with significant software development lifecycles.
* **Geography:** Initially targeted organizations in the **UK** and **South America**, later expanding to other countries.
* **Victims:** Specific organizations not named in the provided context.
## Tools & Infrastructure
* **Malware Families Used:** None explicitly listed in the provided text snippets.
* **Infrastructure (C2, domains, IPs):** Not specified in the provided text.
## Implications
LAPSUS\$ poses a significant threat due to its successful blend of social engineering to achieve initial access and its subsequent pivot to exploiting on-premises weaknesses to gain deep access into cloud environments. The ability to leverage cloud APIs and then delete resources post-extortion highlights a destructive capability alongside data exfiltration and ransom demands.
## Mitigations
* Employ robust authentication mechanisms resistant to social engineering bypasses.
* Patch known vulnerabilities on accessible resources promptly, especially those pertaining to cloud services.
* Harden cloud environments against privilege abuse across accounts and lateral movement.
* Monitor for privilege escalation, especially processes leading to administrative control.
* Implement safeguards to prevent the deletion of critical systems and resources post-incident.
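An added example, not from the Microsoft report or this page: a small Python detection over constructed, vendor-neutral cloud audit events that flags the three-stage pattern summarized above (a newly elevated account removing other administrators, a burst of cloud API enumeration, then bulk resource deletion). The event field names, action names and thresholds are assumptions, not any provider's real schema.

```python
"""Flag the LAPSUS$-style post-access pattern in cloud audit events:
admin lockout after self-elevation, API enumeration, bulk deletion."""
from collections import defaultdict

# Constructed sample events (hypothetical schema, not real telemetry).
# "t" is seconds; "target" is the object acted on; "role" only on role ops.
EVENTS = [
    {"t": 100, "actor": "svc-build", "action": "RoleAssign", "target": "svc-build", "role": "Owner"},
    {"t": 130, "actor": "svc-build", "action": "ListUsers", "target": "*"},
    {"t": 131, "actor": "svc-build", "action": "ListStorageAccounts", "target": "*"},
    {"t": 132, "actor": "svc-build", "action": "ListKeyVaults", "target": "*"},
    {"t": 140, "actor": "svc-build", "action": "RoleRemove", "target": "alice", "role": "Owner"},
    {"t": 141, "actor": "svc-build", "action": "RoleRemove", "target": "bob", "role": "Owner"},
    {"t": 300, "actor": "svc-build", "action": "DeleteVM", "target": "prod-db-01"},
    {"t": 301, "actor": "svc-build", "action": "DeleteStorageAccount", "target": "prod-backups"},
    {"t": 302, "actor": "svc-build", "action": "DeleteVM", "target": "prod-web-01"},
    {"t": 900, "actor": "alice", "action": "ListUsers", "target": "*"},
]

ADMIN_ROLES = {"Owner", "Global Administrator"}  # assumed admin role names


def max_in_window(times, window):
    """Largest number of sorted timestamps falling inside any `window` span."""
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_lapsus_pattern(events, enum_threshold=3, delete_threshold=3, window=600):
    """Return {actor: [finding, ...]} for actors matching one or more stages."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_actor[e["actor"]].append(e)
    findings = {}
    for actor, evs in by_actor.items():
        hits = []
        # Stage 2: actor gained an admin role, then stripped it from others.
        elevated_at = next((e["t"] for e in evs if e["action"] == "RoleAssign"
                            and e["target"] == actor and e.get("role") in ADMIN_ROLES), None)
        removals = [e["t"] for e in evs if e["action"] == "RoleRemove"
                    and e.get("role") in ADMIN_ROLES and e["target"] != actor]
        if elevated_at is not None and any(elevated_at <= t <= elevated_at + window for t in removals):
            hits.append("admin_lockout")
        # Stage 3a: many read/list calls against cloud APIs (enumeration).
        if sum(1 for e in evs if e["action"].startswith("List")) >= enum_threshold:
            hits.append("api_enumeration")
        # Stage 3b: resource deletions clustered in time (destructive impact).
        deletes = [e["t"] for e in evs if e["action"].startswith("Delete")]
        if max_in_window(deletes, window) >= delete_threshold:
            hits.append("bulk_deletion")
        if hits:
            findings[actor] = hits
    return findings
```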