John Wetzel Profile picture
Mar 21 16 tweets 6 min read
Rumors that #lapsus$ ransomware group breached #Microsoft via an Azure DevOps panel posted to the group’s Telegram then subsequently taken down. Here’s a thread on the group operations, and how they seem to use #insider threat for access
Lapsus$ has been on a tear, with recent breaches at Ubisoft and NVIDIA, where the group stole and then posted data including code-signing certificates wired.com/story/lapsus-h…
lapsus$ posts stolen data to their Telegram, where they also post surveys asking who they should attack next and even ads recruiting insiders from certain companies. Here’s a screenshot of that post from earlier this month
Using insider threats isn’t novel, but it IS usually sidelined in cybersecurity discussions for conversations. Despite this, insider threats remain a viable and successful way for outside groups to conduct attacks
Recruitments of insiders have long appeared in posts of dark web forums, often linked to finance targets or direct messages on social media (timeline below via @RecordedFuture)
What’s interesting is that lapsus$, a ransomware group, seems to be leaning particularly heavily on insiders for access and possibly much more, albeit very sloppily. For example, several have pointed out the user profile left in the screenshot posted in the lapsus$ telegram
So how do you defend against insiders? First step is actually the hardest: monitor and improve employee satisfaction. Happy people don’t spy, but may make mistakes. Creating an environment where security is a partner, not an executioner, is critical
Second, monitor for the mistakes. Look for leaked employee credentials, monitor code repos for keys. Identity is the cornerstone to insider threat defense, so MFA, SSO, tokens all strengthen your ability to tie actions to specific people
Third, monitor attackers who leverage insider actions. Attackers use methods like registering lookalike external and internal domains ($) to recruiting and bribing ($$$). Note: the latter is almost only ever going to be found via employee reporting so make this EASY and PAINLESS
Finally, DON’Ts: Don’t be creepy. Remember the 1st point on happiness? You need trust with employees, despite whatever “zero trust” says (no one has made it work yet). Build trust with your employees, and this includes social media monitoring, just don’t. It doesn’t work anyhow
Hope this is helpful. I used to set up insider threat programs with US gov contractors, and currently discuss insider threat, threat intel, and security at @RecordedFuture and my website painlesscyber.com
LAPSUS$ now claiming and posting screenshots as evidence of popping Okta, spilling *partial* source code of Microsoft products Bing, Cortana
Cloudflare reacting to *potential* Okta breach
And Okta saying the screenshots appear to be linked to a popped third party event from January
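The thread's second and third defensive steps (watch for leaked keys in code repos; watch for lookalike domains attackers register to approach staff) are the kind of thing a small monitoring script can cover. The following is an added example written for this unroll, not code from the thread's author or from Recorded Future: it scans text for a few well-known credential formats and flags domains that resemble a company's own after normalising common look-alike character substitutions. All domain names, the sample repo text and the credential-looking strings are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Regexes for widely documented credential formats (assumption: a starter set,
# not an exhaustive secret-scanning ruleset).
SECRET_PATTERNS = {
    # AWS access key IDs start with AKIA (long-term) or ASIA (temporary) + 16 chars
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM-encoded private key header
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # "api_key = '...'" style assignments with a long opaque value
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}


def find_secrets(text):
    """Return a list of (line_number, pattern_name) for every line that matches
    one of the secret patterns. Line numbers are 1-based."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((line_no, name))
    return hits


# Character sequences commonly swapped in to imitate a legitimate name.
# Order matters: multi-character substitutions are applied before single ones.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]


def normalize_label(domain):
    """Lower-case the leftmost domain label and undo common confusable swaps,
    so 'Examp1e-Corp.com' and 'exarnple-corp.com' both become 'example-corp'."""
    label = domain.lower().split(".")[0]
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def lookalike_of(candidate, legit_domains, threshold=0.8):
    """Return the legitimate domain that `candidate` most closely imitates, or
    None if it is an exact legitimate domain or not similar enough."""
    if candidate.lower() in (d.lower() for d in legit_domains):
        return None
    cand = normalize_label(candidate)
    best, best_score = None, 0.0
    for legit in legit_domains:
        score = SequenceMatcher(None, cand, normalize_label(legit)).ratio()
        if score > best_score:
            best, best_score = legit, score
    return best if best_score >= threshold else None


# Constructed sample input: a fake config file as it might be committed by mistake.
# The AWS key is the publicly documented example value; the others are made up.
SAMPLE_REPO_TEXT = """\
# constructed sample file, not real credentials
DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_key = "abcdefghijklmnopqrstuvwxyz0123"
-----BEGIN RSA PRIVATE KEY-----
"""

# Constructed list of the organisation's own domains (hypothetical names).
LEGIT_DOMAINS = ["example-corp.com", "example-corp-vpn.net"]

if __name__ == "__main__":
    for line_no, name in find_secrets(SAMPLE_REPO_TEXT):
        print(f"line {line_no}: possible {name}")
    for newly_registered in ["examp1e-corp.com", "exarnple-corp.com", "unrelated.org"]:
        print(newly_registered, "->", lookalike_of(newly_registered, LEGIT_DOMAINS))
```

In practice `find_secrets` would run as a pre-commit hook or over repository history, and `lookalike_of` over a feed of newly registered domains; both produce leads for a human to review, which matches the thread's point that most insider cases still surface through people reporting something odd.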
More from @johnwetzel

Mar 24
So how do you *prevent* #insider threats?
Short answer is you don’t
Long answer is you spend a lot of money…and still don’t

But you CAN monitor, identify, and react to insiders and insider-like threats #lapsus$
(🧵)
I worked counterintelligence from 2003 to 2016 with US military and civilian agencies. In that time, I investigated, taught, and helped build insider threat programs. One big lesson learned: insider threats are usually caught from the outside. But how?
Because insider threat *always* has an external nexus. Whether it’s a foreign gov, LAPSUS$, or even a reporter looking for a scoop, there’s always an external actor washingtonpost.com/national-secur…
Mar 22
LAPSUS$ is the group on everyone’s mind today, having just leaked data around a potential breach of #Okta, a widely-used SSO & identity provider. So let’s take some time to dive into #LAPSUS$, where they came from, how they’ve evolved, and how to defend against them.
LAPSUS$ appeared only a few months ago, in December 2021. They appear to be Brazilian-based or affiliated, going off of their initial targets and the languages used on their Telegram channels
Notable analysts have described them as “erratic and unusual” (@BrettCallow in Wired) and “competent and incompetent at the same time” because of their seeming inability to monetize their successful breaches
Mar 21
The problem if you’re USG is something like this: you have good information that attacks are imminent but not enough to prevent attacks outright. What do you do?
US intelligence likely based estimates on a wide variety of sources, such as spies, intercepted comms, even implants of their own. So you could KNOW the order’s been given but not know specifics. Reading for nuance and details is key
So as USG do you warn? Probably, even if you know it’s somewhat futile. And there’s subtle messaging such as the note on “evolving” intelligence—Likely speaks to fluidity of Russia decision more than uncertainty of intelligence