Rumors that #lapsus$ ransomware group breached #Microsoft via an Azure DevOps panel posted to the group’s Telegram then subsequently taken down. Here’s a thread on the group operations, and how they seem to use #insider threat for access
https://twitter.com/AlvieriD/status/1505408621055672320
Lapsus$ has been on a tear, with recent breaches at Ubisoft and NVIDIA, where the group stole them posted data including code-signing certificates wired.com/story/lapsus-h…
lapsus$ posts stolen data to their Telegram, where they also post surveys asking who they should attack next and even ads recruiting insiders from certain companies. Here’s a screenshot of that post from earlier this month
https://twitter.com/lordx64/status/1502021545883054083
Using insider threats isn’t novel, but it IS usually sidelined in cybersecurity discussions for conversations. Despite this, insider threats remain a viable and successful way for outside groups to conduct attacks
https://twitter.com/laughing_mantis/status/1504543477274603520
Recruitments of insiders have long appeared in posts of dark web forums, often linked to finance targets or direct messages on social media (timeline below via @RecordedFuture) 
What’s interesting is that lapsus$, a ransomware group, seems to be leaning particularly heavily on insiders for access and possibly much more, albeit very sloppily. For example, several have pointed out the user profile left in the screenshot posted in the lapsus$ telegram
So how do you defend against insiders? First step is actually the hardest: monitor and improve employee satisfaction. Happy people don’t spy, but may make mistakes. Create an environment where security is a partner not an executioner is critical
Second, monitor for the mistakes. Look for leaked employee credentials, monitor code repos for keys. Identity is the cornerstone to insider threat defense, so MFA, SSO, tokens all strengthen your ability to tie actions to specific people
Third, monitor attackers who leverage insider actions. Attackers use methods like registering lookalike external and internal domains ($) to recruiting and bribing ($$$). Note: the latter is almost only ever going to be found via employee reporting so make this EASY and PAINLESS
Finally, DON’Ts: Don’t be creepy. Remember the 1st point on happiness? You need trust with employees, despite whatever “zero trust” says (no one has made it work yet). Build trust with your employees, and this includes social media monitoring, just don’t. It doesn’t work anyhow
Hope this is helpful. I used to setup insider threats programs with US gov contractors, and currently discuss insider threat, threat intel, and security at @RecordedFuture and my website painlesscyber.com
MSFT now investigating
https://twitter.com/josephfcox/status/1505886439254507525
LAPSUS$ now claiming and posting screenshots as evidence of popping Okta, spilling *partial* source code of Microsoft products Bing, Cortana
https://twitter.com/BillDemirkapi/status/1506107157124722690
Cloudflare reacting to *potential* Okta breach
https://twitter.com/eastdakota/status/1506158901078618118
And Okta saying the screenshots appear to be linked to a popped third party event from January
https://twitter.com/toddmckinnon/status/1506184721922859010
• • •
Missing some Tweet in this thread? You can try to
force a refresh
