LAPSUS$ is the group on everyone’s mind today, having just leaked data around a potential breach of #Okta, a widely-used SSO & identity provider. So let’s take some time to dive into #LAPSUS$, where they came from, how they’ve evolved, and how to defend against them.
LAPSUS$ appeared in only a few months ago, in December 2021. They appear to be Brazilian-based or affiliated, going off of their initial targets and the languages used on their Telegram channels
Notable analysts have described them as “erratic and unusual” (@brettcallow in Wired) and “competent and incompetent at the same time” because of their seeming inability to monetize their successful breaches
https://twitter.com/MalwareTechBlog/status/1506148594214002691?s=20
LAPSUS$ has been tentatively linked to ransomware deployments, but little to no public information exists about the nature of these deployments or public samples. Still, LAPSUS$ group has followed in the footsteps of the extortion model popularized by ransomware groups
like Maze, Sodinokibi, REvil, and Conti, including naming-and-shaming victims and dumping data. What's different is that the victim naming seems to be the point for LAPSUS$, publicizes data on its Telegram channel, https://t(.)me(/)minsaudebr and chats with members 
LAPSUS$ doesn’t seem to be effective at the “ransom” part of extortion. While the group claimed in early December that “the only thing we want is the monetization of the act” they have not shown much success in actually extorting payments from victims.
On the contrary, they have shown a desire for publicity, repeatedly posting an email address for journalists, saudegroup@ctemplar.com, promoting the use of their Telegram chat, and even running polls for which data to release next
With the recent release of screenshots showing superuser access to Okta, many teams are reasonably concerned. But there's some indications this concern could be overblown
https://twitter.com/vxunderground/status/1506114493067186183?s=20&t=7GqHibiQivs4e3ujeo903w
.@BushidoToken noted members of LAPSUS$ were behind the EA hack in June 2021 and interviewed by @josephfcox; they then claimed to have used Genesis Market to have gained access via a bot purchased on the site
https://twitter.com/BushidoToken/status/1503673719566262276?s=20
Bot access allows criminals to keep victim browser sessions and fingerprints intact. It's speculation, but this kind of access would explain the type screenshots and access we've seen from LAPSUS$ in the latest data dumps
The alternate hypothesis is that LAPSUS$ is leveraging paid insider threats. LAPSUS$ posted an ad for insiders on their Telegram channel, and this is still a possible vector for access or more
I wrote a thread on this, but the point is that right now we don't know. I would probably side on the the Genesis Market being more likely mainly due to ease and expense, but it's far too dismissive to say that ad was just info ops
Still, the large dumps of data, particularly the Microsoft dump are worrying. There's a lot of code (9GB). LAPSUS$ previously dumped source code, code signing certificate in the case of NVIDIA, with those certs weaponized in Mimikatz and Quasar RAT
https://twitter.com/S0ufi4n3/status/1506213992108371970?s=20&t=7GqHibiQivs4e3ujeo903w
Serial Numbers of Stolen NVIDIA Certificates
43BB437D609866286DD839E1D00309F5
14781bc862e8dc503a559346f5dcc518
43BB437D609866286DD839E1D00309F5
14781bc862e8dc503a559346f5dcc518
https://twitter.com/cyb3rops/status/1499514240008437762?s=20&t=zBBcR4HnLFedMra2VMUi6g
CONCLUSION: LAPSUS$ (UNC3661) i opportunistic, experimental, but fairly successful. Guard identity and actively monitor for leaked credentials appearing on markets, dumps, and malware logs. Build for internal monitoring and limited 3rd party access long term. And please: be kind.
BTW, this is an example of why I am far more worried about the MSFT leaks than the Okta "breach"
https://twitter.com/S0ufi4n3/status/1506325204787679237?s=20&t=TIbJ5mQpsSwwtoaNwfN1Ew
• • •
Missing some Tweet in this thread? You can try to
force a refresh
