April 6, 2022

Many organizations are already struggling to combat cybersecurity threats from ransomware purveyors and state-sponsored hacking groups, both of which tend to take days or weeks to pivot from an opportunistic malware infection to a full blown data breach. But few organizations have a playbook for responding to the kinds of virtual “smash and grab” attacks we’ve seen recently from LAPSUS$, a juvenile data extortion group whose short-lived, low-tech and remarkably effective tactics have put some of the world’s biggest corporations on edge.

Since surfacing in late 2021, LAPSUS$ has gained access to the networks or contractors for some of the world’s largest technology companies, including Microsoft, NVIDIA, Okta and Samsung. LAPSUS$ typically threatens to release sensitive data unless paid a ransom, but with most victims the hackers ended up publishing any information they stole (mainly computer source code).

Microsoft blogged about its attack at the hands of LAPSUS$, and about the group targeting its customers. It found LAPSUS$ used a variety of old-fashioned techniques that seldom show up in any corporate breach post-mortems, such as:

-targeting employees at their personal email addresses and phone numbers;
-offering to pay $20,000 a week to employees who give up remote access credentials;
-social engineering help desk and customer support employees at targeted companies;
-bribing/tricking employees at mobile phone stores to hijack a target’s phone number;
-intruding on their victims’ crisis communications calls post-breach.

If these tactics sound like something you might sooner expect from spooky, state-sponsored “Advanced Persistent Threat” or APT groups, consider that the core LAPSUS$ members are thought to range in age from 15 to 21. Also, LAPSUS$ operates on a shoestring budget and is anything but stealthy: According to Microsoft, LAPSUS$ doesn’t seem to cover its tracks or hide its activity. In fact, the group often announces its hacks on social media.

ADVANCED PERSISTENT TEENAGERS

This unusual combination makes LAPSUS$ something of an aberration that is probably more aptly referred to as “Advanced Persistent Teenagers,” said one CXO at a large organization that recently had a run-in with LAPSUS$.

“There is a lot of speculation about how good they are, tactics et cetera, but I think it’s more than that,” said the CXO, who spoke about the incident on condition of anonymity. “They put together an approach that industry thought suboptimal and unlikely. So it’s their golden hour.”

LAPSUS$ seems to have conjured some worst-case scenarios in the minds of many security experts, who worry what will happen when more organized cybercriminal groups start adopting these techniques.

“LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices,” said Amit Yoran, CEO of security firm Tenable and a former federal cybersecurity czar, testifying last week before the House Homeland Security Committee. “With much deeper pockets, focus, and mission, targeting critical infrastructure. That should be a sobering, if not terrifying, call to action.”

My CXO source said LAPSUS$ succeeds because they simply refuse to give up, and just keep trying until someone lets them in.

“They would just keep jamming a few individuals to get [remote] access, read some onboarding documents, enroll a new 2FA [two-factor authentication method] and exfiltrate code or secrets, like a smash-and-grab,” the CXO said. “These guys were not leet, just damn persistent.”

HOW DID WE GET HERE?

The smash-and-grab attacks by LAPSUS$ obscure some of the group’s less public activities, which according to Microsoft include targeting individual user accounts at cryptocurrency exchanges to drain crypto holdings.

In some ways, the attacks from LAPSUS$ recall the July 2020 intrusion at Twitter, wherein the accounts for Apple, Bill Gates, Jeff Bezos, Kanye West, Uber and others were made to tweet messages inviting the world to participate in a cryptocurrency scam that promised to double any amount sent to specific wallets. The flash scam netted the perpetrators more than $100,000 in the ensuing hours.

The group of teenagers who hacked Twitter hailed from a community that traded in hacked social media accounts. This community places a special premium on accounts with short “OG” usernames, and some of its most successful and notorious members were known to use all of the methods Microsoft attributed to LAPSUS$ in the service of hijacking prized OG accounts.

The Twitter hackers largely pulled it off by brute force, writes Wired on the July 15, 2020 hack.

“Someone was trying to phish employee credentials, and they were good at it,” Wired reported. “They were calling up consumer service and tech support personnel, instructing them to reset their passwords. Many employees passed the messages onto the security team and went back to business. But a few gullible ones—maybe four, maybe six, maybe eight—were more accommodating. They went to a dummy site controlled by the hackers and entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes.”

Twitter revealed that a key tactic of the group was “phone spear phishing” (a.k.a. “voice phishing” a.k.a. “vishing”). This involved calling up Twitter staffers using false identities, and tricking them into giving up credentials for an internal company tool that let the hackers reset passwords and multi-factor authentication setups for targeted users.

In August 2020, KrebsOnSecurity warned that crooks were using voice phishing to target new hires at major companies, impersonating IT employees and asking them to update their VPN client or log in at a phishing website that mimicked their employer’s VPN login page.

Two days after that story ran, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued their own warning on vishing, saying the attackers typically compiled dossiers on employees at specific companies by mass-scraping public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. The joint FBI/CISA alert continued:

“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”

Like LAPSUS$, these vishers just kept up their social engineering attacks until they succeeded. As KrebsOnSecurity wrote about the vishers back in 2020:

“It matters little to the attackers if the first few social engineering attempts fail. Most targeted employees are working from home or can be reached on a mobile device. If at first the attackers don’t succeed, they simply try again with a different employee.”

“And with each passing attempt, the phishers can glean important details from employees about the target’s operations, such as company-specific lingo used to describe its various online assets, or its corporate hierarchy.”

“Thus, each unsuccessful attempt actually teaches the fraudsters how to refine their social engineering approach with the next mark within the targeted organization.”

SMASH & GRAB

The primary danger with smash-and-grab groups like LAPSUS$ is not just their persistence but their ability to extract the maximum amount of sensitive information from their victims using compromised user accounts that typically have a short lifespan. After all, in many attacks, the stolen credentials are useful only so long as the impersonated employee isn’t also trying to use them.

This dynamic puts tremendous pressure on cyber incident response teams, which suddenly are faced with insiders who are trying frantically to steal everything of perceived value within a short window of time. On top of that, LAPSUS$ has a habit of posting screenshots on social media touting its access to internal corporate tools. These images and claims quickly go viral and create a public relations nightmare for the victim organization.

Single sign-on provider Okta experienced this firsthand last month, when LAPSUS$ posted screenshots that appeared to show Okta’s Slack channels and another with a Cloudflare interface. Cloudflare responded by resetting its employees’ Okta credentials.

Okta quickly came under fire for posting only a brief statement that said the screenshots LAPSUS$ shared were connected to a January 2022 incident involving the compromise of “a third-party customer support engineer working for one of our subprocessors,” and that “the matter was investigated and contained by the subprocessor.”

This assurance apparently did not sit well with many Okta customers, especially after LAPSUS$ began posting statements that disputed some of Okta’s claims. On March 25, Okta issued an apology for its handling of the January breach at a third-party support provider, which ultimately affected hundreds of its customers.

My CXO source said the lesson from LAPSUS$ is that even short-lived intrusions can have a long-term negative impact on victim organizations — especially when victims are not immediately forthcoming about the details of a security incident that affects customers.

“It does force us to think about insider access differently,” the CXO told KrebsOnSecurity. “Nation states have typically wanted longer, more strategic access; ransomware groups want large lateral movement. LAPSUS$ doesn’t care, it’s more about, ‘What can these 2-3 accounts get me in the next 6 hours?’ We haven’t optimized to defend that.”

Any organizations wondering what they can do to harden their systems against attacks from groups like LAPSUS$ should consult Microsoft’s recent blog post on the group’s activities, tactics and tools. Microsoft’s guidance includes recommendations that can help prevent account takeovers or at least mitigate the impact from stolen employee credentials.


20 thoughts on “The Original APT: Advanced Persistent Teenagers

  1. mealy

    2-3 compromised credentials that can get to crown jewels in 6-24 hours is game over.
    How much resource compartmentalization does a “mature cybersecurity practice” entail?
    Central-vpn traffic monitoring for realtime credential detection? De-automated TFA + sanity✓?
    When ring-X keyholding insiders are so easily fooled or able to be bought out without supervision,
    the supervision required has to be draconian = and users will absolutely complain. Meanwhile
    the overhead required to segment and authenticate all access properly is not “business friendly.”
    It requires practices and dedicated heads that (most?) many organizations have little interest in,
    as it’s all cost and hassle and complaints with an intangible upside. Until it happens.

    And it’s bad when source gets p-b’ed but 10x magnified when mumbling coverup is attempted.
    If they aren’t going to dig proper moats they need to at least come clean about dragon activity,
    people are going to find out regardless. It’s just compounding a reputational failure over again.
    You can’t rebuild any confidence in your practices if you’re minimizing and omitting key details.
    The ones who successfully rebound confidence go the other way. Tell the truth objective 1.

    1. Jon Marcus

      Mostly agree. The one thing I’d point out is that this doesn’t appear to have targeted or gotten “crown jewels”. More like a smash and grab, scooping up whatever’s around. For instance, at Microsoft they grabbed some random source code. That stuff is proprietary, it’s not something MS wants just anyone to have. But speaking as a developer, if you try to put “draconian supervision” around the source code to our libraries, I’m not going to be able to do my job.

      Here’s an example: Let’s say you limit me to accessing relevant chunks of my department’s code, and I have to get explicit supervisor approval to access other departments’ code. Great, secure. Now I want to eliminate a problematic, deprecated method in my library. I want to make sure the method’s not still in use. Can I just grep across our company codebase for the method? Or do I need to approach each departmental supervisor, and get explicit personal approval to access their department’s code?

      And before you say, “Yeah, suck it up. Take the extra time,” what if the method I want to eliminate has been found to be insecure? How much extra time should I take before I improve security enterprise-wide?

      1. mealy

        Compartmentalization ‘should’ still allow you to do your job, done right.
        “Crown jewels” vary depending, source to user data to company HR, etc.
        “what if the method I want to eliminate has been found to be insecure?”
        If low level individuals have access to entireties of source it’s problematic.
        You could fly it up the CoC and your supervisors would have departments
        with their local SCI access search for it. There are ways of handling such
        without actually needing full access to an (entire) codebase. (+Tradeoffs.)
        It really wouldn’t be that much extra time if you have systems in place, which
        of course is the rub – MOST companies probably don’t really attempt it at all.
        Big enterprise operations don’t have a very good excuse, SMB’s “sort of” do.
        If in your example the method/func is insecure, that should be appropriately
        seen by supervisors/mgmt as a high priority and they would lean on folks.
        You don’t unlock all doors because you’re hurriedly looking for something,
        and if it’s as important as your example that should be an overseen task.
        Delegation and compartmentalization vs individual admins org-wide.
        I’m not saying there won’t be times you’d wish everything were simpler…
        but if you design the system with those cases in mind it can be workable.
        The same caveats of management not listening and rigid dogmas do apply,
        but no single dev/user should have the total lateral power you describe IMO.
        Would your method be quicker and simpler, yes. That’s the big tradeoff.

  2. Michael

    This “hack” just shows again in BOLD that cyber attacks are most often not advanced attacks, they are more than likely a cheap trick like this, I don’t even like to use the term “social engineering” as it makes the attack seem like something achieved through a lot of “effort” – even if that effort is criminal!

    Unfortunately without sufficient training for our staff we will continue to be ‘breached’ using nothing more than a bit of persistence and time, the only positive from this is with our short attention spans in the Facebook era, attackers will give up easily.

    1. Wannabe techguy

      Maybe you should look at the title of this post again. They give up easily?

  3. Tony B

    Heres evidence you can bribe your way into companies for $20k and people really think politicians aren’t taking bribes lol

  4. RICHARD

    There’s only APT upside potential until businesses are incentivized to strengthen cyberhygiene practice.

    Consumers are forced by terms of service to indemnify businesses for purchase and use of product, or any non-neglience related outcome from use.

    This means the business (and employees) are effectively faultless for breach and ransom incidents. Cyberinsurance premiums are a business expense passed onto the consumer via sales.

    Restrict indemnification use in terms of service, and boards of directors and CxOs will take note. They would be compelled to embrace CISA standards and possbly comply with NIST SP 800-53 control families for risk management.

    Personally, I doubt any measures, no matter there sincerity or effectiveness, will occur until corporate money and lobbyists are stomped.

    The current situation of breach and ransom-at-will won’t cease or subside until a few perp walks occur for business negligence and the Caesar salad lunch crowd are personally liable for under-investing in cyber training and infrastructure defenses to deter scriptkiddies.

  5. Catwhisperer

    The example here of LAPSUS$ just shows how unready we are. People forget that a rudimentary bow made of wood kills the same as a Glock. There are some great asymmetric capabilities to pay attention to here. And as usual, the wetware is the weakest link, and because of that mission persistence paid for in the end for the attackers. It appears that by focusing on higher end attack capabilities, seasoned cybersecurity teams were overcome with were basically low tech guerilla warfare tactics. I’d recommend we all revisit Sun Tzu’s Art of War, again…

  6. Paulina

    One thing no one in the industry is talking about (not even Brian himself) is how poorly we treat employees. This leads to them accepting such bribes.
    Company cultures are no longer about commitment and ownership of the objectives, they are just about “how much money can I get” or “what are benefit packages”. Even on the C-suite level! Most companies in the realm of IT/Cyber push for more revenue not to advance themselves, their goals, and their employees; but to get acquired by a big corporation!
    Just look at FireEye-turned-Mandiant-bought-by-Google. This is a big flaw!
    I am not saying that revenue should not be a focus, but commitment to a company for long-term employment should be somewhere on the priority list. Sustainability is key. I thing we done away with that culture a long time ago, when companies stopped offering pensions.
    It suddenly didn’t make sense to commit to anything. And that’s why there is a huge turnover in IT, and people are quickly bought with offers of $20k/week.

  7. Wannabe techguy

    ““They put together an approach that industry thought suboptimal and unlikely.” Guess “industry” was wrong!
    I wonder if the youths will be offered high paying jobs?

  8. Lesite24

    Cyber attacks harm large companies as well as small ones, so caution must be taken in electronic transactions

  9. Alcoholic Russians

    Yubikeys or similar physical hardware authentication devices would put an end to 99.9% of these social engineering hacks.

    1. WC

      They are indeed the most secure form of mfa. However, it doesn’t defend against use cases such as Okta’s, in which an employee was bribed to provided access. There is no silver bullet.

  10. uwatu

    study the blackhats and whitehats techniques.. don’t get caught up in petty crime, cyber war, or felony trash antics..

    you’ll understand later if you make this far.. but by doing bhat stuff many others have thought about doing.. don’t be someones tool unwillingly or
    you might have to be their tool to stay out of jail

    a young friends brother got into hacking in the early days think aol days,
    he was decently smart, quick learner and got in over his head.
    fbi busted him and his computer career either white, grey, black, whatever was over and he knew it when right before the tech boom.

    keen minds with out direction or self discipline might not get you where you want to be in life
    or it may have you beholden to the wrong people who might not let you quit bhat work.

  11. Antonio V

    That’s the downside of hiring ppl who will wear face diapers etc. They are easy to control and don’t use to think, but you have to understand that they are always like that, not just with you LOL

  12. Mahhn

    These kids and the swaths following in their foot prints are the new normal.
    Society (judicial system) has taught the youth of this world that financial crime is normal and expected. Punishment’s are minimal and rewards are huge. Like politics, but less effort.
    We talk as if security tools and practices are the solution, but that’s just the response to the crime, while the motivation of the crimes is fed all it can eat.

  13. old man

    Every passing generation thinks the new generation is somehow worse.

    Whether it’s bike gangs, muggings, or even unintentional stuff like drinking and driving .. a lot of people get hurt by teenagers doing dumb stuff, especially in groups.

    Deterrence only works up to a point. If kids don’t know or care about the penalties, then deterrence is ineffective.

    1. Mahhn

      Then the only solution left is to remove the bad potatoes from the bag, less they rot them all.

  14. Jack

    I just don’t understand why phone number spoofing is still allowed without being specifically authorized. Number spoofing has legitimate purposes, like a doctor who wants to show up on caller ID with their office number instead of their direct cell phone line. There is no reason why anyone should be able to spoof any other number they want without permission. The limited cases where spoofing is used for a legitimate purpose should check a whitelist based on the caller’s number and only allow whitelisted numbers to be used by that caller. This gaping hole in phone security is the root cause of all the spam and scam phone calls.

  15. John

    None of our cybersecurity efforts will ever “fix” the human. Gaining information and access to secure systems will always be about people. It is why Social Engineering is a guaranteed way to gain access to privileged information or locations if one pursues the endeavor to its natural conclusion.

Comments are closed.