Advanced Persistent Teens – KrebsOnSecurity

Many organizations are already struggling to combat cybersecurity threats from ransomware purveyors and state-sponsored hacking groups, both of which tend to take days or weeks to pivot from an opportunistic malware infection to a full-blown data breach. But few organizations are prepared to respond to the kinds of virtual “smash and grab” attacks we’ve seen recently from LAPSUS$, a data extortion group whose short-lived, low-tech, and remarkably effective tactics have put some of the world’s largest companies on edge.

Since its emergence in late 2021, LAPSUS$ has gained access to the networks or contractors of some of the world’s largest technology companies, including Microsoft, NVIDIA, Okta and Samsung. LAPSUS$ typically threatens to release sensitive data unless a ransom is paid, but with most victims the hackers ended up releasing whatever information they stole (mostly computer source code).

Microsoft published a write-up on the LAPSUS$ attack against it and on the group’s targeting of its customers. It found that LAPSUS$ used a variety of old-school, low-tech techniques that rarely appear in corporate breach postmortems, such as:

– targeting employees at their personal email addresses and phone numbers;
– offering to pay $20,000 a week to employees who give up remote access credentials;
– social engineering help desk and customer support staff at target companies;
– bribing or tricking employees of mobile phone stores into hijacking a target’s phone number;
– intruding on their victims’ post-breach crisis communication calls.

If these tactics sound like something you would sooner expect from a dreaded state-sponsored “advanced persistent threat” or APT, consider that LAPSUS$’s principal members are believed to be between 15 and 21 years old. Also, LAPSUS$ operates on a small budget and is anything but stealthy: according to Microsoft, LAPSUS$ does not appear to cover its tracks or hide its activity. In fact, the group often announces its hacks on social media.

Advanced Persistent Teens

This unusual combination makes LAPSUS$ something of an aberration that is perhaps more aptly referred to as “advanced persistent teenagers,” said one senior executive at a large organization that recently had a run-in with LAPSUS$.

“There is a lot of speculation about its quality, tactics, etc., but I think it is more than that,” said the executive, who spoke about the incident on condition of anonymity. “Together, they put together an approach that the industry thought was suboptimal and unlikely. So it’s their golden hour.”

LAPSUS$ appears to have conjured worst-case scenarios in the minds of many security experts, who fear what will happen when more organized cybercriminal groups start adopting these tactics.

“LAPSUS$ has shown that with just $25,000, a group of teens can get into organizations with mature cybersecurity practices,” said Amit Yoran, CEO of security firm Tenable and a former federal cybersecurity czar, testifying last week before the House Homeland Security Committee. “With much deeper pockets, focus, mission, and critical infrastructure targeting. It should be a realistic, if not terrifying, call to action.”

My CXO source said LAPSUS$ succeeded because they simply refused to give up, and kept trying until someone let them in.

“They would just keep jamming a few people to get [remote] access, read some onboarding documents, register a new 2FA [two-factor authentication] method, and sneak out code or secrets, like a smash-and-grab game,” the CXO said. “These guys weren’t ready, just damn persistent.”

How did we get here?

The smash-and-grab attacks carried out by LAPSUS$ are overshadowing some of the group’s less publicized activities, which according to Microsoft include targeting individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.

In some ways, the LAPSUS$ attacks mirror the July 2020 Twitter break-in, in which the accounts of Apple, Bill Gates, Jeff Bezos, Kanye West, Uber and others were made to tweet messages urging the world to participate in a cryptocurrency scam that promised to double any amount sent to specific wallets. The perpetrators of that flash scam made off with more than $100,000 in the hours that followed.

The group of teens who hacked Twitter came from a community that traded in hijacked social media accounts. This community places a special premium on accounts with short “OG” usernames, and some of its most successful and notorious members have been known to use all of the methods Microsoft attributes to LAPSUS$ in their pursuit of prized OG accounts.

The Twitter hackers largely succeeded through brute-force persistence, Wired reported on July 15, 2020.

Wired reported that “someone was trying to phish employee credentials, and they were pretty good at it. They were calling consumer service and tech support staff, asking them to reset their passwords. Several of the employees passed the messages on to the security team and went back to work. But a few naive ones—maybe four, maybe six, maybe eight—were more accommodating. They went to a fake website controlled by the hackers and entered their credentials in a way that provided their usernames and passwords as well as multifactor authentication codes.”

Twitter revealed that one of the group’s main tactics was “phone spear phishing” (also known as “voice phishing” or “vishing”). This involved calling Twitter employees under fake identities and tricking them into giving up credentials to an internal company tool that let the hackers reset passwords and multifactor authentication settings for targeted users.

In August 2020, KrebsOnSecurity warned that scammers were using voice phishing to target new hires at major companies, impersonating IT staff and asking them to update their VPN client or log into a phishing website that mimicked their company’s VPN login page.

Two days after that story ran, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued their own warning about vishing, saying that attackers typically compile dossiers on employees at specific companies by mass-scraping public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. The joint FBI/CISA alert continued:

“The actors initially started using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cell phones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, even posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at the company, and home address—to gain the trust of the targeted employee.”

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real time to gain access to corporate tools using the employee’s account.”

Like LAPSUS$, these vishers kept up their social engineering attacks until they succeeded. As KrebsOnSecurity wrote of the vishers in 2020:

“It matters little to the attackers if the first few social engineering attempts fail. Most of the targeted employees are working from home or can be reached on a mobile device. If at first the attackers don’t succeed, they simply try again with a different employee.”

“With each passing attempt, scammers can obtain important details from employees about the target’s operations, such as the company’s own terminology used to describe its various online assets, or the company’s hierarchy.”

“Thus, every failed attempt actually teaches the scammers how to refine their social engineering approach with the next target within the organization.”

Smash and grab

The primary risk with smash-and-grab groups like LAPSUS$ is not only their persistence but their ability to extract as much sensitive data as possible from their victims using compromised user accounts that typically have a short lifespan. After all, in many attacks the stolen credentials are useful only for as long as the impersonated employee isn’t also trying to use them.

This dynamic puts enormous pressure on cyber incident response teams, which are suddenly faced with intruders frantically trying to steal everything of perceived value within a short time frame. Furthermore, LAPSUS$ has a habit of posting screenshots to social media touting its access to a company’s internal tools. Those images and claims spread rapidly and create a public relations nightmare for the victim organization.
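As an added example (not code from the article, from Microsoft’s write-up, or from any victim organization), the following Python script shows how a defender might turn two of the behaviours described above into detections over an identity audit log: the “register a new 2FA method” step the CXO describes shortly after a help-desk password reset, and the short-window bulk extraction that a smash-and-grab group performs with a compromised account before it is noticed. The log format, event names, user names, baseline figures and thresholds are all constructed assumptions for this example, not a real product’s schema.

```python
"""Two LAPSUS$-style detections over a constructed identity audit log.

Signal 1: an MFA factor is enrolled within a short window after a help-desk
          password reset on the same account.
Signal 2: an account reads far more resources inside a sliding 6-hour window
          than its historical baseline (the "3 accounts in 6 hours" pattern).

Log format, event names, baselines and thresholds are assumptions made for
this example; adapt them to whatever your identity provider actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one event per line,
# "<ISO timestamp> user=<name> event=<type> [key=value ...]".
SAMPLE_LOG = """\
2022-03-20T09:00:00 user=alice event=helpdesk.password_reset ticket=HD-1001
2022-03-20T09:07:00 user=alice event=mfa.factor_enrolled type=sms
2022-03-20T09:10:00 user=alice event=repo.read repo=core-api
2022-03-20T09:11:00 user=alice event=repo.read repo=billing
2022-03-20T09:12:00 user=alice event=repo.read repo=infra
2022-03-20T09:15:00 user=alice event=repo.read repo=mobile-app
2022-03-20T09:20:00 user=alice event=repo.read repo=secrets-vault
2022-03-20T09:25:00 user=alice event=repo.read repo=ci-config
2022-03-20T10:00:00 user=bob event=repo.read repo=core-api
2022-03-20T11:30:00 user=bob event=mfa.factor_enrolled type=totp
2022-03-20T14:00:00 user=carol event=helpdesk.password_reset ticket=HD-1002
2022-03-20T16:00:00 user=carol event=repo.read repo=docs
2022-03-21T09:00:00 user=carol event=mfa.factor_enrolled type=totp
"""

# Typical repo reads per user in any 6-hour window, as a defender would derive
# from weeks of history. Constructed values for this example.
BASELINE_6H = {"alice": 1, "bob": 3, "carol": 1}


def parse_log(text):
    """Parse the key=value log lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_mfa_after_reset(events, window=timedelta(minutes=30)):
    """Signal 1: MFA enrolment within `window` of a help-desk password reset.

    Returns (user, reset_time, enrol_time, factor_type) tuples.
    """
    last_reset = {}
    hits = []
    for e in events:
        user = e["user"]
        if e["event"] == "helpdesk.password_reset":
            last_reset[user] = e["ts"]
        elif e["event"] == "mfa.factor_enrolled" and user in last_reset:
            if e["ts"] - last_reset[user] <= window:
                hits.append((user, last_reset[user].isoformat(),
                             e["ts"].isoformat(), e.get("type")))
    return hits


def find_bulk_access(events, baselines, window=timedelta(hours=6),
                     multiplier=5, event_type="repo.read"):
    """Signal 2: more than multiplier x baseline accesses in a sliding window.

    Returns (user, window_start, window_end, count) tuples, one per user.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == event_type:
            per_user[e["user"]].append(e["ts"])
    hits = []
    for user, times in per_user.items():
        limit = multiplier * baselines.get(user, 1)
        start = 0
        for end in range(len(times)):
            # Advance the window start until the window fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > limit:
                hits.append((user, times[start].isoformat(),
                             times[end].isoformat(), count))
                break  # one alert per user is enough for triage
    return hits


def run_detections(text=SAMPLE_LOG, baselines=BASELINE_6H):
    """Run both detections and return their findings together."""
    events = parse_log(text)
    return {
        "mfa_after_reset": find_mfa_after_reset(events),
        "bulk_access": find_bulk_access(events, baselines),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(name, findings)
```

In the sample, only alice trips both rules: an SMS factor enrolled seven minutes after a help-desk reset, followed by six repository reads in fifteen minutes against a baseline of one. Carol’s enrolment the day after her reset falls outside the window, and bob enrols a factor with no reset at all, so neither is flagged. The point of pairing the two signals is that either alone is noisy in a real environment, while the combination on one account inside a few hours is exactly the short-lived access the article describes.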

Single sign-on provider Okta experienced this firsthand last month, when LAPSUS$ posted screenshots showing Okta’s Slack channels and another showing a Cloudflare interface. Cloudflare responded by resetting its employees’ Okta credentials.

Okta was soon criticized for posting only a brief statement saying that the screenshots shared by LAPSUS$ were related to a January 2022 incident involving the compromise of a “third-party customer support engineer working for one of our subprocessors” that was “investigated and contained by the subprocessor.”

That assertion apparently did not sit well with many Okta customers, especially after LAPSUS$ began posting statements disputing some of Okta’s claims. On March 25, Okta issued an apology for its handling of the January breach at a third-party support provider, which ultimately affected hundreds of its customers.

My CXO source said the lesson from $LAPSUS$ is that even short-term intrusions can have a long-term negative impact on victim organizations — especially when victims don’t communicate immediately about details of a security incident affecting clients.

“It forces us to think differently about insider access,” the CXO told KrebsOnSecurity. “Nation-states have typically wanted longer, strategic access; ransomware groups want broad lateral movement. LAPSUS$ doesn’t care, it’s about ‘what can these 3 accounts get you in the next 6 hours?’ We haven’t improved to defend against that.”

Any organization wondering what it can do to harden its systems against attacks from groups like LAPSUS$ should refer to Microsoft’s recent blog post about the group’s activities, tactics, and tools. Microsoft’s guidance includes recommendations that can help prevent account takeovers or at least mitigate the impact of stolen employee credentials.