What do I need to do about Lapsus$?

Lapsus$ hacking group

Some well-known brands including Microsoft®, Samsung, and Okta have been compromised by hacking group Lapsus$.

Do we need to be concerned and what can we do to reduce our risk?

So far Lapsus$ has taken a very targeted approach. There’s evidence that they’re actively trying to recruit employees of telecommunications companies, large software/gaming companies, and call centre and server hosting providers. This approach allows Lapsus$ gain access and take advantage of these organisations’ business relationships with their customers and supply chain.

Lapsus$ has been offering financial compensation to employees of these organisations in exchange for login credentials for VPN or RDP-related solutions at each targeted organisation.

Once Lapsus$ has established access using the acquired VPN or RDP credentials, their mode of operation is to move laterally by exploiting unpatched vulnerabilities on internally accessible servers. They then search code repositories for further credentials and intellectual property.

After exfiltration, the group has also been known to delete the target’s systems and resources. The aim is to trigger the organisation’s incident response process. The group then goes on to join the organisation’s incident response calls and internal discussion chat forums.

What you can do

As always, cyber security best practice applies, especially with regards to vulnerability management, identity & access management, and security monitoring. To keep yourself protected from Lapsus$, you should:

  • Enforce multifactor authentication for all users accessing your environment. It’s advised to avoid MFA solutions that leverage SMS as they can be susceptible to SIM-jacking.
  • Ensure all devices with access to your environment are trusted, patched, and running up to date security software before granting access (consider ZeroTrust approach for best coverage here).
  • Ensure least privileged access for all your administrator and service accounts (consider Privileged Access Management solution).
  • Ensure you are proactively scanning for and patching vulnerabilities across all your IT assets.
  • Strengthen and monitor your cloud security posture (consider Cloud Posture Security Management and Cloud Access Security Broker solutions).
  • Monitor logs for suspicious activity 24×7 with particular focus on any suspicious activity related to identities and access. Block any medium or high-risk sign-in attempts, creation or modifications, Exchange Online transport rules, or other tenant wide security configuration changes. (Consider SIEM solution, managed SIEM service, and user entity and behavioural analytics solution).
  • Encourage your users to report any suspicious or unusual contact from your organisation’s help desk or third-party IT/ application service providers.
  • Enforce geolocation for all users when using a VPN and force all VPN connections to route the connecting device’s internet connection to the firewall’s network. Next, force a setting to filter all internet bound traffic by a proxy.
  • Set your VPN solution to have certain conditional access requirements via compliance before a user can connect to the VPN. This can include ensuring certain AV protection is running, systems are joined to the domain, devices are on a certain patch level, and so on.
  • Understand your estate’s internet bound traffic and document behaviour to easily flag suspicious traffic.

Organisations that don’t believe they’ll fall into the categories being targeted by Lapsus$ need to be aware that other hacking groups will adopt the tactics, procedures, and techniques utilised by Lapsus$ given the high-profile successes reported in the media. This, along with the current geo-political landscape, can be seen as an early warning sign to revisit security practices to ensure best practices are being followed.