LAPSUS$ is an extortionist threat group that became active on December 10, 2021. Unlike the majority of extortionist groups that typically rely on a combination of ransomware and data leaks, LAPSUS$ focuses on the monetization of their operations exclusively through data leaks advertised on Telegram without the use of ransomware.
Initially, the group focused on data breaches against Latin American and Portuguese targets, but in late February 2022, LAPSUS$ began expanding the scope of its targeting by announcing that it had breached the US graphics and computer chip manufacturer Nvidia. Since then, LAPSUS$ has continued to focus on large international technology companies, including Microsoft, Okta, and Samsung, because the financial incentive to steal source code and extort companies over sensitive proprietary technical data is high.
Notable LAPSUS$ Targets
LAPSUS$ differs from ransomware collectives in that the group does not encrypt its victims’ files; instead, it exfiltrates sensitive files and threatens to leak them if an extortion payment is not made.
Brazilian Ministry of Health
LAPSUS$ claimed its first victim, the Brazilian Ministry of Health, on December 10, 2021. Since then, the group has claimed 19 additional victims, the first 15 of which were all Latin American and Portuguese targets.
LAPSUS$ gained further notoriety on January 11, when it redirected visitors of the official website of Localiza, one of the largest car rental conglomerates in Latin America, to a pornographic site.
On February 8, Vodafone Portugal suffered a cyberattack that disrupted its 4G and 5G services. Initially, no group claimed responsibility, and the incident was assumed to be either a Distributed Denial of Service (DDoS) attack or a ransomware attack. On February 24, however, LAPSUS$ claimed responsibility for the attack on Vodafone Portugal on its Telegram channel.
Impresa and Cofina
LAPSUS$ breached two of Portugal’s largest media companies: Impresa on January 3 and Cofina on February 6.
In perhaps its most high-profile attack to date, LAPSUS$ claimed to have breached US graphics and computer chip maker NVIDIA and exfiltrated 1 TB of data from the company’s networks, including proprietary information tied to NVIDIA GPUs that are not expected to go on sale publicly until March 29. In total, LAPSUS$ has released 150 GB of the stolen data as of the date of this posting.
The group also offered to sell, separately, a bypass for the Lite Hash Rate (LHR) limiter that Nvidia places on its GPUs to make them less efficient for crypto-mining, a measure intended to ease the global chip shortage. The group said the minimum bid it would accept for the LHR bypass was US$1 million.
On March 4, LAPSUS$ posted a message on its official Telegram channel informing its subscribers that it had carried out an attack on South Korean electronics conglomerate Samsung. The group then disclosed 189 GB of stolen Samsung data and demanded that Samsung contact the group directly to prevent further leaks.
On March 7, Samsung disclosed that it suffered a data breach in which source code for Samsung Galaxy mobile devices was stolen. However, the company said no personal customer or employee information was compromised as part of the breach. Samsung has not named a threat group responsible for the hack.
On March 20, 2022, LAPSUS$ claimed to have hacked into one of Microsoft’s Azure DevOps accounts. Later, on March 22, LAPSUS$ leaked 37 GB of stolen data that allegedly included partial source code for Bing, Bing Maps, and Cortana.
On March 22, Microsoft published a blog post detailing LAPSUS$ and confirmed that a single account had been compromised, granting the group limited access, and that source code had been viewed and exfiltrated as a result. However, Microsoft said no customer code or data was involved in the observed activity, and that its incident responders were able to interrupt the actor mid-operation. Microsoft also said it does not rely on the secrecy of code as a security measure, so viewing its source code does not lead to an elevation of risk.
On March 22, LAPSUS$ claimed to have had remote access with superuser and administrator privileges on multiple Okta systems. LAPSUS$ said it did not steal any data from Okta itself and had instead focused on Okta’s customers.
In response to the LAPSUS$ claims, Okta issued an official statement on March 22 in which the company revealed that in late January 2022 it had detected an attempt to compromise the account of a third-party customer support engineer. Okta said it investigated the incident and was able to contain it. The company said the screenshots shared by LAPSUS$ appear to be related to this incident in late January, and that its investigation has not identified any evidence of ongoing malicious activity beyond it.
LAPSUS$ and insider threats
Since LAPSUS$ became active in December 2021, they have been actively seeking corporate and government insiders who could provide the group with remote internal network access.
LAPSUS$ stated that it was not interested in corporate data stolen by insiders, but specifically in network access, listing VPNs, Citrix and AnyDesk as examples of the type of access it wanted.
On March 10, 2022, LAPSUS$ posted an announcement (below) to recruit insiders who can provide remote access to corporate networks via VPN or Virtual Desktop Infrastructure (VDI) credentials in the following industries:
- Telecommunications companies
- Large software and/or game companies
- Call centers and business process management (BPM) providers
- Server hosting providers
Screenshot of LAPSUS$ Insider Recruitment Ad (Screenshot: Flashpoint).
Even prior to this latest insider recruiting ad, Flashpoint has observed several instances of attempted insider recruiting in the LAPSUS$ Telegram group dating back to the group’s founding in December 2021. For example, on December 12, 2021, the group offered in its Telegram group to pay potential Brazilian Federal Police insiders $15,000 for internal network access to the Brazilian Federal Police network.
Although Flashpoint has not observed an example of an insider providing access to LAPSUS$ that then led to a real-world attack, it is likely that if an insider did provide access that enabled an attack, those conversations would have taken place via private direct messages rather than in the public group.
Based on LAPSUS$’s track record of openly soliciting corporate network access, Flashpoint assesses with moderate confidence that this is at least one, if not the primary, method by which the group obtains initial access to victim organizations. As the group has also demonstrated a preference for login credentials for remote network gateways, it is also possible that the group obtains some of this access through purchases on the dark web, such as logs from browser credential-stealing malware, which are readily available for purchase on several dark web account shops and marketplaces.
The post All About LAPSUS$: What We Know About The Extortionist Group appeared first on Flashpoint.