EXECUTIVE SUMMARY:

Lapsus$ is a relatively new entrant in a cut-throat cyber criminal world, but the group has become one of the most publicly active hacking and extortion gangs of this year, establishing itself through a series of high-profile intrusions. The group specializes in stealing source code and other internal data from large enterprises.

After targeting enterprise technology companies and obtaining data, Lapsus$ sometimes demands a ransom and sometimes simply posts the stolen information on its Telegram channel, which has roughly 47,000 subscribers.

In a display of its attention-seeking behavior, Lapsus$ engages extensively with its Telegram followers. For example, the group posts interactive polls asking subscribers to suggest future government and corporate targets.

Lapsus$ gains notoriety

The US Cybersecurity and Infrastructure Security Agency (CISA) placed Lapsus$ on its radar after the group breached the Brazilian Ministry of Health, several US-based Fortune 100 firms, and the French game publisher Ubisoft. The Lapsus$ hackers have obtained source code for numerous high-value products and service offerings.

Most recently, Lapsus$ targeted the San Francisco-based identity and access management firm Okta. Because thousands of government and private sector organizations rely on Okta to authenticate their users, the incident has raised significant security concerns. Okta has said that several hundred of its customers may have been affected.

“Through private keys retrieved within Okta, the cyber gang may have access to corporate networks and applications. Hence, a breach at Okta could lead to potentially disastrous consequences,” writes Check Point Software.

Lapsus$ cyber criminal information

Initially, Lapsus$ was believed to operate out of South America, and some considered it a possible front for a government-backed hacking group. Since then, Lapsus$ members have expressed that the group is not nation-state backed and that motivations are financial in nature.

Although the investigation remains ongoing, the BBC reports that a 16-year-old autistic teenager may be the leader of the cyber crime group. Seven individuals in the London area have since been arrested as suspected group members.

While that information could easily lead professionals to dismiss Lapsus$ as a group of amateurs, the group's tactics and track record should prompt anyone in charge of organizational security to take it seriously.

Protect against compromised identities

According to Microsoft, the Lapsus$ hackers rely on large-scale social engineering and extortion campaigns to achieve their objectives, including phone-based social engineering of help desks, SIM swapping, and repeatedly sending MFA push prompts until a tired user approves one. In select cases, the group has paid employees or suppliers of targeted businesses to provide access to networks and systems. Okta is believed to have been breached through the compromise of a third-party customer support engineer's account.

If your organization is concerned about similar identity-focused breaches, a variety of solutions and techniques can help protect identities, detect compromised identities, and surface suspicious identity behavior.

  • Cloud Guard Intelligence continuously analyzes account activity across cloud services (GCP, AWS and Azure), detecting anomalies that may indicate compromised identities.
  • Cloud Guard Posture Management provides an IAM Safety capability that enables an AWS IAM dynamic authorization solution, protecting against malicious cloud control plane attacks and unintentional privileged-user error.
  • Organizations should also implement multi-factor authentication wherever possible, avoid simple voice approvals as a second factor, and raise awareness among employees and IT help desks of social engineering attacks, since help-desk staff are a favored target for password and MFA resets.
  • Further, ensure that critical data is backed up both online and offline, secure the backups, keep systems patched and up to date, disable unused remote access, audit user accounts with administrative privileges and configure appropriate access controls, and implement network segmentation.

Actionable insights for Okta customers

Check Point Research strongly advocates for Okta customers to exercise extreme vigilance and to strengthen cyber security practices.

If you are using Okta to authenticate to Check Point products, Check Point Software recommends reviewing recent audit and sign-in activity for those products. More detailed information can be found on Check Point's blog.
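The log review recommended above, and the "detect compromised identities" advice in the mitigation list, can be made concrete with a small detector. The following is an added example, not code from the article, Check Point or Okta: it scans identity-provider sign-in events for two patterns Microsoft attributes to Lapsus$, MFA push fatigue (several denied or expired pushes followed by an approval) and a help-desk reset of a user's password or MFA factor followed by a sign-in from an address that user has never used. The records are constructed for the example, and the eventType strings are modeled on Okta System Log naming but are assumptions rather than a guaranteed schema.

```python
"""Added example (not from the CyberTalk article, Check Point or Okta).
Reviews identity-provider sign-in events for MFA push fatigue and for
privileged resets followed by a sign-in from an unknown address.
The events are constructed; eventType names are assumed, modeled on Okta
System Log naming, and should be mapped to your provider's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, etype, actor, target, outcome, ip):
    """Build one constructed event record (actor acts on target user)."""
    return {"time": time, "eventType": etype, "actor": actor,
            "target": target, "outcome": outcome, "ip": ip}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Baseline sign-ins from each user's usual corporate address.
    ev("2022-03-20T09:00:00Z", "user.session.start", "alice", "alice", "SUCCESS", "203.0.113.10"),
    ev("2022-03-20T09:05:00Z", "user.session.start", "bob", "bob", "SUCCESS", "203.0.113.20"),
    ev("2022-03-21T09:02:00Z", "user.session.start", "alice", "alice", "SUCCESS", "203.0.113.10"),
    # MFA fatigue: four pushes rejected or expired at 02:10-02:13, then one approved.
    ev("2022-03-22T02:10:00Z", "system.push.send_factor_verify_push", "alice", "alice", "FAILURE", "198.51.100.7"),
    ev("2022-03-22T02:11:00Z", "system.push.send_factor_verify_push", "alice", "alice", "FAILURE", "198.51.100.7"),
    ev("2022-03-22T02:12:00Z", "system.push.send_factor_verify_push", "alice", "alice", "FAILURE", "198.51.100.7"),
    ev("2022-03-22T02:13:00Z", "system.push.send_factor_verify_push", "alice", "alice", "FAILURE", "198.51.100.7"),
    ev("2022-03-22T02:14:00Z", "user.authentication.auth_via_mfa", "alice", "alice", "SUCCESS", "198.51.100.7"),
    ev("2022-03-22T02:14:05Z", "user.session.start", "alice", "alice", "SUCCESS", "198.51.100.7"),
    # Help-desk abuse: helpdesk01 resets bob's MFA, then "bob" signs in from a new address.
    ev("2022-03-22T03:00:00Z", "user.mfa.factor.reset_all", "helpdesk01", "bob", "SUCCESS", "192.0.2.50"),
    ev("2022-03-22T03:06:00Z", "user.session.start", "bob", "bob", "SUCCESS", "198.51.100.7"),
    # Benign: carol's routine sign-in from her known address, no resets, no fatigue.
    ev("2022-03-22T08:30:00Z", "user.session.start", "carol", "carol", "SUCCESS", "203.0.113.44"),
]

# Privileged actions a social-engineered help desk is typically tricked into performing.
PRIVILEGED_RESETS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate",
                     "user.account.reset_password"}


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, min_failed=3, window=timedelta(minutes=10)):
    """Flag users with at least `min_failed` denied/expired pushes inside
    `window` before a successful MFA approval (push-bombing pattern)."""
    findings = []
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["target"]].append(event)
    for user, evs in by_user.items():
        for i, event in enumerate(evs):
            if event["eventType"] != "user.authentication.auth_via_mfa" or event["outcome"] != "SUCCESS":
                continue
            approved_at = _ts(event)
            failed = [e for e in evs[:i]
                      if e["eventType"] == "system.push.send_factor_verify_push"
                      and e["outcome"] != "SUCCESS"
                      and approved_at - _ts(e) <= window]
            if len(failed) >= min_failed:
                findings.append({"user": user, "rule": "mfa_fatigue", "failed_pushes": len(failed),
                                 "time": event["time"], "ip": event["ip"]})
    return findings


def detect_reset_then_new_ip(events, window=timedelta(hours=1)):
    """Flag a privileged reset on a user followed within `window` by a
    successful session from an IP that user has never signed in from."""
    findings = []
    known_ips = defaultdict(set)   # user -> addresses seen in earlier successful sessions
    recent_resets = {}             # user -> (time of reset, actor who performed it)
    for event in sorted(events, key=_ts):
        now = _ts(event)
        if event["eventType"] in PRIVILEGED_RESETS and event["outcome"] == "SUCCESS":
            recent_resets[event["target"]] = (now, event["actor"])
            continue
        if event["eventType"] == "user.session.start" and event["outcome"] == "SUCCESS":
            user = event["target"]
            reset = recent_resets.get(user)
            if reset and now - reset[0] <= window and event["ip"] not in known_ips[user]:
                findings.append({"user": user, "rule": "reset_then_new_ip", "reset_by": reset[1],
                                 "ip": event["ip"], "time": event["time"]})
            known_ips[user].add(event["ip"])
    return findings


def review(events):
    """Run both rules and return the combined list of findings."""
    return detect_mfa_fatigue(events) + detect_reset_then_new_ip(events)


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```

Both rules deliberately correlate two weak signals rather than alerting on either alone: a single denied push or a single help-desk reset is routine, but a reset followed minutes later by a sign-in from a never-seen address, or a burst of denied pushes ending in an approval, is the shape of the Lapsus$ playbook and is worth a call to the user through a channel the attacker does not control. The thresholds and window sizes are starting points to tune against your own baseline.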
