LAPSUS$? Totes Sus.


LAPSUS$, the group behind the Okta breach disclosed yesterday, has been busy at work. The group also hit Microsoft very recently, and a number of other high profile companies in recent months.

In disclosing the breach, Microsoft has also shared some of the TTPs (Tactics, Techniques, and Procedures) employed by the group in the effort to compromise their targets. Knowing these TTPs is extremely useful, as they give us some insight into how to help guard our companies from the attackers, far more useful than just being told to ‘be vigilant’.

Microsoft has indicated that LAPSUS$ seems to be carrying out their attack campaigns by compromising a single user account, which they then use to gain initial access to a targeted organization. To compromise an account, they have been seen doing the following:

  • Deploying the malicious Redline password stealer
  • Purchasing credentials and session tokens from criminal underground forums
  • Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
  • Searching public code repositories for exposed credentials
  • Good old fashioned social engineering attacks
  • SIM Swap attacks to access SMS and get past MFA

It appears that the main method in use has been the Redline password stealer, which has been seeing quite a bit of use lately. Redline is usually delivered via phishing email, watering holes, or malicious links on social sites or platforms, such as YouTube and Discord.

LAPSUS$ has then been using these compromised accounts to get the access needed to steal information, source code, etc., which they have been using to announce their exploits on Twitter.

Microsoft has also shared some solid logical input on what people can do to help protect themselves against groups like LAPSUS$:

  • Strengthen MFA implementation
  • Require healthy and trusted endpoints
  • Leverage modern authentication options for VPNs
  • Strengthen and monitor your cloud security posture
  • Improve awareness of social engineering attacks

We can extrapolate on this advice, and go a little further:

  • Any MFA is better than no MFA, but not all MFA is created equally.
    • SMS, Email, Phone Call, and Push Notifications (via Apps) can all be intercepted or, in the case of Push Notifications, can be accidentally approved, so they are less secure.
    • Challenge-Response is a superior method (e.g. an Authenticator Application creating a 6-digit code that the user provides when challenged)
  • Make sure you’re keeping your systems up-to-date.
  • MFA, MFA, MFA. If any service or login page can be accessed from the internet, secure it with MFA.
  • Make sure your people are trained on recognizing phishing emails, and that they know how to make a no-blame report when a suspicious link is clicked.
    • Alerting and response time is critical when phishing is successful, and it often is.
  • Perform your own searches through public code repositories (GitHub, PasteBin, etc.) to look for potentially sensitive information such as usernames and passwords.
  • Ensure that authentication token expiration is set at an appropriate level.
    • If tokens do not expire, they may be stolen and used later.
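
The repository-search advice above can be automated. The following is an added example, not code from the original post: a small pattern-based scanner with a placeholder filter, run over a constructed sample (the patterns and placeholder rules are illustrative assumptions, and AKIAIOSFODNN7EXAMPLE is the public AWS documentation key, not a live one).

```python
import re
from pathlib import Path

# Detection patterns, constructed for this example; extend for your own environment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
    "generic_secret": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"),
}
# Values that are clearly placeholders rather than leaked credentials.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>|changeme|example|xxx+|your[_-].*)$", re.I)
def scan_text(text):
    """Return (line_no, kind, value) for every hit, skipping obvious placeholders."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)  # last group holds the secret value
            if PLACEHOLDER.match(value):
                continue
            findings.append((line_no, kind, value))
    return findings
def scan_path(root):
    """Scan every regular file under root; files that are not UTF-8 text are skipped."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = scan_text(path.read_text(encoding="utf-8"))
        except (UnicodeDecodeError, OSError):
            continue
        if hits:
            results[str(path)] = hits
    return results
# Constructed sample; AKIAIOSFODNN7EXAMPLE is the public AWS documentation key, not a live one.
SAMPLE = """\
# constructed sample, not real credentials
DB_PASSWORD = "Sup3rS3cret!"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
API_TOKEN = "${PROD_API_TOKEN}"
password = "changeme"
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

Running the module prints the two real-looking hits in the sample (lines 2 and 3) and skips the two placeholders; `scan_path(".")` walks a checked-out repository the same way.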
