The LAPSUS$ extortion group has gone quiet following a notorious and rapid rise through the threat landscape, targeting companies including Microsoft, NVIDIA, and Okta, and earning notoriety for its freewheeling, decentralized approach to cybercrime.
However, researchers said the group is likely not gone — and, in any case, its "brazen" tactics may leave a legacy.
A new report from exposure management specialist Tenable digs into the group's background and the tactics, techniques, and procedures (TTPs) it has used, maturing from distributed denial-of-service (DDoS) attacks and website vandalism to more sophisticated methods. These include the use of social engineering techniques to reset user passwords and co-opt multifactor authentication (MFA) tools.
"Characterized by erratic behavior and outlandish demands that cannot be met — at one point, the group even accused a target of hacking back — the LAPSUS$ group’s tenure at the forefront of the cybersecurity news cycle was chaotic," the report notes.
Chaos, Lack of Logic Part of the Plan
"You could absolutely call LAPSUS$ 'a little punk rock,' but I try to avoid making bad actors sound that cool," notes Claire Tills, senior research engineer at Tenable. "Their chaotic and illogical approaches to attacks made it much harder to predict or prepare for the incidents, often catching defenders on the back foot."
She explains that perhaps due to the group’s decentralized structure and crowdsourced decisions, its target profile is all over the place, which means organizations can’t operate from the "we're not an interesting target" point of view with actors like LAPSUS$.
Tills adds that it’s always hard to say whether a threat group has disappeared, rebranded, or just gone temporarily dormant.
"Regardless of whether the group identifying themselves as LAPSUS$ ever claims another victim, organizations can learn valuable lessons about this type of actor," she says. "Several other extortion-only groups have gained prominence in recent months, likely inspired by LAPSUS$’s brief and boisterous career."
As noted in the report, extortion groups are likely to target cloud environments, which often contain sensitive, valuable information that extortion groups seek.
"They are also often misconfigured in ways that offer attackers access to such information with lower permissions," Tills adds. "Organizations must ensure their cloud environments are configured with least-privilege principles and institute robust monitoring for suspect behavior."
As with many threat actors, she says, social engineering remains a reliable tactic for extortion groups, and the first step many organizations will need to take is assuming they could be a target.
"After that, robust practices like multifactor and passwordless authentication are critical," she explains. "Organizations must also continuously assess for and remediate known-exploited vulnerabilities, particularly on virtual private network products, Remote Desktop Protocol, and Active Directory."
She adds that while initial access was typically achieved through social engineering, legacy vulnerabilities are invaluable to threat actors when seeking to elevate their privileges and move laterally through systems to gain access to the most sensitive information they can find.
LAPSUS$ Members Likely Still Active
Just because LAPSUS$ has been quiet for months does not mean the group is suddenly defunct. Cybercrime groups often go dark to stay out of the spotlight, recruit new members, and refine their TTPs.
"We would not be surprised to see LAPSUS$ resurface in the future, possibly under a different name in an effort to distance themselves from the infamy of the LAPSUS$ name," says Brad Crompton, director of intelligence for Intel 471’s Shared Services.
He explains that even though LAPSUS$ group members have been arrested, he believes the group’s communication channels will stay operational and that many businesses will be targeted by threat actors once affiliated with the group.
"Additionally, we may also see these previous LAPSUS$ group members develop new TTPs or potentially create spinoffs of the group with trusted group members," he says. "However, these are unlikely to be public groups and will probably enact a higher degree of operational security, unlike their predecessors."
Money as the Main Motivator
Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity provider, explains that cybercriminals are motivated by money while nation-states are motivated by national goals. So, while LAPSUS$ isn't playing by the rules, its actions are somewhat predictable.
"The most dangerous aspect, in my opinion, is that most organizations have spent the last five or more years developing symmetric defensive strategies based on threat actors with reasonably well-defined definitions and goals," he says. "When a chaotic threat actor is introduced into the mix, the game tilts and becomes asymmetric, and my main concern about LAPSUS$ and other similar actors is that defenders haven't really been preparing for this type of threat for quite some time."
He points out LAPSUS$ relies heavily on social engineering to gain an initial foothold, so assessing your organization's readiness to social engineering threats, both on the human training and technical control levels, is a prudent precaution to take here.
Ellis says while the stated goals of LAPSUS$ and Anonymous/Antisec/Lulzsec are very different, he believes they will behave similarly in the future as threat actors.
He says the evolution of Anonymous in the early 2010s saw various subgroups and actors rise to prominence, then fade away, only to be replaced by others that replicated and doubled down on successful techniques.
"Perhaps LAPSUS$ has vanished completely and forever," he says, "but, as a defender, I wouldn't rely on this as my primary defensive strategy against this type of chaotic threat."