The group is targeting the biggest weak spot in most security postures: finding anomalous behavior by authorized entities.

Mark Nunnikhoven, Distinguished Cloud Strategist, Lacework

April 5, 2022


The Lapsus$ cybercriminal collective has been making headlines in recent weeks. After several high-profile attacks, the security community is turning its gaze toward this new threat actor and its techniques.

The Okta incident also reveals some details of the group's techniques. Microsoft has now published an in-depth blog post detailing the activities it has observed associated with DEV-0537, its reference name for Lapsus$. Cybersecurity blog Krebs on Security has a deeper dive into some of the group's activities, confirming several of Microsoft's findings.

High-Profile Attack
Lapsus$ has taken credit for or been associated with a number of high-profile attacks since December 2021. This quick rise to prominence is interesting in that each of these attacks involved a specific extortion demand.

Ransomware gangs have a clear focus on profits. They breach your system, lock you out of your data, and demand payment to restore that access. Recently, we've seen ransomware gangs double down on profits by also threatening to release sensitive data after organizations have paid the initial ransom.

Other cybercriminals seek to capture your resources to resell in the underground. This can be very profitable as they are selling resources that you're paying for.

The motivation behind Lapsus$'s attacks is murkier. It seems to switch between extortion and chaos. This makes it harder to predict and contain the group's efforts.

Targeting Support
One thing that is clear is Lapsus$'s preferred access technique. It is very good at exploiting the fact that your users need to work.

With some attacks, the group has targeted third-party support resources in order to attack their targets. Outsourcing support is common for technology companies. This relationship creates a vulnerability that this cybercriminal group is exploiting.

Using social engineering techniques, it has been able to reset user passwords and co-opt multifactor authentication (MFA) tools to gain access to legitimate credentials in its victims' systems.

When that fails, the group isn't above bribing employees for that access. In fact, it's actively advertising this approach. The group knows that support employees, especially third-party ones, are vulnerable to bribes and the return on investment makes this approach worth it for Lapsus$.

Targeting Users
In its post, Microsoft provides some details showing how the group also targets users' personal devices in order to gain information on their work systems.

Personal devices aren't typically monitored, meaning there's a greater chance that an attacker can gain a foothold. Making matters worse, most people use their personal device for MFA. This provides an opportunity for the attacker, one that Lapsus$ appears to be taking advantage of.

The group is also deploying more "standard" techniques like the Redline Stealer password tool, purchasing credentials from other compromises, and using Mimikatz to harvest passwords from networks it has access to.

Once the group has access to legitimate credentials, it accesses an organization's network and looks to expand that foothold as quickly as possible.

Gaining Cloud Access
Microsoft has observed the group leveraging cloud access in AWS and Azure. Unlike when the group exploits user access, the cloud presents a new opportunity.

If it is able to gain access to an organization's cloud accounts, it moves to create a global administrator and restrict all other access, effectively locking teams out of this cloud infrastructure.

What Can We Learn From Lapsus$?
Taking a step back, these attack avenues share a common approach. They all attempt to leverage valid credentials and abuse whatever permissions have been granted to that identity.

Screenshots from the Okta breach show the typical work tools provided to support engineers. In the wrong hands, they could negatively affect your reputation or expose your customers … as we have seen.

These attacks are a stark reminder that authentication (who are you?) and authorization (what can you do?) are critical to your security posture.

For authentication, a strong passphrase strategy is a must. The latest NIST guidelines are a great starting point. If you haven't already applied them within your organization, that work should start immediately.

Simply put: long passphrases, rotate them when there's an issue or once a year, use a password manager, and use MFA wherever possible.

When it comes to authorization, the principle of least privilege rules the day. Permission grants have a nasty habit of expanding over time. Permissions should be regularly reviewed and overprovisioned access removed.

Was That Bad?
Despite your best efforts around authentication and authorization, a breach can still happen. There's too much money at stake for cybercriminals to stop trying.

This leads to the question, "How do you determine if an authorized entity's actions are malicious?"

Let's say a system in your cloud account typically accesses a database every minute. It's a pretty consistent pattern that reflects the overall system use. The system is authorized to access that database, so there's probably nothing to worry about.

But what if that access becomes more frequent? At what point does that change from typical to anomalous behavior? That's hard to answer.

While no system is perfect, anomaly detection-based security controls can help spot abnormal and potentially malicious behavior. These systems examine behaviors and build a baseline of "typical" for that context. Any activity outside of that baseline is flagged. That event is then enriched and a determination made.

Circling back to the system accessing the database, if that access becomes constant for a few minutes and then returns to its regular "every minute" cadence, that could raise a flag for abnormal behavior. Combined with other indicators, that could allow your security team to spot an abuse of credentials that was flying under the radar.
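The database-access scenario above, worked through as an added example (this is not code from the article or from any vendor product): a baseline of accesses per minute is learned from a normal hour, then applied to a later half hour that contains a short burst. The one-minute window, the median/MAD baseline, the multiplier k and all sample timestamps are assumptions constructed for illustration.

```python
from statistics import median

WINDOW = 60  # seconds per bucket; the workload touches the database once a minute

def bucket(timestamps, n_windows):
    """Count events per one-minute window; timestamps are seconds from the start."""
    counts = [0] * n_windows
    for ts in timestamps:
        idx = int(ts // WINDOW)
        if 0 <= idx < n_windows:
            counts[idx] += 1
    return counts

def threshold(baseline_counts, k=5.0, floor=1.0):
    """Median + k * MAD. The floor keeps a perfectly regular baseline (MAD == 0)
    from flagging every harmless retry."""
    med = median(baseline_counts)
    mad = median(abs(c - med) for c in baseline_counts)
    return med + k * max(mad, floor)

def flag(baseline_counts, observed_counts, k=5.0):
    """Return (window_index, count) for windows above the learned threshold."""
    limit = threshold(baseline_counts, k)
    return [(i, c) for i, c in enumerate(observed_counts) if c > limit]

# Constructed sample data (not real logs).
# Baseline hour: one access per minute, plus two ordinary retries.
BASELINE = [m * 60 + 5 for m in range(60)] + [20 * 60 + 30, 41 * 60 + 30]
# Observed half hour: same cadence, one retry at minute 3, and an access
# every 2 seconds during minutes 12-14 before the pattern returns to normal.
BURST = {12, 13, 14}
OBSERVED = [3 * 60 + 30]
for m in range(30):
    if m in BURST:
        OBSERVED += [m * 60 + 2 * i for i in range(30)]
    else:
        OBSERVED.append(m * 60 + 5)

def run_example():
    """Learn the baseline from the normal hour, then score the observed windows."""
    return flag(bucket(BASELINE, 60), bucket(OBSERVED, 30))

if __name__ == "__main__":
    limit = threshold(bucket(BASELINE, 60))
    for window, count in run_example():
        print(f"minute {window}: {count} accesses (baseline limit {limit})")
```

The single retry at minute 3 stays under the limit, while the three burst minutes are flagged for enrichment alongside other indicators.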

What's Next?
No security posture is perfect. The Lapsus$ collective is targeting the biggest weak spot in most security postures: finding anomalous behavior by authorized entities.

This approach requires security teams to strengthen their authentication and authorization practices to prevent compromise of valid credentials. At the same time, teams should be continuously monitoring their environment for out-of-the-ordinary behavior.

But security is more than just technical controls. Teams should also review the processes and procedures used by their support teams (internal and third party). Recent attacks have reminded the security community of the importance of these procedures.

About the Author(s)

Mark Nunnikhoven is a Distinguished Cloud Strategist at Lacework. Nunnikhoven works with teams to modernize their security practices and to get the most out of the cloud. With a strong focus on automation, he helps bridge the gap between DevOps and traditional security through coaching, writing, speaking, and engaging with the cloud and security communities.
