Low-tech tactics and two types of EDR

LAPSUS$ first emerged in December 2021 and made recent news for hacks on other large companies, including Samsung, Impresa, NVIDIA, Vodafone, and Ubisoft. A recent revelation now adds Apple Inc. and Meta Platforms Inc., the parent company of Facebook, to the list of LAPSUS$ victims, as those companies were also tricked into providing customer data to the hackers.

In a detailed blog post, security researcher Brian Krebs outlines how LAPSUS$ is using what he refers to as "low-tech but high-impact methods" to gain access to targeted organizations. The method involves abuse of emergency data requests (EDRs). The criminals compromise and obtain credentials that belong to law enforcement officials. With those credentials, they send unauthorized requests for subscriber data to phone companies, internet service providers, and social media sites under the guise that the requested information is urgent and related to a matter of life and death that cannot wait for a court order, thereby bypassing the usual legal review process and prompting immediate release of the sensitive data.

"It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate," Krebs writes. "Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately."

Influencers in the industry are also pointing to questions surrounding the other type of EDR: endpoint detection and response. Analysis of the Okta breach reveals that LAPSUS$ infiltrated Okta's network through the compromised laptop of a support engineer working with Sitel, a third-party customer support firm.
The access was accomplished through remote desktop protocol (RDP), an increasingly common way for criminals to access systems. According to a tweet from researcher Bill Demirkapi (@BillDemirkapi), LAPSUS$ "used off-the-shelf tooling from GitHub for the majority of their attacks. After downloading Process Explorer and Process Hacker, LAPSUS$ bypassed the FireEye endpoint agent by simply terminating it."

Infosec researcher Greg Linares, who goes by the Twitter handle @Laughing_Mantis, weighed in with this advice: "#BlueTeams I am gonna need you to stop what you are doing today and do this one homework assignment for me in light of LAPSUS$. What happens when your EDR on a client gets terminated unexpectedly:
- Does it restart?
- Do you get alerts?
- Do you lock down the system & start IR?" he tweeted. "If someone can terminate your EDR client in its current config and you do not get an alert, it doesn't attempt to restart automatically, and this doesn't trigger a lock down or IR response. IT IS MISCONFIGURED."

Security researcher Joe Helle (@joehelle) also tweeted that the Okta breach is a spotlight on EDR technologies: "LAPSUS$ installed Process Explorer and Process Hacker and terminated FireEye. I hope the decision makers are paying attention to this, and that the shiny EDR you just paid for isn't all you need to secure your environments."

Teens in trouble

In late March, the City of London Police arrested and released seven alleged LAPSUS$ members between ages 16 and 21. However, the arrests appear not to have slowed the group's activity, and despite their age, they should not be underestimated, according to security experts.

"LAPSUS$ is no joke," tweeted TrustedSec founder Dave Kennedy, who goes by the handle @HackingDave. "Okta, Microsoft, LG and others. Seeing a number of orgs hit and ones that are pretty far along sec maturity wise. They are taking advantage of gaps in detection, EDRs + more. Cloud visibility and understanding baseline behavior is critical.
Red alert."

"It's tempting to dismiss LAPSUS$ as childish and fame-seeking. That may be true. But everyone in charge of security should know that this level of social engineering to steal access is the new norm," noted security author Brian Krebs (@briankrebs).

Security researcher Jake Williams (@MalwareJake) agrees. "I've seen some otherwise smart cybersecurity people throwing shade at Lapsus$ like 'they're just a bunch of disorganized kids.' Um, okay, but whoever they are, they're pretty darn effective. Like it doesn't really matter who they are if they're beating your security controls."

Linares says he expects their recent success will likely prompt further growth. "It would be really interesting to see the latest LAPSUS$ leaks & IOCs. I am strongly guessing other members of the group are stepping up and forming this newer rag tag LAPSUS$ group. Releasing data post bust to show a group is still active is classic recruitment strategy."
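The homework assignment Linares sets out above (does the agent restart, do you get an alert, does it trigger lockdown) can be turned into a concrete detection check. The following is an added example, not code from the article or from any EDR vendor: it walks Windows System-log service events for an agent service and reports every stop, whether the service came back within a grace window, and whether its start type was flipped to disabled. The service name `ExampleEdrAgent`, the one-line record format and the sample records are all constructed for this example; the event IDs 7034 (service terminated unexpectedly), 7036 (service entered a new state) and 7040 (service start type changed) are the real Service Control Manager IDs, but the detail text here is simplified.

```python
"""Added example: flag unexpected EDR agent termination from service events.

Not part of the article. Service name, record format and sample records are
constructed; only the Windows SCM event IDs (7034/7036/7040) are real.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical agent service name; substitute the vendor's real service name.
EDR_SERVICES = {"ExampleEdrAgent"}

# If the agent is not running again within this window, treat it as down.
RESTART_GRACE = timedelta(seconds=60)

# Constructed records: "<UTC timestamp> <event id> <service> <detail text>"
SAMPLE_LINES = [
    "2022-03-22T10:14:50Z 7036 ExampleEdrAgent entered the running state",
    "2022-03-22T10:15:02Z 7034 ExampleEdrAgent terminated unexpectedly",
    "2022-03-22T10:15:30Z 7036 ExampleEdrAgent entered the running state",
    "2022-03-22T11:02:11Z 7036 ExampleEdrAgent entered the stopped state",
    "2022-03-22T11:05:00Z 7036 Spooler entered the stopped state",
    "2022-03-22T11:40:00Z 7040 ExampleEdrAgent start type changed from auto start to disabled",
]


@dataclass
class Event:
    ts: datetime
    event_id: int
    service: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one constructed record into an Event."""
    ts, eid, svc, detail = line.split(" ", 3)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), svc, detail)


def analyze(lines):
    """Return a finding for every EDR stop or disable, ordered by time.

    A stop that is followed by a 'running' transition inside RESTART_GRACE is
    'medium' (the agent self-healed, but someone still killed it); a stop with
    no restart is 'critical'; a start type changed to disabled is 'high'.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        if ev.service not in EDR_SERVICES:
            continue  # only the agent service is in scope

        if ev.event_id == 7040 and "disabled" in ev.detail:
            findings.append({
                "at": ev.ts.isoformat(), "service": ev.service,
                "reason": "start type changed to disabled",
                "severity": "high", "restarted": False,
                "action": "alert; restore start type; begin IR",
            })
            continue

        stopped = ev.event_id == 7034 or (ev.event_id == 7036 and "stopped" in ev.detail)
        if not stopped:
            continue

        # Look ahead for a running-state transition inside the grace window.
        deadline = ev.ts + RESTART_GRACE
        restarted = any(
            e.service == ev.service and e.event_id == 7036 and "running" in e.detail
            and ev.ts < e.ts <= deadline
            for e in events[i + 1:]
        )
        findings.append({
            "at": ev.ts.isoformat(), "service": ev.service,
            "reason": "terminated unexpectedly" if ev.event_id == 7034 else "entered stopped state",
            "severity": "medium" if restarted else "critical",
            "restarted": restarted,
            "action": "alert; investigate who stopped it" if restarted
                      else "alert; isolate host; begin IR",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f['at']} {f['severity']:8} {f['service']}: {f['reason']} "
              f"(restarted={f['restarted']}) -> {f['action']}")
```

Run against the constructed records it reports three findings: the 10:15:02 crash that self-healed 28 seconds later (medium), the 11:02:11 stop that never came back (critical) and the 11:40:00 change to disabled (high); the Spooler stop is ignored. Wiring a real feed in means exporting the System log (or the vendor's own agent-health telemetry) into this line format and alerting on anything at medium or above, which answers all three of Linares' questions rather than assuming the agent's presence.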