Protecting the Cloud From LAPSUS$-like Threats

Protecting the Cloud from lapsus$ like
With high-profile attacks on Microsoft, Okta, and other major tech companies, cybercrime group LAPSUS$ made headlines a few months ago. UK police have since arrested seven suspected members, aged between 16 and 21, but does that mean the threat has been averted? Certainly not: similar attacks can and will follow. Therefore, it is worth taking a look at the techniques and tactics used to learn the appropriate lessons and prepare for similar future attacks of this nature.

Unlike most ransomware groups that use malicious payloads to mass encrypt and exfiltrate data, the LAPSUS$ group uses simple but effective social engineering techniques to infiltrate environments and steal sensitive data. According to Microsoft, the tactics used specifically include “phone-based social engineering;

SIM swapping to facilitate account takeover; accessing personal email accounts of target company employees; paying target company employees, vendors, or business partners to access credentials and authorize multifactor authentication (MFA); and penetrating their targets’ ongoing crisis communications conversations.” In addition to these social engineering methods, LAPSUS$ employs tools to search public code repositories that identify exposed credentials or open RDP ports, as well as “redline” software that steals passwords directly from the user.

Once the cybercriminals have obtained the credentials and bypassed the MFA, they penetrate the corporate network and public SaaS applications and begin searching for sensitive data. As part of their attack path, they search private GitHub repositories and collaboration platforms such as Google Drive and Microsoft 365 for more credentials (preferably from privileged users and administrators) to extend their privileges and expand their reach.

Instead of encrypting the data before exfiltration, they download the data directly through a VPN or virtual machine. They then attempt to destroy the originals of the data, leaving companies with no choice but to pay to recover the data or risk the hackers selling or publishing it online.

Sequence of The Attack

Security researcher Bill Demirkapi obtained a copy of the Mandiant investigation report with a detailed timeline of techniques used in a recent LAPSUS$ intrusion. In it, LAPSUS$ showed some lack of OPSEC sophistication after the intrusion: The attackers searched Bing and Google from the victim’s machine for commercially available hacking tools and downloaded them directly from GitHub. According to Mandiant’s report, they used Process Hacker, Process Explorer, and Mimikatz to gain visibility, gain a foothold, disable FireEye’s endpoint agent and escalate their privileges.

Thus, they compromised a user’s Microsoft 365 account and started looking for sensitive files. They found an Excel file named DomAdmins-LastPass.xlsx in a shared location. The file likely contained admin credentials in plain text that allowed the attacker to create additional accounts, add the accounts to a group called “tenant administrators,” and set up auto-forwarding rules to BCC emails sent to sykes.com mailboxes outside the organization.

Detect and Defend Against SSO, IAM and SaaS attacks.

LAPSUS$-like threats are difficult or impossible to detect with traditional perimeter and endpoint security alone. Attackers spend very little time on the endpoint before moving to cloud applications with stolen credentials or cookies. There are no specific hashes, registry keys, and other static IOCs that trigger alerts. Accordingly, LAPSUS$-style attacks should be treated as insider attacks. As a general rule, one should always assume that the perimeter has been breached. Therefore, it is important to limit the access rights of employees and to watch out for unusual behavior.

Reduce Access Rights to The Necessary Level and Thus Also Reduce Risks.

Protecting the Cloud From LAPSUS$-like Threats

The goal of most cyberattacks is to steal valuable data and, in the case of ransomware attacks, encrypt it. Knowing who can access what data and eliminating excessive exposure is key to reducing the blast radius. In the event that a single account is compromised, it is important to ensure that the attackers need elevated access privileges to do greater damage.

Right-sizing access starts with visibility into permissions. Of critical importance here is an inventory of super admins across cloud applications. Depending on the application, it can be difficult to determine who has privileged access. In Salesforce, for example, one can create a custom user profile that mimics an administrator account but has an innocuous name like “sales user.” Therefore, policies should be set up to alert when a user is added to a permission group or given super administrator rights. In most organizations, this action should be extremely rare, so the alerts are highly reliable.

READ:  How Does RADIUS Work?

Another way to dramatically reduce risk is to proactively identify where sensitive data is accessible publicly, to guest users (such as partners or contractors), or to all users in an organization. Reducing access to sensitive data makes it harder for groups like LAPSUS$ to find data that is worthwhile to them. This is true for both in-house employees and outsiders, who are often targeted by cybercriminals and paid to “give up” their access.

Only when security managers are able to quickly identify a user’s credentials across multiple SaaS applications and data stores can the extent of a compromise be classified within a short period of time, making investigation, response and disclosure faster and more conclusive. On multiple occasions, LAPSUS$ gained access to the virtual desktop of an employee who was already logged into multiple SaaS applications such as GitHub and Jira. Since an individual may have multiple user accounts in a multi-cloud environment, it is important to automatically link these identities so that potential access can be assessed and that person’s log events can be easily aggregated.

Monitor User Behavior Across Different Applications and Systems.

Once the perimeter is breached, analyzing user behavior and data activity is an effective way to detect and stop an attacker masquerading as a regular user. Even if a group like LAPSUS$ does extensive research and exploration on the compromised user, it cannot perfectly mimic their behavior, especially when moving through the enterprise environment and accessing and downloading large amounts of data.

READ:  Foreign State Power in Domestic Cyberspace

It is fundamental to capture the “normal behavior” of all users and all critical applications and data. This profile includes, for example, which files/folders are typically used by the respective employee in M365, Box, Google, etc., which websites and apps are used in which way, and with which devices, IPs, and geodata they typically gain access. Once comprehensive profiles are available for the normal state, sophisticated ML algorithms can detect even minor variations that could indicate compromised or malicious insiders.

LAPSUS$ is a prime example of this: even though the attackers have a person’s credentials, phone number, recovery email, and IP address, they are still not that person. As they move through the environment, they search, open, and download data according to patterns that do not match those of the person in question.

Sophisticated solutions can detect when a user is accessing or downloading an unusual amount of sensitive data, accessing data they don’t normally use, sharing sensitive data publicly, or reusing an account after a long period of inactivity. The more comprehensive the context is across multiple cloud applications, the more accurately anomalies can be detected.

This is why holistic monitoring of cloud services is necessary: Cybercriminals move laterally from one cloud service to the next to maximize the impact of their attack. In doing so, as was also seen with LAPSUS$, they often use credentials found in one cloud application to gain access to another. That’s why it’s important to monitor all cloud data stores and track how employees move between them so this type of lateral movement can be detected and stopped.

LAPSUS$ clearly demonstrated to us that it is very easy for even inexperienced attackers to do significant damage in a short period of time. That’s why security managers need to pay even closer attention to greater cloud visibility and behavior-based detection. Only by wisely combining these two elements will they be able to detect and prevent LAPSUS$-style attackers and data exfiltration.