Lapsus$

TWiC | Lapsus$ Ransomware, LastPass Hack & MS ZeroDay

The past couple of weeks have been busy ones for the world of cybersecurity. Multiple companies have disclosed serious hacks that have led to breaches of customer data and overall system availability. In this week’s security advisory, nGuard will detail some of these incidents and their impact on the cybersecurity landscape.

Cisco Data Breach Attributed to Lapsus$ Ransomware Group

The Lapsus$ crime gang is back at it again with an attack on the networking giant Cisco. About a month ago, Cisco disclosed that its systems had been breached. A social engineering attack gave the adversaries a path to taking over an employee’s personal Google account. Credentials saved in the browser were then obtained, and voice calls were used to trick the unsuspecting employee into accepting a multi-factor authentication push notification. Cisco believes the attacker’s end goal was to deploy ransomware on the network after gaining access to multiple systems. Cisco reports that the attempts to deploy ransomware were unsuccessful.

LastPass Says Hackers Had Internal Access For Four Days

LastPass reported a breach back in August and is now releasing more details about the compromise. The company now reports that an attacker had internal access to its systems for four days before being detected. LastPass worked with a cybersecurity firm to investigate the incident and found that no customer data or password vaults were accessed during this time. LastPass maintains that your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers and are never accessible by LastPass. The attacker was, however, able to access a developer endpoint and explore the development environments.

Microsoft Patches a New Zero-Day Affecting All Versions of Windows

Microsoft is patching another zero-day vulnerability affecting all supported versions of Windows. This zero-day is reported as being exploited in real-world attacks. CVE-2022-37969 is a privilege elevation flaw in the Windows Common Log File System Driver, which is used for data and event logging. Once a system is compromised, this vulnerability can be used to escalate user privileges to the highest level, SYSTEM. Four different security firms reported this vulnerability to Microsoft, which leads Microsoft to believe it could be widely used in real-world scenarios. Microsoft recommends patching immediately.

nGuard closely monitors trends in the world of cybersecurity and applies those trends to assessment activities and managed security services. Having penetration testing conducted periodically against network assets, web applications, and other critical infrastructure can prevent data breaches before they happen. Putting your employees through social engineering campaigns to test their security readiness can boost awareness. Having a security-first mindset is essential in protecting the valuable data of organizations.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: cisco, CVE-2022-37969, Incident Response, Lapsus, Lapsus$, lastpass, malware, mecc, MFA, Microsoft, Penetration Testing, phishing, vulnerability, windows

URGENT NSA Cybersecurity Advisory

Weak Security Controls

Last week, multiple government agencies released a joint Cybersecurity Advisory to raise awareness about insufficient security configurations, weak controls, and other areas where cybercriminals easily gain access to company networks. This advisory lists the best practices for protecting your systems and goes into each of them in detail:

  • Control access.
  • Harden credentials.
  • Establish centralized log management.
  • Use antivirus.
  • Employ detection tools.
  • Operate services exposed on internet-accessible hosts with secure configurations.
  • Keep software updated.

This advisory also details some of the most common ways that attackers are gaining access to internal networks and explains the mitigation efforts that can be taken to prevent such attacks:

  • Exploit Public-Facing Applications
  • External Remote Services
  • Phishing
  • Trusted Relationship
  • Valid Accounts

It is essential that all organizations read or review this advisory and become familiar with the list of common exploit paths that attackers take to easily gain access to systems within the internal network. “As long as these security holes exist, malicious cyber actors will continue to exploit them,” said NSA Cybersecurity Director Rob Joyce. “We encourage everyone to mitigate these weaknesses by implementing the recommended best practices.” This advisory can be reviewed in detail here.

nGuard provides a wide variety of both tactical and strategic security assessments that can assist your organization in becoming more secure across the board. Tactical security assessments like external penetration testing, internal penetration testing, and social engineering can point out easily exploitable flaws that could let an attacker gain some type of network access. Managed security services like vulnerability management and centralized log management provide ongoing protection by continuously scanning your network for known vulnerabilities. Strategic security assessments give you one-on-one time with a qualified consultant who can help you build layers of security from the ground up. If you are reading this advisory and have any questions, nGuard is ready to talk with you and see where assistance is needed.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: Attack, Center For Internet Security, CIS, Lapsus$, MFA, Multi-Factor Authentication, Prompt Bombing Attacks, social engineering

Multi-Factor Prompt Bombing Attacks

What Is It?
Multi-factor authentication (MFA) prompt bombing is a specific social engineering attack that bombards its victims with countless MFA push notifications. Generally, when people think of social engineering attacks, they think of suspicious emails or unexpected phone calls. However, MFA prompt bombing can be an even more effective strategy for gaining access to people’s data, because it specifically uses social engineering tactics that target the human factor. Below are a few different ways these MFA prompt bombing attacks are carried out:

  • Send a large number of MFA prompt requests in hopes the user accepts to stop the distraction or annoyance.
  • Send only a small number each day in hopes a user accepts at some point. This method is stealthier and is more likely to fly under the radar as a malicious attack.
  • Call the user advising them they need to send an MFA prompt and they need to accept it.

The victim may ignore the first few notifications or calls, but at some point, may click accept to stop the annoyance and get back to what they were focusing on – all while not realizing what they have just done.

More and more authentication portals are adding the ability or requirement to enable MFA notifications as a secondary form of authentication. The Center for Internet Security (CIS) Control 6 – Access Control Management requires MFA for external facing applications, remote network access, and administrative access. This attack is on the rise and will not be going away any time soon.

Recent Attacks Using This Technique
Back in March, nGuard released a Security Advisory about the Lapsus$ Crime Gang infiltrating Microsoft, Okta, and others. It turns out the group utilized this technique to gain access to these organizations. Lapsus$, in their Telegram channel said, “No limit is placed on the number of calls that can be made. Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The image below shows a conversation from their Telegram Channel discussing how they were going to attempt this attack:

The SolarWinds breach that occurred last year, which allowed APT29 (Cozy Bear), a group out of Russia, to create backdoors in 18,000 SolarWinds customers’ environments, used this very same technique.

nGuard’s Experience with MFA Prompt Bombing
nGuard has been using this attack in our social engineering methodology for quite some time. Using these tactics, nGuard has successfully gained access to clients’ VPN portals protected by MFA to obtain internal network access numerous times. nGuard has also used this attack to gain access via an organization’s single sign-on (SSO) page, giving us access to many sensitive internal applications. To protect your organization from this attack you can:

  • Conduct regular social engineering assessments to reinforce training.
  • Train employees to only accept MFA prompts when they are actively authenticating to a service.
  • Train employees to never give out MFA SMS codes to anyone.
  • Report the unsolicited MFA prompts as fraudulent.
  • Create alerts for anomalous events such as:
    • Time of access
    • Geolocation
    • Large number of MFA prompts events
  • Draft a policy that states whether and how personal information is to be requested of employees via telephone.
  • Conduct employee training to raise awareness of social engineering techniques.
  • Train employees to identify and report suspicious requests for personal information.
  • Segment employee workstations from higher security zones in the internal network to reduce exposure of critical internal systems to attack from compromised workstations.
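The alerting bullet above names three signals (time of access, geolocation, and a large number of MFA prompt events). The following script, an added example that is not nGuard’s code or any vendor’s product, shows how those signals can be turned into detection rules over MFA push audit records. The JSON log format, its field and event names, the thresholds, and the per-user country baseline are all assumptions made for the example; the log lines are constructed, not real data. It also adds a fourth rule the bullet implies but does not state: an accepted push that follows several denied or expired prompts, which is the signature of a user giving in to the barrage.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumed starting points, not vendor defaults; tune them to the
# identity provider's normal push volume before paging on them in production.
BURST_WINDOW = timedelta(minutes=10)     # sliding window for counting push prompts
BURST_THRESHOLD = 5                      # prompts to one user inside BURST_WINDOW
FATIGUE_THRESHOLD = 3                    # denied/expired prompts before an accept is suspicious
OFF_HOURS_START, OFF_HOURS_END = 22, 6   # hours treated as off-hours (timestamps assumed UTC)

# Constructed sample audit log. The field names (ts, user, event, ip, country)
# and event names are hypothetical, not any real vendor's schema.
SAMPLE_LOG = """\
{"ts": "2022-03-21T01:00:05Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:00:20Z", "user": "jdoe", "event": "mfa.push.denied", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:00:40Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:00:55Z", "user": "jdoe", "event": "mfa.push.denied", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:01:30Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:02:30Z", "user": "jdoe", "event": "mfa.push.expired", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:03:00Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:03:15Z", "user": "jdoe", "event": "mfa.push.denied", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:04:00Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:04:10Z", "user": "jdoe", "event": "mfa.push.denied", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:05:00Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T01:05:12Z", "user": "jdoe", "event": "mfa.push.accepted", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2022-03-21T14:10:00Z", "user": "asmith", "event": "mfa.push.sent", "ip": "198.51.100.4", "country": "US"}
{"ts": "2022-03-21T14:10:06Z", "user": "asmith", "event": "mfa.push.accepted", "ip": "198.51.100.4", "country": "US"}
"""

# Assumed per-user baseline of countries seen during normal sign-ins.
KNOWN_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US"}}


def parse_line(line):
    """Parse one JSON audit record and convert its timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_off_hours(ts):
    """True when the timestamp falls in the configured off-hours band."""
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def detect_prompt_bombing(lines, known_countries):
    """Return (rule, user, detail) alerts for push bursts, accept-after-fatigue,
    off-hours accepts and accepts from an unexpected country."""
    alerts = []
    sends = defaultdict(deque)    # user -> timestamps of pushes inside the window
    rejected = defaultdict(int)   # user -> denied/expired prompts since last accept
    last_burst_alert = {}         # user -> when a burst alert last fired

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event, ts = rec["user"], rec["event"], rec["ts"]

        if event == "mfa.push.sent":
            window = sends[user]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:   # drop prompts older than the window
                window.popleft()
            # Fire once per window so a long bombing run does not flood the SOC.
            last = last_burst_alert.get(user)
            if len(window) >= BURST_THRESHOLD and (last is None or ts - last > BURST_WINDOW):
                last_burst_alert[user] = ts
                alerts.append(("push_burst", user,
                               f"{len(window)} push prompts within {BURST_WINDOW}"))

        elif event in ("mfa.push.denied", "mfa.push.expired"):
            rejected[user] += 1

        elif event == "mfa.push.accepted":
            if rejected[user] >= FATIGUE_THRESHOLD:
                alerts.append(("accept_after_fatigue", user,
                               f"accepted after {rejected[user]} denied/expired prompts"))
            if is_off_hours(ts):
                alerts.append(("off_hours_accept", user, f"accepted at {ts.isoformat()}Z"))
            country = rec.get("country")
            if country not in known_countries.get(user, set()):
                alerts.append(("new_geo_accept", user,
                               f"accepted from {country} ({rec.get('ip')})"))
            rejected[user] = 0   # an accepted prompt closes the current episode

    return alerts


def run_sample():
    """Run the rules over the constructed log; used by the usage block below."""
    return detect_prompt_bombing(SAMPLE_LOG.splitlines(), KNOWN_COUNTRIES)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"[{rule}] {user}: {detail}")
```

On the sample, jdoe trips all four rules (the burst fires on the fifth prompt, then the accept at 01:05 follows five rejections, lands at 1 am, and comes from a country outside the baseline), while asmith’s daytime, in-country accept produces nothing. The accept-after-fatigue rule is the one worth routing to a human first: a burst alone may be a misconfigured client, but a user who finally accepts after repeatedly denying is exactly the event Lapsus$ describes, and the account should be treated as compromised until the user confirms the sign-in.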

If you want to test your users’ likelihood of falling victim to such social engineering attacks, contact your Account Executive or Security Consultant for more information.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: Attack, Center For Internet Security, CIS, Lapsus$, MFA, Multi-Factor Authentication, Prompt Bombing Attacks, social engineering

Lapsus$ Crime Gang: Hacking Microsoft, Okta, and More

Lapsus$ is a hacking group that first appeared in December of 2021 when they were extorting Brazil’s Ministry of Health. Recently they have been in the news for posting information and screenshots from internal breaches of companies like Microsoft, Nvidia, and Okta. Lapsus$ is unorthodox in their operations in that they do not operate on the dark web or on any social media platforms. Instead, Lapsus$ leverages email and a public Telegram channel which now has over 45,000 members. Lapsus$ does not attempt to hide any of their activity or cover their tracks. In fact, they have been known to join Zoom calls of organizations they have compromised and interrupt their incident response process.

With such high-profile targets, it was initially thought that Lapsus$ was state-sponsored, but it has been reported that their head is a multi-millionaire 16-year-old in Oxford, England. Researchers tracking the group have said, “The teen is so skilled at hacking — and so fast — that researchers thought the activity they were observing was automated.” Lapsus$ has been spotted recruiting on various online platforms since November 2021, with recruiting ads offering $20,000 a week to perform SIM swapping for AT&T, Verizon, and T-Mobile customers.

Although the group has done significant damage already, the good news is that London Police have arrested seven individuals, all 16 to 21 years old, in connection with the hacking group.

Microsoft Breach

Last week, Microsoft confirmed Lapsus$ was responsible for obtaining and leaking about 37 GB of source code for Bing, Cortana, and over 250 Microsoft projects via access it had through a single account. Lapsus$ initially obtained access via stolen credentials, which allowed privileged access and the exfiltration of data.

Microsoft has been tracking Lapsus$ for some time now, calling it DEV-0537. Microsoft’s Threat Intelligence Center stated, “… the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

Okta Breach

Okta, a single sign-on identity management service that works in cloud and on-premises environments, announced that Lapsus$ was able to gain access to one of their employee’s laptops for five days in January. The access was originally obtained through the subprocessor Sykes Enterprises, which is owned by Sitel Group. Lapsus$ used compromised credentials to access Sykes Enterprises; it was discovered that the credentials were used on VPN gateways. Once Lapsus$ had access, they discovered a file on Sitel’s network called DomAdmins-LastPass-xlsx. This would indicate that a file of Domain Administrator passwords was exported from the password manager LastPass and saved locally. Lapsus$ was able to pivot to Okta’s network and posted screenshots of their access.

Some screenshots from the incident response investigation were posted showing the timeline of events and activity. Activity such as searching Bing for privilege escalation tools on GitHub, disabling endpoint protection agents, and searching for and downloading Mimikatz (a tool to extract and save authentication credentials and Kerberos tickets from a host) was performed during the attack.

Okta has faced a wave of criticism over their slow response to the breach after receiving the incident response report. Okta chief security officer David Bradbury said the company “should have moved more swiftly to understand its implications.” As of now, Okta has stated the breach impacted 366 of their customers during the five-day period of the attack.

Other Attacks

Lapsus$ has been highly active in recent months. To read more about other attacks they have carried out on high-profile organizations, click the links below.

  • Nvidia
  • Samsung
  • Vodafone
  • Ubisoft
  • Mercado Libre

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: Hacking, Lapsus, Lapsus$, Microsoft, nVidia, Okta, Penetration Testing, Samsung, Vodafone

3540 Toringdon Way
Suite 200
Charlotte, NC 28277-4650

info@nGuard.com

© 2023 nGuard. All rights reserved.