What Can We Learn From the Lapsus$ Attacks?

Adversaries are persistent and clever, as demonstrated by recently documented breaches including T-Mobile and the SITEL Group, a provider of customer experience products and solutions. Lapsus$ purchased credentials and used social engineering to recruit insiders and break into high-profile organizations. They moved laterally to access internal systems, source code, and customer data, among other highly-sensitive information. The group exploited insiders in the workforce, software supply chain, and insecure deployments and controls for credentials and access with the goal to steal information and profit by extortion.

Lapsus$ has been making news over the last few months for hacking high-profile organizations to steal sensitive information and extort the organizations. Lapsus$ threatens to leak the stolen data if blackmail payments are not made. This group publicly boasts their efforts and actively recruits insiders to support their illegal activity.

The attacks attributed to Lapsus$ have shone a light on the importance of monitoring user credential activity and creation. The group gains access to victims’ credentials through collusion, social engineering, bribery or phishing attacks, then moves within a network looking for the most sensitive information it can find before deploying data-encrypting malware.

Anatomy of the SITEL attack

While details of the most public hack have not been officially released by SITEL, various information sites have provided a summary of the attack timeline from documents obtained from an independent researcher, including a report of a Mandiant assessment that has reportedly been leaked online.

From TechCrunch we learned that the SITEL attacker used remote access services and public hacking tools to compromise secondary credentials and escalate privileges while on the  SITEL network. Reviewing the report we can build the following timeline:

1. RDP logon
2. Search for privilege escalation tools on GitHub, along with download from GitHub
3. New account created
4. RDP request/movement
5. Search for Process Explorer and Process Hacker, both executed
6. FireEye Endpoint Agent service terminated (EDR taken down)
7. Search for Mimikatz — Mimikatz downloaded from GitHub and executed 
8. RDP disconnected
9. Office 365 login
10. Accessed document “DomAdmins-LastPass.xlsx” (yes, actual filename)
11. New account created
12. New account added to TenantAdmins group
13. Email transport rule to forward to BCC all mail (imagine this?)

Breaking Down the Timeline

On April 7th, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued an advisory warning of possible threats by Lapsus$. They highlighted that “Due to the diversity of their techniques, there is no single set of effective defenses or mitigations.” While the advisory recommends a number of defensive technologies and architecture like multi-factor authentication and zero trust, there are additional steps that security teams can take to help detect adversaries. Using the timeline in the section above as a starting point, we’ll dig into the investigative questions security teams should ask and get answered.

Recap: different IOCs were found to gain access – each evading traditional detection methods

Investigating the timeline — what to ask

It is important to be prepared and proactive against threats to your organization. Below are some steps you can take to support your defense:

1. Assess your security posture — how would your analyst know how and when to ask the questions above — and how long would that take? The 2022 Global Threat Report from CrowdStrike states that attackers average 1 hour 32 minutes to jump from the first compromised system to the second. The speed at which attackers move leaves security teams with a short window to respond.
2. Run red-team exercises — Test your security defenses with adversary simulation exercises to streamline your response procedures and processes. This provides an opportunity to mitigate your vulnerabilities and improve your security defenses.
3. Evaluate your ability to detect compromised credentials — The 2022 Global Threat Report from CrowdStrike found that 62% of attackers are avoiding writing malware to the endpoint and opting to use legitimate credentials and built-in tools. Nearly 80% of cyberattacks leverage identity-based attacks to compromise legitimate credentials and use techniques like lateral movement to evade detection. It is important that your organization is prepared for credential-based attacks and understand it’s the core to the success of nearly all attacks.
4. Improve the security of user credentials and passwords — The 2021 Data Breach Investigation Report from Verizon found that 85% of breaches involve social engineering. It is important to train your employees to be aware of the company’s security policies and to be vigilant, understanding that security is the responsibility of all employees. Simulating phishing attacks to help your employees know what to look for, encouraging good password hygiene, and enforcing two-factor authentication for critical accounts can help you stop threats before they cause irreparable damage to your organization.
5. Invest in capabilities that allow you to determine what normal looks like for every user and asset in your organization. These are typically solutions with behavioral analytics capabilities.

Behavioral analytics improves threat detection, investigation, and response

Each of the IOCs listed above were new approaches, essentially zero-day attacks that evaded traditional rule and signatures detection methods. Behavioral analytics helps eliminate this attacker advantage by identifying a number of abnormal circumstances which may be indicative of compromised credentials, including:

• Deviations in a user’s file, database, VPN, or application access, and interaction patterns 
• Account creations outside of a change window
• A user authenticating from new or risky geographical locations
• A user accessing websites categorized as “malicious”
• Abnormal user or host executing a network sniffing tool
• Abnormal process activity indicating credential dumping
• 3rd party-alerts indicating compromised assets
• Compromised service accounts or assets
• Credential theft 

Behavioral analytics employs machine learning to baseline normal activity for all users and entities in an environment; the system automatically detects deviations compared to that baseline, the baseline of a peer group, and that of the organization as a whole — and assigns that activity a risk score. 

Exabeam helps security teams detect compromised credentials with the support of analytics and automation, with automated incident diagnosis from data collection to incident response. Exabeam automatically detects anomalous behaviors that are indicative of a compromised account (or employee), regardless of the attacker’s techniques. Detection models work out of the box and do not require security engineers to create complex correlation rules.

To support their investigations, analysts are provided with automated context in the form of Smart Timelines(™). Smart Timelines provide a snapshot of all of the activity surrounding the high risk user or asset. This snapshot includes a view of all of the systems access and activity that occurred relevant to these users or assets. Smart Timelines are automatically generated when a risk score passes a threshold. These timelines save analysts hours of investigation time, and simplify the process so Tier 1 analysts can perform some of the duties of Tier 2 and 3 analysts. In addition to the investigation efficiency, behavioral analytics eliminates the need for constant correlation rule creation.

Response: 

Once detected, incident responders can take action against suspicious activity by:

• Contacting a user/manager/HR department via email
• Adding a user to a watchlist
• Rotating account credentials/reset passwords
• Blocking, suspending, or imposing restrictions on users involved in the incident
• Prompting for re-authentication via 2-factor/multi-factor authentication
• Isolating systems — look at methods of creating segmentation for important assets

Understanding a user or entity’s normal behavior can help defenders quickly identify malicious activity.