What Can We Learn From the Lapsus$ Attacks?
Adversaries are persistent and clever, as demonstrated by recently documented breaches including T-Mobile and the SITEL Group, a provider of customer experience products and solutions. Lapsus$ purchased credentials and used social engineering to recruit insiders and break into high-profile organizations. They moved laterally to access internal systems, source code, and customer data, among other highly-sensitive information. The group exploited insiders in the workforce, software supply chain, and insecure deployments and controls for credentials and access with the goal to steal information and profit by extortion.
Lapsus$ has been making news over the last few months for hacking high-profile organizations to steal sensitive information and extort the organizations. Lapsus$ threatens to leak the stolen data if blackmail payments are not made. This group publicly boasts their efforts and actively recruits insiders to support their illegal activity.
The attacks attributed to Lapsus$ have shone a light on the importance of monitoring user credential activity and creation. The group gains access to victims’ credentials through collusion, social engineering, bribery or phishing attacks, then moves within a network looking for the most sensitive information it can find before deploying data-encrypting malware.
Anatomy of the SITEL attack
While details of the most public hack have not been officially released by SITEL, various information sites have provided a summary of the attack timeline from documents obtained from an independent researcher, including a report of a Mandiant assessment that has reportedly been leaked online.
From TechCrunch we learned that the SITEL attacker used remote access services and public hacking tools to compromise secondary credentials and escalate privileges while on the SITEL network. Reviewing the report we can build the following timeline:
- RDP logon
- Search for privilege escalation tools on GitHub, along with download from GitHub
- New account created
- RDP request/movement
- Search for Process Explorer and Process Hacker, both executed
- FireEye Endpoint Agent service terminated (EDR taken down)
- Search for Mimikatz — Mimikatz downloaded from GitHub and executed
- RDP disconnected
- Office 365 login
- Accessed document “DomAdmins-LastPass.xlsx” (yes, actual filename)
- New account created
- New account added to TenantAdmins group
- Email transport rule to forward to BCC all mail (imagine this?)
Breaking Down the Timeline
On April 7th, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued an advisory warning of possible threats by Lapsus$. They highlighted that “Due to the diversity of their techniques, there is no single set of effective defenses or mitigations.” While the advisory recommends a number of defensive technologies and architecture like multi-factor authentication and zero trust, there are additional steps that security teams can take to help detect adversaries. Using the timeline in the section above as a starting point, we’ll dig into the investigative questions security teams should ask and get answered.
Recap: different IOCs were found to gain access – each evading traditional detection methods
Investigating the timeline — what to ask
IOC #1: Remote desktop protocol used to log on to the system
Identify: How do we monitor for RDP; can we identify unusual RDP access?
- What is the user accessing remotely?
- Does this user and device normally use RDP to access other devices?
- Was RDP initialized at an unusual time?
- Does the RDP client have unusual traits (keyboard layout, resolution, local time)?
IOC #2: New account created
Identify: How do we monitor account creation?
- Who created the new user?
- Where was the new user created and when?
- What resources are authorized for this user?
- Was the user created at an unusual time?
- Was there unusual activity surrounding this new account?
- Are all account creations managed in change control?
- How do you know when it’s an abnormal user?
IOC #3: Internal search for potentially malicious external tools like: privilege escalation, Process Exploration and Process Hacker
Identify: How do we monitor for suspicious internet activity?
- If someone searches for malicious external tools do we get an alert?
- Can we block the installation of malicious tools?
- Can we easily track any activity following suspicious internet activity?
IOC #4: Endpoint Agent service terminated
Identify: When endpoint tool processes are stopped or terminated, how are you alerted?
- If your endpoint tool isn’t running or was stopped, how quickly do we get an alert?
- How do we investigate with a terminated EDR?
- How do we tell if it is broken tech or part of what could be an incident?
IOC #5: Search for Mimikatz — Mimikatz downloaded from GitHub and executed
Identify: Are systems in place to block and alert on known malicious binaries? When those systems fail, how does detection occur and what is the response?
- Do we flag anyone searching for Mimikatz?
- Do we block download and execution of Mimikatz?
- Do we flag searching for suspect tools?
- How do we investigate suspicious searches?
- How do we understand the user’s intent?
- How do we identify if a user is compromised or malicious?
- Who is responsible for deciding if a user is compromised or malicious?
IOC #6: Office 365 Login
Identify: Do we have systems in place to monitor Office 365 logins?
- Was the access time unusual?
- Does the user access O365 in this manner?
- What is the user searching: files; directory access permissions?
- Do we have a baseline of normal behavior for this user? How does this compare?
- What type of login was this: client, web, or mobile?
IOC #7: Accessed document “DomAdmins-LastPass.xlsx”
Identify: Do we flag files with sensitive names?
- Is the user accessing data from unusual network locations?
- When DLP fires an alert on a sensitive file, a file with a password, or a sensitive name, how do you identify if it’s a mistake or part of a more significant problem?
- Can you see activity surrounding this alert: was malware found on the machine earlier that day? Is there suspicious behavior that might indicate this as malicious?
IOC #8: New account added to TenantAdmins group
Identify: How do we protect and monitor our privileged accounts and assets?
- What information do we have about this login? What contextual information can we gather?
- What IP address was used to login to the Admin Account? Have we seen it before?
- What time is this activity occurring? Is that normal for this admin?
- Do we have a system that requires second approval for admin account creation?
- How can we gather context about this activity?
It is important to be prepared and proactive against threats to your organization. Below are some steps you can take to support your defense:
- Assess your security posture — how would your analyst know how and when to ask the questions above — and how long would that take? The 2022 Global Threat Report from CrowdStrike states that attackers average 1 hour 32 minutes to jump from the first compromised system to the second. The speed at which attackers move leaves security teams with a short window to respond.
- Run red-team exercises — Test your security defenses with adversary simulation exercises to streamline your response procedures and processes. This provides an opportunity to mitigate your vulnerabilities and improve your security defenses.
- Evaluate your ability to detect compromised credentials — The 2022 Global Threat Report from CrowdStrike found that 62% of attackers are avoiding writing malware to the endpoint and opting to use legitimate credentials and built-in tools. Nearly 80% of cyberattacks leverage identity-based attacks to compromise legitimate credentials and use techniques like lateral movement to evade detection. It is important that your organization is prepared for credential-based attacks and understand it’s the core to the success of nearly all attacks.
- Improve the security of user credentials and passwords — The 2021 Data Breach Investigation Report from Verizon found that 85% of breaches involve social engineering. It is important to train your employees to be aware of the company’s security policies and to be vigilant, understanding that security is the responsibility of all employees. Simulating phishing attacks to help your employees know what to look for, encouraging good password hygiene, and enforcing two-factor authentication for critical accounts can help you stop threats before they cause irreparable damage to your organization.
- Invest in capabilities that allow you to determine what normal looks like for every user and asset in your organization. These are typically solutions with behavioral analytics capabilities.
Behavioral analytics improves threat detection, investigation, and response
Each of the IOCs listed above were new approaches, essentially zero-day attacks that evaded traditional rule and signatures detection methods. Behavioral analytics helps eliminate this attacker advantage by identifying a number of abnormal circumstances which may be indicative of compromised credentials, including:
- Deviations in a user’s file, database, VPN, or application access, and interaction patterns
- Account creations outside of a change window
- A user authenticating from new or risky geographical locations
- A user accessing websites categorized as “malicious”
- Abnormal user or host executing a network sniffing tool
- Abnormal process activity indicating credential dumping
- 3rd party-alerts indicating compromised assets
- Compromised service accounts or assets
- Credential theft
Behavioral analytics employs machine learning to baseline normal activity for all users and entities in an environment; the system automatically detects deviations compared to that baseline, the baseline of a peer group, and that of the organization as a whole — and assigns that activity a risk score.
Exabeam helps security teams detect compromised credentials with the support of analytics and automation, with automated incident diagnosis from data collection to incident response. Exabeam automatically detects anomalous behaviors that are indicative of a compromised account (or employee), regardless of the attacker’s techniques. Detection models work out of the box and do not require security engineers to create complex correlation rules.
To support their investigations, analysts are provided with automated context in the form of Smart Timelines(™). Smart Timelines provide a snapshot of all of the activity surrounding the high risk user or asset. This snapshot includes a view of all of the systems access and activity that occurred relevant to these users or assets. Smart Timelines are automatically generated when a risk score passes a threshold. These timelines save analysts hours of investigation time, and simplify the process so Tier 1 analysts can perform some of the duties of Tier 2 and 3 analysts. In addition to the investigation efficiency, behavioral analytics eliminates the need for constant correlation rule creation.
Once detected, incident responders can take action against suspicious activity by:
- Contacting a user/manager/HR department via email
- Adding a user to a watchlist
- Rotating account credentials/reset passwords
- Blocking, suspending, or imposing restrictions on users involved in the incident
- Prompting for re-authentication via 2-factor/multi-factor authentication
- Isolating systems — look at methods of creating segmentation for important assets
Understanding a user or entity’s normal behavior can help defenders quickly identify malicious activity.
Learn more about Insider Threats
Log4j by Another Name. It’s Coming; How Can You Keep Pace?
Incident Response: 6 Steps, Technologies, and Tips
Exabeam News Wrap-up – Week of September 19, 2022
Exabeam News Wrap-up – Week of September 12, 2022
Subscribe today and we'll send our latest blog posts right to your inbox, so you can stay ahead of the cybercriminals and defend your organization.
See a world-class SIEM solution in action
Most reported breaches involved lost or stolen credentials. How can you keep pace?
Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.
Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.
Get a demo today!