Even as someone who is somewhat tech savvy I automatically think of hacking as an exercise in overcoming the technical security boundaries of an infrastructure. Groups like LAPSUS$ appear to have a much more human and social approach, as in, “let’s bribe and beguile our way into critical systems”. Microsoft detailed this groups approach, and here are some details (emphasis mine):
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors. DEV-0537 is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.
Some of the specific techniques are as follows:
DEV-0537 uses a variety of methods that are typically focused on compromising user identities to gain initial access to an organization including:
- Deploying the malicious Redline password stealer to obtain passwords and session tokens
- Purchasing credentials and session tokens from criminal underground forums
- Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
- Searching public code repositories for exposed credentials
They then follow up by attempting to join the triage calls they created:
DEV-0537 is known to monitor and intrude in incident response communications. As such, these communication channels should be closely monitored for unauthorized attendees and verification of attendees should be performed visually or audibly.
I am constantly amazed that of all the ways for our complex systems to be compromised, that we operators and developers have become our own weakest link.