Using social engineering rather than traditional ransomware tactics, the Lapsus$ group has already hit multiple organizations, says Microsoft.
A relatively new cybercriminal group has quickly gained an infamous reputation for its unique tactics and successful attacks against several major organizations. Known as Lapsus$, the gang uses social engineering to target its victims and has reportedly hit such companies as Samsung, Okta, NVIDIA and Microsoft. In a blog post published Tuesday, Microsoft provides insight into the group’s tactics and techniques and offers tips on how to protect your organization from these attacks.
Lapsus$, also tracked by Microsoft as DEV-0537, follows an extortion and destruction model of attack without relying on the typical ransomware payloads. To gain a foothold in victim organizations, the group employs several types of social engineering schemes.
Tactics of Lapsus$
As one tactic, Lapsus$ uses phone-based social engineering via SIM-swapping to compromise a victim’s phone number. With SIM-swapping, a criminal convinces or even pays off an employee at a mobile carrier to transfer the victim’s phone number to a SIM card owned by the attacker. Any multi-factor authentication codes delivered by call or text are then routed to the criminal’s phone instead of the victim’s, allowing the attacker to take over the victim’s account.
As another tactic, Lapsus$ will compromise an employee’s personal or private accounts as a way to gain access to their work-related accounts. Employees often use a personal account or phone number as a password recovery method or as an MFA factor, which opens the door for a criminal who controls that personal account to reset a password or take over the work account.
In some cases, members of the gang will call an organization’s help desk and try to persuade the support representative to reset the credentials for a privileged account. To appear more convincing, the group uses any information previously gathered about the account and has an English-speaking person talk to the help desk rep.
In yet another tactic, Lapsus$ seeks out employees and business partners willing to provide access to account credentials and MFA details for payment. Microsoft’s blog includes an example of a Lapsus$ advertisement looking for employees at call centers, mobile carriers and large corporations willing to share VPN or Citrix access to a network for money...