Curated commentary; timely topics

Low-tech tactics and two types of EDR

LAPSUS$ first emerged in December 2021 and has recently made news for hacks on large companies including Samsung, Impresa, NVIDIA, Vodafone, and Ubisoft. A recent revelation adds Apple Inc. and Meta Platforms Inc., the parent company of Facebook, to the list of LAPSUS$ victims: both companies were tricked into handing customer data to the hackers. In a detailed blog post, security researcher Brian Krebs outlines how LAPSUS$ uses what he calls “low-tech but high-impact methods” to gain access to targeted organizations.

The tactic involves abuse of emergency data requests (EDRs). The criminals first compromise and obtain credentials belonging to law enforcement officials. With those credentials, they send unauthorized requests for subscriber data to phone companies, internet service providers, and social media sites under the pretense that the requested information is urgent and related to a matter of life and death that cannot wait for a court order. That pretense bypasses the usual legal review process and prompts the immediate release of the sensitive data.

“It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate,” Krebs writes. “Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.”

Industry voices are also raising questions about the other type of EDR: endpoint detection and response. Analysis of the Okta breach reveals that LAPSUS$ infiltrated Okta's network through the compromised laptop of a support engineer working with Sitel, a third-party customer support firm. The access was gained through remote desktop protocol (RDP), an increasingly common way for criminals to reach systems.

LAPSUS$, according to a tweet from researcher Bill Demirkapi (@BillDemirkapi), “used off-the-shelf tooling from GitHub for the majority of their attacks. After downloading Process Explorer and Process Hacker, LAPSUS$ bypassed the FireEye endpoint agent by simply terminating it.”

Infosec researcher Greg Linares, who goes by the Twitter handle @Laughing_Mantis, weighed in with this advice:

“#BlueTeams I am gonna need you to stop what you are doing today and do this one homework assignment for me in light of LAPSUS$. What happens when your EDR on a client gets terminated unexpectedly: - Does it restart? - Do you get alerts? - Do you lock down the system & start IR?” he tweeted. “If someone can terminate your EDR client in its current config and you do not get an alert, it doesn’t attempt to restart automatically, and this doesn’t trigger a lock down or IR response. IT IS MISCONFIGURED.”
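One way to turn that homework assignment into a repeatable check, as an added example that is not from the newsletter or from anyone quoted in it: parse Windows System log records for the Service Control Manager events 7034 (service terminated unexpectedly) and 7036 (service entered a state), which are real event IDs, and report whether the agent came back and which hosts need an alert and IR. The service name EdrAgent, the restart window, the hostnames and the log lines are constructed assumptions.

```python
# Added example (not the newsletter's or any quoted researcher's code).
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

EDR_SERVICE = "EdrAgent"              # assumption: the agent's Windows service name
RESTART_SLA = timedelta(seconds=60)   # assumption: acceptable automatic-restart window

# Constructed sample of Windows System log records: "<timestamp> <host> <event_id> <message>"
SAMPLE_LOG = """\
2022-03-22T10:00:05 WS-101 7036 The EdrAgent service entered the running state.
2022-03-22T10:14:02 WS-101 7034 The EdrAgent service terminated unexpectedly. It has done this 1 time(s).
2022-03-22T10:14:30 WS-101 7036 The EdrAgent service entered the running state.
2022-03-22T11:02:11 WS-237 7034 The EdrAgent service terminated unexpectedly. It has done this 1 time(s).
2022-03-22T11:30:00 WS-237 7036 The Spooler service entered the running state.
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) The (\S+) service (.+)$")

@dataclass
class Finding:
    host: str
    terminated_at: datetime
    restarted: bool                 # did the agent come back within RESTART_SLA?
    restart_delay: Optional[float]  # seconds until the next 'running' event, None if never

def parse(log: str):
    """Yield (timestamp, host, event_id, service, message) for each record that matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, eid, svc, msg = m.groups()
            yield datetime.fromisoformat(ts), host, int(eid), svc, msg

def audit_edr_terminations(log: str, service=EDR_SERVICE, sla=RESTART_SLA):
    """One Finding per unexpected EDR termination (7034), paired with the first
    later 7036 'running' event for the same host and service, if any."""
    events = list(parse(log))
    findings = []
    for ts, host, eid, svc, _ in events:
        if eid != 7034 or svc != service:
            continue
        back = next((t for t, h, e, s, m in events if h == host and e == 7036
                     and s == service and "running" in m and t > ts), None)
        delay = (back - ts).total_seconds() if back else None
        findings.append(Finding(host, ts, delay is not None and delay <= sla.total_seconds(), delay))
    return findings

def needs_ir(findings):
    """Hosts whose agent died and never restarted in time: alert and isolate these."""
    return sorted({f.host for f in findings if not f.restarted})
```

In the sample, WS-101's agent restarts 28 seconds after being killed while WS-237's never returns, so only WS-237 is flagged for lockdown and IR.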

Security researcher Joe Helle (@joehelle) also tweeted that the Okta breach is a spotlight on EDR technologies: “LAPSUS$ installed Process Explorer and Process Hacker and terminated FireEye. I hope the decision makers are paying attention to this, and that the shiny EDR you just paid for isn't all you need to secure your environments.”

Teens in trouble

In late March, the City of London Police arrested and released seven alleged LAPSUS$ members between the ages of 16 and 21. However, the arrests appear not to have slowed the group's activity, and despite their age, its members should not be underestimated, according to security experts.

“LAPSUS$ is no joke,” tweeted TrustedSec founder Dave Kennedy, who goes by the handle @HackingDave. “Okta, Microsoft, LG and others. Seeing a number of orgs hit and ones that are pretty far along sec maturity wise. They are taking advantage of gaps in detection, EDRs + more. Cloud visibility and understanding baseline behavior is critical. Red alert.”

“It's tempting to dismiss LAPSUS$ as childish and fame-seeking. That may be true. But everyone in charge of security should know that this level of social engineering to steal access is the new norm,” noted security author Brian Krebs (@briankrebs).

Security researcher Jake Williams (@MalwareJake) agrees.

“I've seen some otherwise smart cybersecurity people throwing shade at Lapsus$ like ‘they're just a bunch of disorganized kids.’ Um, okay, but whoever they are, they're pretty darn effective. Like it doesn't really matter who they are if they're beating your security controls.”

Linares says he expects their recent success will likely prompt further growth.

“It would be really interesting to see the latest LAPSUS$ leaks & IOCs. I am strongly guessing other members of the group are stepping up and forming this newer rag tag LAPSUS$ group. Releasing data post bust to show a group is still active is classic recruitment strategy.”


Read more on LAPSUS$:

LAPSUS$ ransomware group claims Okta breach

The ransomware group claims that it has had access to customer records since January 2022; Okta says there is no evidence of ongoing malicious activity.

Extortion group teases 190GB of stolen data as Samsung confirms security breach

The LAPSUS$ data extortion group claims to have a huge collection of confidential data stolen from Samsung Electronics, which has confirmed a security breach.

Nvidia hackers release code-signing certificates that malware can abuse

Researchers have already found examples of malicious files signed with the stolen certificates.

Why authentication is still the CISO’s biggest headache

Authentication continues to vex security leaders as businesses become more digitized, agile and dependent on remote employees.

About the Author
Joan Goodchild is a veteran writer and editor with 20+ years of experience. She writes about information security and strategy and is the former editor in chief of CSO.

©2022 IDG Communications, Inc.