https://krebsonsecurity.com/2022/04/the-original-apt-advanced-persistent-teenagers/

Krebs on Security

The Original APT: Advanced Persistent Teenagers

April 6, 2022

Many organizations are already struggling to combat cybersecurity threats from ransomware purveyors and state-sponsored hacking groups, both of which tend to take days or weeks to pivot from an opportunistic malware infection to a full blown data breach. But few organizations have a playbook for responding to the kinds of virtual "smash and grab" attacks we've seen recently from LAPSUS$, a juvenile data extortion group whose short-lived, low-tech and remarkably effective tactics have put some of the world's biggest corporations on edge.

Since surfacing in late 2021, LAPSUS$ has gained access to the networks or contractors for some of the world's largest technology companies, including Microsoft, NVIDIA, Okta and Samsung. LAPSUS$ typically threatens to release sensitive data unless paid a ransom, but with most victims the hackers ended up publishing any information they stole (mainly computer source code).

Microsoft blogged about its attack at the hands of LAPSUS$, and about the group targeting its customers. It found LAPSUS$ used a variety of old-fashioned techniques that seldom show up in any corporate breach post-mortems, such as:

- targeting employees at their personal email addresses and phone numbers;
- offering to pay $20,000 a week to employees who give up remote access credentials;
- social engineering help desk and customer support employees at targeted companies;
- bribing/tricking employees at mobile phone stores to hijack a target's phone number;
- intruding on their victims' crisis communications calls post-breach.

If these tactics sound like something you might sooner expect from spooky, state-sponsored "Advanced Persistent Threat" or APT groups, consider that the core LAPSUS$ members are thought to range in age from 15 to 21. Also, LAPSUS$ operates on a shoestring budget and is anything but stealthy: According to Microsoft, LAPSUS$ doesn't seem to cover its tracks or hide its activity. In fact, the group often announces its hacks on social media.

ADVANCED PERSISTENT TEENAGERS

This unusual combination makes LAPSUS$ something of an aberration that is probably more aptly referred to as "Advanced Persistent Teenagers," said one CXO at a large organization that recently had a run-in with LAPSUS$.

"There is a lot of speculation about how good they are, tactics et cetera, but I think it's more than that," said the CXO, who spoke about the incident on condition of anonymity. "They put together an approach that industry thought suboptimal and unlikely. So it's their golden hour."

LAPSUS$ seems to have conjured some worst-case scenarios in the minds of many security experts, who worry what will happen when more organized cybercriminal groups start adopting these techniques.

"LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices," said Amit Yoran, CEO of security firm Tenable and a former federal cybersecurity czar, testifying last week before the House Homeland Security Committee. "With much deeper pockets, focus, and mission, targeting critical infrastructure. That should be a sobering, if not terrifying, call to action."

My CXO source said LAPSUS$ succeeds because they simply refuse to give up, and just keep trying until someone lets them in.

"They would just keep jamming a few individuals to get [remote] access, read some onboarding documents, enroll a new 2FA [two-factor authentication method] and exfiltrate code or secrets, like a smash-and-grab," the CXO said. "These guys were not leet, just damn persistent."

HOW DID WE GET HERE?

The smash-and-grab attacks by LAPSUS$ obscure some of the group's less public activities, which according to Microsoft include targeting individual user accounts at cryptocurrency exchanges to drain crypto holdings.

In some ways, the attacks from LAPSUS$ recall the July 2020 intrusion at Twitter, wherein the accounts for Apple, Bill Gates, Jeff Bezos, Kanye West, Uber and others were made to tweet messages inviting the world to participate in a cryptocurrency scam that promised to double any amount sent to specific wallets. The flash scam netted the perpetrators more than $100,000 in the ensuing hours.

The group of teenagers who hacked Twitter hailed from a community that traded in hacked social media accounts. This community places a special premium on accounts with short "OG" usernames, and some of its most successful and notorious members were known to use all of the methods Microsoft attributed to LAPSUS$ in the service of hijacking prized OG accounts.

The Twitter hackers largely pulled it off by brute force, writes Wired on the July 15, 2020 hack.

"Someone was trying to phish employee credentials, and they were good at it," Wired reported. "They were calling up consumer service and tech support personnel, instructing them to reset their passwords. Many employees passed the messages onto the security team and went back to business. But a few gullible ones--maybe four, maybe six, maybe eight--were more accommodating. They went to a dummy site controlled by the hackers and entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes."

Twitter revealed that a key tactic of the group was "phone spear phishing" (a.k.a. "voice phishing" a.k.a. "vishing").
This involved calling up Twitter staffers using false identities, and tricking them into giving up credentials for an internal company tool that let the hackers reset passwords and multi-factor authentication setups for targeted users.

In August 2020, KrebsOnSecurity warned that crooks were using voice phishing to target new hires at major companies, impersonating IT employees and asking them to update their VPN client or log in at a phishing website that mimicked their employer's VPN login page.

Two days after that story ran, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued their own warning on vishing, saying the attackers typically compiled dossiers on employees at specific companies by mass-scraping public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. The joint FBI/CISA alert continued:

"Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company's IT help desk, using their knowledge of the employee's personally identifiable information--including name, position, duration at company, and home address--to gain the trust of the targeted employee."

"The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee's account."

Like LAPSUS$, these vishers just kept up their social engineering attacks until they succeeded.
As KrebsOnSecurity wrote about the vishers back in 2020:

"It matters little to the attackers if the first few social engineering attempts fail. Most targeted employees are working from home or can be reached on a mobile device. If at first the attackers don't succeed, they simply try again with a different employee."

"And with each passing attempt, the phishers can glean important details from employees about the target's operations, such as company-specific lingo used to describe its various online assets, or its corporate hierarchy."

"Thus, each unsuccessful attempt actually teaches the fraudsters how to refine their social engineering approach with the next mark within the targeted organization."

SMASH & GRAB

The primary danger with smash-and-grab groups like LAPSUS$ is not just their persistence but their ability to extract the maximum amount of sensitive information from their victims using compromised user accounts that typically have a short lifespan. After all, in many attacks, the stolen credentials are useful only so long as the impersonated employee isn't also trying to use them.

This dynamic puts tremendous pressure on cyber incident response teams, which suddenly are faced with insiders who are trying frantically to steal everything of perceived value within a short window of time.

On top of that, LAPSUS$ has a habit of posting screenshots on social media touting its access to internal corporate tools. These images and claims quickly go viral and create a public relations nightmare for the victim organization.

Single sign-on provider Okta experienced this firsthand last month, when LAPSUS$ posted screenshots that appeared to show Okta's Slack channels and another with a Cloudflare interface. Cloudflare responded by resetting its employees' Okta credentials.

Okta quickly came under fire for posting only a brief statement that said the screenshots LAPSUS$ shared were connected to a January 2022 incident involving the compromise of "a third-party customer support engineer working for one of our subprocessors," and that "the matter was investigated and contained by the subprocessor."

This assurance apparently did not sit well with many Okta customers, especially after LAPSUS$ began posting statements that disputed some of Okta's claims. On March 25, Okta issued an apology for its handling of the January breach at a third-party support provider, which ultimately affected hundreds of its customers.

My CXO source said the lesson from LAPSUS$ is that even short-lived intrusions can have a long-term negative impact on victim organizations -- especially when victims are not immediately forthcoming about the details of a security incident that affects customers.

"It does force us to think about insider access differently," the CXO told KrebsOnSecurity. "Nation states have typically wanted longer, more strategic access; ransomware groups want large lateral movement. LAPSUS$ doesn't care, it's more about, 'What can these 2-3 accounts get me in the next 6 hours?' We haven't optimized to defend that."

Any organizations wondering what they can do to harden their systems against attacks from groups like LAPSUS$ should consult Microsoft's recent blog post on the group's activities, tactics and tools. Microsoft's guidance includes recommendations that can help prevent account takeovers or at least mitigate the impact from stolen employee credentials.

This entry was posted on Wednesday 6th of April 2022 01:55 PM

7 thoughts on "The Original APT: Advanced Persistent Teenagers"

1. mealy April 6, 2022

2-3 compromised credentials that can get to crown jewels in 6-24 hours is game over. How much resource compartmentalization does a "mature cybersecurity practice" entail? Central-vpn traffic monitoring for realtime credential detection? De-automated TFA + sanity? When ring-X keyholding insiders are so easily fooled or able to be bought out without supervision, the supervision required has to be draconian = and users will absolutely complain. Meanwhile the overhead required to segment and authenticate all access properly is not "business friendly." It requires practices and dedicated heads that (most?) many organizations have little interest in, as it's all cost and hassle and complaints with an intangible upside. Until it happens. And it's bad when source gets p-b'ed but 10x magnified when mumbling coverup is attempted. If they aren't going to dig proper moats they need to at least come clean about dragon activity, people are going to find out regardless. It's just compounding a reputational failure over again. You can't rebuild any confidence in your practices if you're minimizing and omitting key details. The ones who successfully rebound confidence go the other way. Tell the truth objective 1.

    1. Jon Marcus April 7, 2022

    Mostly agree. The one thing I'd point out is that this doesn't appear to have targeted or gotten "crown jewels". More like a smash and grab, scooping up whatever's around. For instance, at Microsoft they grabbed some random source code. That stuff is proprietary, it's not something MS wants just anyone to have.
    But speaking as a developer, if you try to put "draconian supervision" around the source code to our libraries, I'm not going to be able to do my job.

    Here's an example: Let's say you limit me to accessing relevant chunks of my department's code, and I have to get explicit supervisor approval to access other departments' code. Great, secure. Now I want to eliminate a problematic, deprecated method in my library. I want to make sure the method's not still in use. Can I just grep across our company codebase for the method? Or do I need to approach each departmental supervisor, and get explicit personal approval to access their department's code?

    And before you say, "Yeah, suck it up. Take the extra time," what if the method I want to eliminate has been found to be insecure? How much extra time should I take before I improve security enterprise-wide?

2. Michael April 7, 2022

This "hack" just shows again in BOLD that cyber attacks are most often not advanced attacks, they are more than likely a cheap trick like this, I don't even like to use the term "social engineering" as it makes the attack seem like something achieved through a lot of "effort" - even if that effort is criminal! Unfortunately without sufficient training for our staff we will continue to be 'breached' using nothing more than a bit of persistence and time, the only positive from this is with our short attention spans in the Facebook era, attackers will give up easily.

3. Tony B April 7, 2022

Here's evidence you can bribe your way into companies for $20k and people really think politicians aren't taking bribes lol

4. RICHARD April 7, 2022

There's only APT upside potential until businesses are incentivized to strengthen cyberhygiene practice. Consumers are forced by terms of service to indemnify businesses for purchase and use of product, or any non-negligence related outcome from use.
This means the business (and employees) are effectively faultless for breach and ransom incidents. Cyberinsurance premiums are a business expense passed onto the consumer via sales. Restrict indemnification use in terms of service, and boards of directors and CxOs will take note. They would be compelled to embrace CISA standards and possibly comply with NIST SP 800-53 control families for risk management. Personally, I doubt any measures, no matter their sincerity or effectiveness, will occur until corporate money and lobbyists are stomped. The current situation of breach and ransom-at-will won't cease or subside until a few perp walks occur for business negligence and the Caesar salad lunch crowd are personally liable for under-investing in cyber training and infrastructure defenses to deter scriptkiddies.

5. Catwhisperer April 7, 2022

The example here of LAPSUS$ just shows how unready we are. People forget that a rudimentary bow made of wood kills the same as a Glock. There are some great asymmetric capabilities to pay attention to here. And as usual, the wetware is the weakest link, and because of that mission persistence paid for in the end for the attackers. It appears that by focusing on higher end attack capabilities, seasoned cybersecurity teams were overcome with what were basically low tech guerilla warfare tactics. I'd recommend we all revisit Sun Tzu's Art of War, again...

6. Paulina April 7, 2022

One thing no one in the industry is talking about (not even Brian himself) is how poorly we treat employees. This leads to them accepting such bribes. Company cultures are no longer about commitment and ownership of the objectives, they are just about "how much money can I get" or "what are benefit packages". Even on the C-suite level! Most companies in the realm of IT/Cyber push for more revenue not to advance themselves, their goals, and their employees; but to get acquired by a big corporation!
Just look at FireEye-turned-Mandiant-bought-by-Google. This is a big flaw! I am not saying that revenue should not be a focus, but commitment to a company for long-term employment should be somewhere on the priority list. Sustainability is key. I think we did away with that culture a long time ago, when companies stopped offering pensions. It suddenly didn't make sense to commit to anything. And that's why there is a huge turnover in IT, and people are quickly bought with offers of $20k/week.