The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. It’s actually malware, and provides information back to the Russians:

The hackers pretended to be a “community of free people around the world who are fighting russia’s aggression”—much like the IT Army. But the app they developed was actually malware. The hackers called it CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard. To add more credibility to the ruse they hosted the app on a domain “spoofing” the Azov Regiment: cyberazov[.]com.

[…]

The app actually didn’t DDoS anything, but was designed to map out and figure out who would want to use such an app to attack Russian websites, according to Huntely.

[…]

Google said the fake app wasn’t hosted on the Play Store, and that the number of installs “was miniscule.”

Details from Google’s Threat Analysis Group here.

Read More

First discovered in 2007, the Gozi virus was able to go undetected as it stole bank account information from computers

Read More

Threat integration of a shared IoC is difficult when the responsibility is distributed out to organizations to create defensive actions.

Read More

An app which purported to launch distributed denial-of-service (DDoS) attacks against the internet infrastructure of Russia, was in reality secretly installing malware on to the devices of pro-Ukrainian activists.

Read more in my article on the Hot for Security blog.

Read More

Hardening an OS in the cloud can be a tedious process without hardened virtual images. Learn how CIS’s Hardened Images can help with cloud security. […]

Read More

The group Cloaked Ursula is increasingly using popular online storage services because it makes attacks difficult to detect and prevent

Read More

Perception Point has announced the launch of a new managed security service designed to eliminate web browser threats to organizations. According to the firm, Perception Point Advanced Browser Security adds managed, enterprise-grade security to native Chrome and Edge browsers allowing users to browse the web or access SaaS applications without exposing enterprise data to risk. The release is reflective of a growing trend of security products coming to market to provide advanced security for native browsers.

Advanced Browser Security designed to isolate, detect and remediate web threats

In a press release, Perception Point said the new solution fuses patented browser security technology powered by web isolation platform Hysolate, which it acquired earlier this year, and its own multi-layer detection engines. This combination delivers the ability to isolate, detect and remediate threats from the web, including phishing, ransomware, malware and APTs. Advanced Browser Security also secures access to sensitive corporate apps via an isolated, trusted Chrome or Edge browser, the firm added.

To read this article in full, please click here

Read More

Having gained the industry’s attention in the first months of 2022, the LAPSUS$ extortion group has largely gone quiet. What can we learn from this extortion group’s story and tactics?

In early 2022, the LAPSUS$ group broke onto the scene with flashy and disruptive attacks. While occasionally lumped in with ransomware groups, LAPSUS$ is an extortion group. What differentiates it from established, professional ransomware groups and what lessons can organizations learn from its tactics to improve their defenses?

The LAPSUS$ group made a considerable splash at the beginning of 2022, but has fallen to ripples among the bigger waves caused by more established groups like Conti. LAPSUS$’s brief tenure as a leader of cybersecurity news cycles was marred by idiosyncrasies and apparent mistakes.

Source: Tenable Research, July 2022

Ransomware or extortion?

I noted that LAPSUS$ is an extortion, not ransomware, group. For these purposes, I am being intentionally specific with the definition of ransomware. While some cases of extortion involve stealing data and “ransoming” it back to organizations, ransomware specifically refers to incidents when data-encrypting malware (ransomware) is deployed and access to those systems is ransomed back to target organizations.

Over the years, ransomware groups have adopted diverse extortion tactics. To learn about those tactics and other key features of the ransomware ecosystem, read Tenable’s report. Extortion groups like LAPSUS$ focus on opportunistic data theft and threats to publicly release the stolen data. Occasionally, these groups will also delete the original data.

With that distinction established, let’s examine one of the recent prominent names in extortion: the LAPSUS$ group.

Who is the LAPSUS$ group?

While there are other groups that perform extortion-only attacks, the LAPSUS$ group broke onto the scene in a big way at the end of 2021 and brought this type of threat group to the forefront.

LAPSUS$’s official career began in December 2021 with attacks against companies in South America and continued into January with targets in South America and Portugal, likely related to the location of some group members. (While the initial breach of Sitel and subsequent compromise of Okta occurred at the end of January, it wasn’t publicized for another two months.) In the following months, LAPSUS$ expanded its targets to multinational technology companies. This brought the group to the attention of the cybersecurity community at large.

The LAPSUS$ group solely operates through a private Telegram group and doesn’t manage a dark web leak site like other threat groups, limiting the data available for analysis. Nonetheless, many security analysts, researchers and reporters have examined the information available and developed insights into the group’s characteristics and tactics.

Common themes among these analyses include:

Lower maturity tactics and behaviors
Priority for clout and notoriety
Primarily focused on monetary goals

The theorized goals of money and fame are supported by the group’s transition from targeting companies in South America to companies with much larger areas of influence, “large scale international technology companies,” as Flashpoint research puts it. Targeting these companies theoretically could earn cybercriminals higher payouts, and it absolutely earned the group notoriety.

As many analysts have pointed out, it is difficult to attribute a singular, monolithic goal — or even confidently discount goals — to such a “loose collective.” LAPSUS$ has vehemently asserted that it is not politically motivated or state sponsored and its actions appear consistent with this assertion.

If ransomware groups like Conti are well-organized operations reminiscent of criminal enterprises depicted in TV shows and films such as Boardwalk Empire or the Godfather — complete with customer service and human resources — LAPSUS$ comes off more like the teams in Point Break or Bottle Rocket. Many analysts have referred to its behavior as immature and impulsive, comparing it to the stereotypical “teenager in the basement,” the script kiddies.

While it’s hard to identify individual members of any cybercrime group, researchers and law enforcement have traced LAPSUS$ operations to a few teenagers in Brazil and the U.K. These identifications, subsequent arrests and apparent silence from the group, seem to align with analysis stating the group is made of “talented but inexperienced” actors who are “reckless and disruptive.” These traits are based on the observed tactics and behaviors of the group, so let’s examine those in some detail.

How does LAPSUS$ operate?

The LAPSUS$ group, maybe short lived given the latest developments, still showed a trajectory of maturity. This trajectory has not been linear, which further supports the loose collective nature of the group. Over time, the LAPSUS$ group has made opportunistic shifts in tactics and priorities for its attacks — moving from traditional customer and client data theft to theft of proprietary information and source code.

In terms of tactics, early attacks featured distributed denial of service (DDoS) and website vandalism. But, as early as January 21, the LAPSUS$ group was already engaged in the multi-stage breach that eventually led to the incident at Okta. Throughout that maturation process, the LAPSUS$ group heavily relied on tried-and-true tactics like purchasing credential dumps, social engineering help desks and spamming multifactor authentication (MFA) prompts to achieve initial access to target organizations.

According to reports from Microsoft and the NCC Group, the former from its own breach by the group, these are some key tactics, techniques and procedures of the LAPSUS$ group:

Initial access via purchased or publicly available credential repositories, password stealers and paying employees for access
Circumventing MFA through spamming prompts or contacting help desk
Accessing internet-facing applications like virtual private networks, Microsoft SharePoint, virtual desktops etc. to collect further credentials and access sensitive information
Elevating privileges by exploiting unpatched vulnerabilities in Jira, GitLab, and Confluence and enumerating users with Active Directory Explorer
Exfiltrating data via NordVPN or free file drop services and then deleting resources
Using access to the target’s cloud environments to build attack infrastructure and remove all other global administrators

As I’ve noted above, the LAPSUS$ group differs from other threat groups in the extortion and ransomware spaces in a key way: it does not operate a leak website. The group solely uses its Telegram channel to announce victims, often soliciting input from the broader community on which organization’s data to release next. Compared with the polished, standardized sites of ransomware groups (like AvosLocker, LockBit 2.0, Conti etc.), these practices come off as disorganized and immature.

AvosLocker leak website, Image Source: Tenable, May 2022

On the surface, the move to stealing source code and proprietary information could be seen as a strategy to motivate and elicit higher extortion payments, but the LAPSUS$ group has also used these thefts in strange ways. With the Nvidia data, LAPSUS$ also leaked a code-signing certificate that allowed malware authors to freely use this certificate to smuggle their wares into target environments as legitimately signed programs from Nvidia. LAPSUS$ was able to pilfer valuable information from Nvidia, but wasn’t interested in or capable of capitalizing on it for its own benefit. The group didn’t appear to have a strong sense of what data had value. The data stolen from Microsoft “does not lead to elevation of risk” and Samsung did not “anticipate any impact to [its] business or customers.”

In fact, LAPSUS$ didn’t always effectively communicate extortion demands to victims, occasionally disagreed publicly on how to leak data and made “unreasonable and illogical” demands. With Nvidia, LAPSUS$ demanded functional changes to Nvidia chips that could not reasonably be accomplished. It seems this demand was a longer-term monetary strategy to increase capacity to mine cryptocurrency, albeit an ill-conceived one.

What has LAPSUS$ accomplished?

Even though earlier attacks by the LAPSUS$ group didn’t gain the level of attention its later attacks received, some were quite disruptive and quickly placed the group on defenders’ radar screens, particularly in the regions hardest hit by those early attacks. The group managed to disrupt several telecommunications and media companies in Latin America and Europe, as well as Brazil’s Ministry of Health.

It wasn’t until the attack against Nvidia, in late February, that LAPSUS$ really broke into the broader limelight. With this breach, LAPSUS$ stepped out onto the global stage and started a brief tear through major technology companies, doing so with perhaps more flair than function.

Even though the breaches at Samsung, Microsoft and Okta did not have the technical impact we all fear from an incident at companies of that caliber, the disruption was still considerable. The incident at Okta in particular threw the cybersecurity industry into a furor while it was being investigated and disclosed. While these major incidents were occurring, the group continued targeting smaller organizations in Latin America and Europe.

Characterized by erratic behavior and outlandish demands that cannot be met — at one point, the group even accused a target of hacking back — the LAPSUS$ group’s tenure at the forefront of the cybersecurity newscycle was chaotic. It’s hard to say how much money the LAPSUS$ group has earned from its enterprise, but it cannot be denied that the group gained notoriety, for better or worse. Three months since the peak of LAPSUS$ attacks and the arrests, the group remains largely inactive.

How organizations should respond

The LAPSUS$ group’s primary tactics are focused on social engineering and recruiting insiders. In its report on the group’s activities, NCC Group has provided indicators of compromise for LAPSUS$ attacks. Organizations should adopt the following guidance to defend against attacks from LAPSUS$ and other extortion groups.

Reevaluate help desk policies and social engineering awareness
Strengthen MFA: avoid SMS-based MFA; ensure strong password use; leverage passwordless authentication
Use robust authentication options for internet-facing applications like OAuth and security assertion markup language
Find and patch known-exploited vulnerabilities that could allow attackers to move laterally in your systems, elevate privileges and exfiltrate sensitive data
Bolster cloud security posture: improve risk detections, strengthen access configurations

In its analysis of the incident targeting its own systems, Okta points to its adoption of zero trust as a key defense mechanism. The additional authentication steps required to access sensitive applications and data prevented the LAPSUS$ group from achieving access that could have had catastrophic impact on Okta and its customers.

Extortion groups like LAPSUS$ don’t target Active Directory with the same motivations as traditional ransomware groups, but still seek to compromise AD targets for the sake of pivoting their access to higher-privileged users. Proper AD configuration and monitoring are as critical for stopping extortion as they are for stopping ransomware. Additionally, these extortion groups are very likely to target cloud environments. The LAPSUS$ group has been observed targeting cloud infrastructure, deleting resources and locking out legitimate users.

Like their ransomware counterparts, these extortion groups still rely on legacy vulnerabilities that organizations have left unpatched. At the RSA Conference in June 2022, NSA Cybersecurity Director Rob Joyce said that addressing these known exploited vulnerabilities “needs to be the base” of cybersecurity efforts. Tenable customers can use our Ransomware Ecosystem scan template, dashboards (Tenable.io, Tenable.sc) and reports to assess their environments for vulnerabilities known to be targeted by ransomware groups, many of which are also exploited by extortion groups.

The future of extortion groups

LAPSUS$ is not the only name in extortion. In the wake of Conti shutting down, some of its affiliates have been observed engaging in similar attacks. U.S. government agencies have also warned of another extortion group, Karakurt, which moved from merely operating a leak website for other’s data to engaging in data theft and extortion operations on its own behalf.

As the LAPSUS$ group’s activities were waning, the RansomHouse group has been rising in prominence. Like LAPSUS$, it has been categorized by some as a ransomware group, but it does not encrypt data on target networks. Many of its tactics are similar to that of the LAPSUS$ group’s; RansomHouse even advertised its activities on the LAPSUS$ Telegram channel.

Just like ransomware, extortion attacks aren’t going anywhere until they are made too complicated or costly to conduct. Organizations should evaluate what defenses they have in place against the tactics used, how they can be hardened and whether their response playbooks effectively account for these incidents. While it may feel easy to downplay the threat groups like LAPSUS$ because of their brazen, unsophisticated and illogical tactics, their disruption of major international technology companies reminds us that even unsophisticated tactics can have serious impact.

Get more information 

Report: A Look Inside The Ransomware Ecosystem
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help

Read More

This blog was written by an independent guest blogger.

Software-as-a-service (SaaS) is becoming the dominant way enterprises access digital tools. While this delivery method has many advantages, from scalability to consistent security updates, it can create significant vulnerabilities if developers and users aren’t careful.

Organizations today use more than 100 SaaS apps on average, and that figure keeps climbing. As these tools play an increasingly central role in how businesses operate, IT professionals on both sides must consider SaaS data security more carefully.

SaaS data security impacts both providers and clients

SaaS data security is so crucial because any vulnerabilities can affect multiple parties. If a breach occurs in a SaaS provider’s database, it could expose their commercial clients’ data. The infamous SolarWinds hack, which affected thousands of Orion users, highlights how one SaaS vulnerability can give attackers access to multiple organizations.

When an event like this occurs, attackers could directly affect software users by stealing their data or installing malware on their devices. These steps, in turn, could affect their customers if they use the software to manage consumers’ data. All these ripple effects would come back to the SaaS provider in the form of lost trust and legal repercussions.

Every party connected to SaaS can suffer considerable damage if a breach occurs. Consequently, all parties should take it seriously and the responsibility for improving security falls to both providers and users.

Best practices for SaaS providers

SaaS security begins with the companies that develop and sell the software. One of the most important steps for SaaS providers is to embrace the principle of least privilege. The only people, apps, and systems that should be able to access any data are those that absolutely need it. This will restrict lateral movement and make it easier to trace any potential breaches.

Monitoring user activity is another important step. Logging all activity will reveal abnormalities that may signal an attempted attack, enabling faster responses. Automation is crucial here, as companies with fully deployed security automation identify breaches 55 days earlier and lose $1.49 million less than those without it on average.

Encrypting all data both at rest and in transit will help further mitigate potential breaches. SaaS companies should also partner with reliable security vendors to offer users as much protection as possible.

Similarly, SaaS providers can seek relevant security certifications. Certifications like the AICPA SOC 2 Type 2 offer assurance to customers that the company has met high standards for data security. This will both provide guidelines for reliable cybersecurity and attract more business.

Best practices for SaaS users

SaaS users can also take data security into their own hands. Since misconfiguration is the most common cloud vulnerability, the most important step is to address configuration gaps. IT teams must approach configuration carefully and frequently review SaaS permissions and processes to find and fix errors.

Businesses should also look for trusted SaaS vendors. Just as SaaS providers should pursue security certifications, users should prefer to use software from companies that have these certifications. Reviewing providers’ data breach history and security policies can also help find the most secure choice.

Credential management is another key area to address. Weak or stolen passwords account for 81% of hacking-related breaches, so employees must use strong passwords and enable multi-factor authentication (MFA). Following the principle of least privilege will further reduce risks related to breached credentials.

SaaS users and providers alike should use reliable, up-to-date anti-malware software and train all employees in cybersecurity best practices. Both should also stay informed about emerging threats to adapt to rising cybercrime trends as necessary.

Data security is crucial for SaaS

SaaS is helpful, but it can also increase data vulnerabilities if companies don’t approach it with care. As these tools become more popular, both vendors and customers must understand their unique security needs and follow these best practices. If all sides can embrace these necessary steps, SaaS can reach its full potential without endangering sensitive data.

Read More