G1004 LAPSUS$
LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.123
| Item | Value |
|---|---|
| ID | G1004 |
| Associated Names | DEV-0537 |
| Version | 1.1 |
| Created | 09 June 2022 |
| Last Modified | 11 April 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Group Descriptions
| Name | Description |
|---|---|
| DEV-0537 | 2 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1531 | Account Access Removal | LAPSUS$ has removed a targeted organization’s global admin accounts to lock the organization out of all access.2 |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | LAPSUS$ has used the AD Explorer tool to enumerate users on a victim’s network.2 |
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.003 | Additional Cloud Roles | LAPSUS$ has added the global admin role to accounts they have created in the targeted organization’s cloud instances.2 |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.003 | Virtual Private Server | LAPSUS$ has used VPS hosting providers for infrastructure.2 |
| enterprise | T1586 | Compromise Accounts | - |
| enterprise | T1586.002 | Email Accounts | LAPSUS$ has payed employees, suppliers, and business partners of target organizations for credentials.2 |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.003 | Cloud Account | LAPSUS$ has created global admin accounts in the targeted organization’s cloud instances to gain persistence.2 |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | LAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer.2 |
| enterprise | T1485 | Data Destruction | LAPSUS$ has deleted the target’s systems and resources both on-premises and in the cloud.2 |
| enterprise | T1213 | Data from Information Repositories | LAPSUS$ has searched a victim’s network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.2 |
| enterprise | T1213.001 | Confluence | LAPSUS$ has searched a victim’s network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.2 |
| enterprise | T1213.002 | Sharepoint | LAPSUS$ has searched a victim’s network for collaboration platforms like SharePoint to discover further high-privilege account credentials.2 |
| enterprise | T1213.003 | Code Repositories | LAPSUS$ has searched a victim’s network for code repositories like GitLab and GitHub to discover further high-privilege account credentials.2 |
| enterprise | T1005 | Data from Local System | LAPSUS$ uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release.2 |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.003 | Email Forwarding Rule | LAPSUS$ has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account.2 |
| enterprise | T1068 | Exploitation for Privilege Escalation | LAPSUS$ has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation.2 |
| enterprise | T1133 | External Remote Services | LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix. 2 |
| enterprise | T1589 | Gather Victim Identity Information | LAPSUS$ has gathered detailed information of target employees to enhance their social engineering lures.2 |
| enterprise | T1589.001 | Credentials | LAPSUS$ has gathered user identities and credentials to gain initial access to a victim’s organization; the group has also called an organization’s help desk to reset a target’s credentials.2 |
| enterprise | T1589.002 | Email Addresses | LAPSUS$ has gathered employee email addresses, including personal accounts, for social engineering and initial access efforts.2 |
| enterprise | T1591 | Gather Victim Org Information | - |
| enterprise | T1591.002 | Business Relationships | LAPSUS$ has gathered detailed knowledge of an organization’s supply chain relationships.2 |
| enterprise | T1591.004 | Identify Roles | LAPSUS$ has gathered detailed knowledge of team structures within a target organization.2 |
| enterprise | T1578 | Modify Cloud Compute Infrastructure | - |
| enterprise | T1578.002 | Create Cloud Instance | LAPSUS$ has created new virtual machines within the target’s cloud environment after leveraging credential access to cloud assets.2 |
| enterprise | T1578.003 | Delete Cloud Instance | LAPSUS$ has deleted the target’s systems and resources in the cloud to trigger the organization’s incident and crisis response process.2 |
| enterprise | T1111 | Multi-Factor Authentication Interception | LAPSUS$ has replayed stolen session token and passwords to trigger simple-approval MFA prompts in hope of the legitimate user will grant necessary approval.2 |
| enterprise | T1621 | Multi-Factor Authentication Request Generation | LAPSUS$ has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval.2 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.001 | Malware | LAPSUS$ acquired and used the Redline password stealer in their operations.2 |
| enterprise | T1588.002 | Tool | LAPSUS$ has obtained tools such as AD Explorer inspection software for their operations.2 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.003 | NTDS | LAPSUS$ has used Windows built-in tool ntdsutil to extract the Active Directory (AD) database.2 |
| enterprise | T1003.006 | DCSync | LAPSUS$ has used DCSync attacks to gather credentials for privilege escalation routines.2 |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.002 | Domain Groups | LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim’s network.2 |
| enterprise | T1090 | Proxy | LAPSUS$ has leverage NordVPN for its egress points when targeting intended victims.2 |
| enterprise | T1597 | Search Closed Sources | - |
| enterprise | T1597.002 | Purchase Technical Data | LAPSUS$ has purchased credentials and session tokens from criminal underground forums.2 |
| enterprise | T1593 | Search Open Websites/Domains | - |
| enterprise | T1593.003 | Code Repositories | LAPSUS$ has searched public code repositories for exposed credentials.2 |
| enterprise | T1199 | Trusted Relationship | LAPSUS$ has accessed internet-facing identity providers such as Azure Active Directory and Okta to target specific organizations.2 |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.008 | Chat Messages | LAPSUS$ has targeted various collaboration tools like Slack, Teams, JIRA, Confluence, and others to hunt for exposed credentials to support privilege escalation and lateral movement.2 |
| enterprise | T1204 | User Execution | LAPSUS$ has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing LAPSUS$ to take control of an authenticated system.2 |
| enterprise | T1078 | Valid Accounts | LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim’s VPN, VDI, RDP, and IAMs.2 |
| enterprise | T1078.004 | Cloud Accounts | LAPSUS$ has used compromised credentials to access cloud assets within a target organization.2 |
Software
References
-
BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022. ↩
-
MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022. ↩