[MART] - Daily Diary #475 - Lapsus$ Hiring Insiders

CTAS-MAT ctas-mat at appgate.com
Tue Mar 22 21:56:29 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

03/22/2022 - Diary entry #475

In our Daily Diary #464 we covered Lapsus$ recent attacks, having published stolen source codes from Samsung and Nvidia. This week the group claimed, on their Telegram channel, to have breached Okta, Inc.

On Lapsus$ Telegram channel they posted screenshots showing access to internal systems like Jira, Slack Google Calendar and more. After the incident, Okta published in their page claiming that no breach occurred and their systems remain fully operational. Okta claims that only a customer support engineer working for a third-party provided account was affected, and their systems alerted the provider and terminated the individual's account. It's not cleat yet the real extension of the damage in Okta's incident, as Lapsus$ is still replying to Okta's claims.

The details of Lapsus$ Modus operandi are still to be disclosed. After the Samsung incident, the group published in their channel an "insiders-for-hire" message, recruiting employees from "Telecommunications, large software/gaming corporations, callcenters/BPM or server hosts". They ask for employees with VPN, Citrix or "some Anydesk". This suggests Lapsus$ attacks can begin with insiders as an entry-point, rather than infecting computers with a custom malware or exploiting vulnerabilities on exposed services.

We highly recommend any company with a high number of employees (therefore more susceptible to have an insider) to adopt a ZeroTrust architecture, assuming all accounts and devices can be compromised at all times, adopting profiling and monitoring technologies to detect abnormal behavior and limit access. By defining security perimeters, companies can block sensitive data as soon as a breach is detected.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220322/d4ff3ba0/attachment.htm>

More information about the MART mailing list