On March 21, 2022, LAPSUS$ gang published a series of posts in their Telegram channel displaying screenshots of what they called Microsoft Bing and Cortana visual assistant source code. Besides 40 Gb of leaked data, they also showed a compromised administrative account of Okta, a platform that provides digital identity verification for individuals and organizations.

The last one is especially alarming because Okta’s products, including identity management tools are used by thousands of large organizations. Among big names are Nvidia, Cloudflare, Samsung, and the U.S. Department of Justice. LAPSUS$ group claimed that they had access to Okta’s internal tools, such as Slack, Jira, Splunk, AWS since January 2022. Okta confirmed access to one of the engineer’s laptops but declined the compromise of the service itself. They also mentioned that roughly 2.5% of Okta’s customers might have been affected. Media outlets already called this incident “SolarWinds 2.0”, yet the consequences of this breach are exponentially more extreme.

Okta: LAPSUS$ Breach Detection

To detect suspicious behavior of account impersonation on OKTA platform, you can deploy the following Sigma rule created by our prominent Threat Bounty developer Emir Erdogan:

Impersonation of An OKTA Account (Possible LAPSUS behavior)

This detection has translations to the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, Qualys.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Access Token Manipulation technique (T1134) that belongs to tactics such as Defense Evasion and Privilege Escalation.

To stay ahead of the emerging cyber threats, explore a collection of curated Sigma rules available in the Threat Detection Marketplace repository of the SOC Prime platform. And if you’re a researcher or threat hunter with a solid experience, you can contribute to the global safety by joining our Threat Bounty Program and submitting your own detection content.

View Detections Join Threat Bounty

LAPSUS$ Ransomware: Newest Research

Microsoft Threat Intelligence Center (MSTIC) conducted a detailed investigation on LAPSUS$ Gang activity, which they also call DEV-0537. LAPSUS$ data kidnappers, according to Microsoft, specialize in extortion and destruction, aiming at accounts of precise individuals working in global organizations as initial access targets. 

The common kill chain by LAPSUS$ group looks like:

• Initial Access: executing social engineering, Redline stealer, purchased credentials on dark markets, bribed insiders, exposed credentials in public repositories, SIM-swapping attack.
• Credential Access: getting access to internet-facing systems and applications like Okta to meet Multi-factor authentication (MFA) requirements.
• Privilege Escalation: gaining visibility via accounts in Jira, Slack, Gitlab, Confluence for reconnaissance.
• Exfiltration, Destruction, and Impact: using NordVPN egress points, downloading sensitive data, then using it for extortion or uploading to public sources.

Unlike many other extortion gangs, the data extortion group LAPSUS$ acts publicly. They go as far as announcing their intent on social media and “hiring” insiders on their Telegram channel. Another rare tactic is that they join incident response team communications after they leaked the data in an attempt to understand the victim’s internal processes.

Explore SOC Prime’s Detection as Code platform to access the highest-quality SIGMA rules along with translations to more than 20 vendor-specific SIEM, EDR, and XDR formats. Accurate and timely detection is key to organizing efficient SOC 24/7/365 while your engineers can take up more advanced tasks.