Hardening your cloud environment against LAPSUS$

LAPSUS$ is evidently a dynamic and flexible threat actor, using a wide range of tactics. Therefore, the utility of scanning for IOCs related to their tooling or infrastructure will undoubtedly be short-lived. Furthermore, we should assume that LAPSUS$ and other threat actors are closely following public reporting about their activity and will probably adapt their tradecraft to overcome brittle or overly specific mitigation efforts.

All the recommendations listed here are considered industry best practices. Still, we have prioritized courses of action best suited to minimize the risks associated with this type of malicious activity – primarily credential compromise and data exfiltration.

Additionally, specific guidance is included for Wiz customers to help ensure their environments are protected.

For further security guidance related to this malicious activity and more specific instructions for hardening Azure environments, see the recommendations outlined in Microsoft’s report on DEV-0537.

Characterizing the threat to cloud environments

Generally speaking, we can identify three stages of the attack flow adopted by the LAPSUS$ group:

  1. Gaining initial access through compromised users – First, the attackers obtain initial access to the target systems by impersonating user accounts via stolen credentials or by infiltrating publicly exposed resources through insecure authentication. Therefore, the effective attack surface at this stage is composed primarily of externally accessible user accounts (the more privileged the better, as far as the attacker is concerned).
  2. Abusing access to exploit unpatched applications and gather exposed secrets – Once the attackers gain access to a target account, they set out to abuse the permissions of whatever user accounts, resources and service accounts are accessible to them. To this end, they search for secrets exposed on internal resources, and attempt to exploit vulnerable internal systems and applications – which weren’t at risk in the first stage – for the purpose of escalating their privileges in the target cloud infrastructure environment.
  3. Gaining access to internal cloud infrastructure resources – The attackers then pivot on newly gained permissions in order to expand their scope of access and control within the cloud environment, until they reach resources containing valuable assets such as code or sensitive information that can be used for extortion.

We can therefore conclude that LAPSUS$ and “LAPSUS$-like” attackers would be impeded by effective patch and secret management, minimal permissions, secure authentication, as well as security-by-design – for example, partitioning business, development and production environments would limit their potential reach even if they successfully compromised a user account. In the next section, we shall derive practical defensive measures from these observations.

Actionable steps to harden your cloud environment

#1 – Enforce MFA and require MFA for accessing sensitive resources

Although multi-factor authentication is not bulletproof, and threat actors such as LAPSUS$ have discovered ways to bypass it under certain circumstances, it remains an effective and proven defensive mechanism against account compromise. CISA, Google, and Microsoft highly recommend it.
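One way to turn the "require MFA for sensitive resources" recommendation into an enforceable control on AWS is an IAM policy that denies access to a sensitive bucket unless the calling session was authenticated with MFA. This is an added illustration, not a policy from the original post or from Wiz; the bucket name is a placeholder, and it assumes the standard `aws:MultiFactorAuthPresent` condition key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySensitiveBucketWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-SENSITIVE-BUCKET",
        "arn:aws:s3:::EXAMPLE-SENSITIVE-BUCKET/*"
      ],
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

`BoolIfExists` matters here: long-term access keys carry no `aws:MultiFactorAuthPresent` key at all, so a plain `Bool` test would let a stolen access key through, whereas `BoolIfExists` treats the missing key as "false" and denies it.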
