Rewterz Threat Update – LAPSUS$/DEV-0537 Group Targeting Organizations

Severity

High

Analysis Summary

LAPSUS$ Ransomware (aka DEV-0537) is a new and emerging ransomware group that has successfully attacked major conglomerates. Like most ransomware groups, LAPSUS$ also infiltrates organizations with a phishing attack. From there on, they exploit vulnerabilities like privilege escalation to get hold of administrative rights and blatantly display their abilities. LAPSUS$ Threat group has allegedly breached Okta. This news comes in the same week when the group announced their infiltration of Microsoft’s Azure DevOps. If the shared screenshots are true, then LAPSUS$ has access to Microsoft’s internal source-code repositories.

The gang has previously (allegedly) compromised NVIDIA, Samsung, Vodafone, Mercado Libre, and Ubisoft.

Microsoft confirmed this leak in an advisory:

“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.” reads the post published by Microsoft. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

TTPs (Tactics, Techniques, and Procedures) of the groups are:

• Using Redline password stealer to obtain session tokens and passwords.
• Using underground criminal forums to purchase compromised credentials.
• They have also started a recruitment campaign for insiders employed at conglomerates like Microsoft, Apple, and IBM.
• Searching for exposed credentials in public code repositories.

Impact

• Financial Theft
• Data Breach

Reference

• https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Remediation

• Logging – Log your eCommerce environment’s network activity and web server activity.
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets