LAPSUS$
LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]
Associated Group Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1213 | .001 | 从信息存储库获取数据: Confluence |
LAPSUS$ has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.[2] |
| .002 | 从信息存储库获取数据: Sharepoint |
LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials.[2][5] |
||
| .003 | 从信息存储库获取数据: Code Repositories |
LAPSUS$ has searched a victim's network for code repositories like GitLab and GitHub to discover further high-privilege account credentials.[2][5] |
||
| .005 | 从信息存储库获取数据: Messaging Applications |
LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.[2] |
||
| Enterprise | T1555 | .003 | 从密码存储中获取凭证: Credentials from Web Browsers |
LAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer.[2] |
| .005 | 从密码存储中获取凭证: Password Managers |
LAPSUS$ has accessed local password managers and databases to obtain further credentials from a compromised network.[5] |
||
| Enterprise | T1005 | 从本地系统获取数据 |
LAPSUS$ uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release.[2] |
|
| Enterprise | T1090 | 代理 |
LAPSUS$ has leverage NordVPN for its egress points when targeting intended victims.[2] |
|
| Enterprise | T1656 | 伪装 |
LAPSUS$ has called victims' help desk and impersonated legitimate users with previously gathered information in order to gain access to privileged accounts.[2] |
|
| Enterprise | T1199 | 信任关系 |
LAPSUS$ has accessed internet-facing identity providers such as Azure Active Directory and Okta to target specific organizations.[2] |
|
| Enterprise | T1598 | .004 | 信息钓鱼: Spearphishing Voice |
LAPSUS$ has called victims' help desk to convince the support personnel to reset a privileged account’s credentials.[2] |
| Enterprise | T1578 | .002 | 修改云计算基础设施: Create Cloud Instance |
LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.[2] |
| .003 | 修改云计算基础设施: Delete Cloud Instance |
LAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process.[2] |
||
| Enterprise | T1136 | .003 | 创建账户: Cloud Account |
LAPSUS$ has created global admin accounts in the targeted organization's cloud instances to gain persistence.[2] |
| Enterprise | T1584 | .002 | 基础设施妥协: DNS Server |
LAPSUS$ has reconfigured a victim's DNS records to actor-controlled domains and websites.[5] |
| Enterprise | T1133 | 外部远程服务 |
LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix. [2][5] |
|
| Enterprise | T1111 | 多因素身份验证拦截 |
LAPSUS$ has replayed stolen session token and passwords to trigger simple-approval MFA prompts in hope of the legitimate user will grant necessary approval.[2] |
|
| Enterprise | T1621 | 多因素身份验证请求生成 |
LAPSUS$ has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval.[2] |
|
| Enterprise | T1593 | .003 | 搜索开放网站/域: Code Repositories |
LAPSUS$ has searched public code repositories for exposed credentials.[2] |
| Enterprise | T1597 | .002 | 搜索闭源: Purchase Technical Data |
LAPSUS$ has purchased credentials and session tokens from criminal underground forums.[2] |
| Enterprise | T1003 | .003 | 操作系统凭证转储: NTDS |
LAPSUS$ has used Windows built-in tool |
| .006 | 操作系统凭证转储: DCSync |
LAPSUS$ has used DCSync attacks to gather credentials for privilege escalation routines.[2] |
||
| Enterprise | T1591 | .002 | 收集受害者组织信息: Business Relationships |
LAPSUS$ has gathered detailed knowledge of an organization's supply chain relationships.[2] |
| .004 | 收集受害者组织信息: Identify Roles |
LAPSUS$ has gathered detailed knowledge of team structures within a target organization.[2] |
||
| Enterprise | T1589 | 收集受害者身份信息 |
LAPSUS$ has gathered detailed information of target employees to enhance their social engineering lures.[2] |
|
| .001 | Credentials |
LAPSUS$ has gathered user identities and credentials to gain initial access to a victim's organization; the group has also called an organization's help desk to reset a target's credentials.[2][5] |
||
| .002 | Email Addresses |
LAPSUS$ has gathered employee email addresses, including personal accounts, for social engineering and initial access efforts.[2] |
||
| Enterprise | T1485 | 数据销毁 |
LAPSUS$ has deleted the target's systems and resources both on-premises and in the cloud.[2][5] |
|
| Enterprise | T1078 | 有效账户 |
LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs.[2][5] |
|
| .004 | Cloud Accounts |
LAPSUS$ has used compromised credentials to access cloud assets within a target organization.[2] |
||
| Enterprise | T1489 | 服务停止 |
LAPSUS$ has shut down virtual machines from within a victim's on-premise VMware ESXi infrastructure.[5] |
|
| Enterprise | T1552 | .008 | 未加密凭证: Chat Messages |
LAPSUS$ has targeted various collaboration tools like Slack, Teams, JIRA, Confluence, and others to hunt for exposed credentials to support privilege escalation and lateral movement.[2] |
| Enterprise | T1068 | 权限提升漏洞利用 |
LAPSUS$ has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation.[2] |
|
| Enterprise | T1069 | .002 | 权限组发现: Domain Groups |
LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.[2] |
| Enterprise | T1204 | 用户执行 |
LAPSUS$ has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing LAPSUS$ to take control of an authenticated system.[2] |
|
| Enterprise | T1114 | .003 | 电子邮件收集: Email Forwarding Rule |
LAPSUS$ has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account.[2] |
| Enterprise | T1583 | .003 | 获取基础设施: Virtual Private Server |
LAPSUS$ has used VPS hosting providers for infrastructure.[2] |
| Enterprise | T1588 | .001 | 获取能力: Malware |
LAPSUS$ acquired and used the Redline password stealer in their operations.[2] |
| .002 | 获取能力: Tool |
LAPSUS$ has obtained tools such as RVTools and AD Explorer for their operations.[2][5] |
||
| Enterprise | T1087 | .002 | 账号发现: Domain Account |
LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network.[2][5] |
| Enterprise | T1586 | .002 | 账号妥协: Email Accounts |
LAPSUS$ has payed employees, suppliers, and business partners of target organizations for credentials.[2][5] |
| Enterprise | T1098 | .003 | 账号操控: Additional Cloud Roles |
LAPSUS$ has added the global admin role to accounts they have created in the targeted organization's cloud instances.[2] |
| Enterprise | T1531 | 账号访问移除 |
LAPSUS$ has removed a targeted organization's global admin accounts to lock the organization out of all access.[2] |
|
| Mobile | T1451 | SIM Card Swap |
LAPSUS$ has used SIM swapping to gain access to victims’ mobile devices.[6][7] |
|
Software
References
- BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.
- MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
- UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022.
- Krebs, B. (2022, March 23). A Closer Look at the LAPSUS$ Data Extortion Group. Retrieved January 27, 2025.
- Microsoft Incident Response, Microsoft Threat Intelligence . (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved January 27, 2025.