WWCD: Could Conceal Have Stopped Lapsus$?
Several multinational companies have been in the news in recent months as victims of the prolific data extortion group known as Lapsus$. The most recent victims are Uber and Grand Theft Auto videogame producer Rockstar Games. However, Lapsus$ has been in the news for much of 2022 with successful attacks on Okta, Microsoft, Samsung, and others.
One of the group’s earliest high-profile attacks was against authentication management firm Okta, which many companies use to control access to all the software used by employees. Its role in the security chain means that Okta’s security reputation is paramount to keeping the trust of its customers. Although Okta claimed it was able to contain the breach quickly, the high-profile attack meant that the company’s reputation suffered permanent damage.
Modus Operandi
So how does Lapsus$ operate? The group relies heavily on a combination of stolen credentials and social engineering to gain access to privileged accounts within a company. They then use that access to obtain sensitive data and demand a ransom to prevent the data’s release. The ransom demand is usually accompanied by a release of a sample of the data on publicly accessible channels, like Telegram, to put added pressure on the company to pay up.
The initial targets of the attacks are typically peripheral employees or contractors who may be less knowledgeable about social engineering or less inclined to stringently follow security protocols. If the group can access sufficiently valuable data from this initial access, that could be the end of the attack. Otherwise, they use this initial access as a foothold to gather targeting information for further social engineering attacks against better-placed individuals in the target company.
Could these attacks have been prevented?
Lapsus$ expertly leverages the fact that people are not perfect. Regardless of training, they can be tricked into clicking malicious links, opening malicious files, or providing multi-factor authentication tokens to third parties. The interactions between attacker and victim can happen on several channels, some of which are controlled by an organization and others that are not. There are several techniques that can be employed to prevent access escalation and limit what can be accessed once an attacker is in your network. But, ten times out of ten, it’s better to keep them from ever getting access in the first place.
How could Conceal have helped?
No single product is a cyber security panacea, but ConcealBrowse could have blocked some of Lapsus$’s credential-stealing techniques before they started. One of Lapsus$’s techniques for gaining initial access is to steal credentials, including by tricking users into clicking malicious links that download credential-stealing software to the user’s computer. The group also buys credentials from the dark web, and many times the groups selling those credentials have used the same technique.
The most common methods to prevent these attacks include training users to identify the links and not click on them. As we’ve seen, this method relies on teaching 100% of users to make the correct decision 100% of the time. ConcealBrowse eliminates this need. ConcealBrowse is the eyes, ears, and brain that protects users regardless of where they click and isolates questionable websites in a remote browser in the cloud, where any software downloads or zero-day exploits can’t affect a user’s device.