BlueVoyant Monitoring the Cyber Criminal Group Lapsus$

In light of the Okta breach reported early Tuesday, BlueVoyant is closely monitoring the group that claimed credit, Lapsus$. Our threat intelligence team has been analyzing and following this financially motivated cyber criminal group for some time to understand its tactics, its likely targets, and how to prevent its attacks.

What We Know Thus Far

This is not the first high-profile attack for which Lapsus$ has claimed responsibility. Other targets include the recent NVIDIA, Samsung, and Microsoft cyber attacks, plus more than a dozen victims in Portugal and across Latin America, according to BlueVoyant’s research. BlueVoyant’s threat intelligence indicates that Lapsus$ is likely focusing on key cloud providers and other important industries, including telecommunications, large software companies, and server hosts.

Late Monday, screenshots were shared on a Telegram channel connected to Lapsus$, indicating that the group had likely gained access to Okta’s internal systems. Okta is an identity provider that lets organizations authenticate users through its “single sign-on software”; it has more than 15,000 customers, according to the company, and manages about 100 million log-ins. BlueVoyant independently reviewed the posts.

In response to these screenshots, Okta’s Chief Security Officer, David Bradbury, released the following message on Wednesday on the company’s blog: “As with all security incidents, there are many opportunities for us to improve our processes and our communications. I’m confident that we are moving in the right direction and this incident will only serve to strengthen our commitment to security.”

By Wednesday afternoon, Okta revealed that Lapsus$ had accessed the account of an employee of an Okta client who had been providing customer support to Okta users. The hack showed how Lapsus$ found a way to capture customers’ data without directly infiltrating Okta. After accessing the client employee’s account, Lapsus$ was able to view roughly 2.5% of Okta’s customers (366 customers), acquiring customer information and gaining the ability to reset passwords. Okta later acknowledged that the breach lasted five days, during which Lapsus$ reset passwords and codes.

Who is Lapsus$?

What makes Lapsus$ different from other high-profile cyber criminal groups is that it appears to focus on data exfiltration to extort its victims, whereas most similar groups use ransomware that encrypts victims’ networks. Lapsus$ has so far communicated with the public through a dedicated Telegram channel, while many other groups use dark websites hosted on Tor. According to BlueVoyant’s threat intelligence, Lapsus$ operatives appear to communicate in English and Portuguese, and circumstantial evidence suggests they are based in Brazil and/or Portugal.

On its Telegram channel, Lapsus$ has been actively recruiting insiders at target companies to facilitate data exfiltration since March 10, and has offered to pay these insiders. It is currently unknown how the group obtained its alleged data.

How to Protect Yourself

Organizations are advised to watch ongoing developments and should be actively monitoring their environments, including:

- using multi-factor authentication;
- reviewing system logs for indicators of compromise and suspicious activity;
- limiting employee access to sensitive data to only those who need it; and
- taking this opportunity to review all important configurations of your software and service providers.

The best course of action for all organizations is to operate under a heightened sense of awareness.
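The log-review recommendation above is easier to act on with a concrete check. The following is an added example (ours, not code from the original post, BlueVoyant or Okta) that scans Okta System Log-style events for one actor resetting passwords or all MFA factors on several distinct accounts within a short window, the pattern the post attributes to the compromised support account. The event type names are Okta's; the sample log lines, account names, 24-hour window and threshold of three are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Okta System Log event types for the two actions the post describes:
# resetting a user's password and resetting all of a user's MFA factors.
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}

# Constructed sample lines shaped like Okta System Log entries (not real data).
SAMPLE_LOG = """\
{"eventType":"user.account.reset_password","published":"2022-01-16T09:02:11.000Z","actor":{"alternateId":"support-contractor@vendor.invalid"},"target":[{"alternateId":"alice@corp.invalid"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2022-01-16T09:10:00.000Z","actor":{"alternateId":"alice@corp.invalid"},"target":[],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.reset_all","published":"2022-01-16T14:30:45.000Z","actor":{"alternateId":"support-contractor@vendor.invalid"},"target":[{"alternateId":"bob@corp.invalid"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.reset_password","published":"2022-01-17T10:05:02.000Z","actor":{"alternateId":"support-contractor@vendor.invalid"},"target":[{"alternateId":"carol@corp.invalid"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.reset_password","published":"2022-01-17T11:15:20.000Z","actor":{"alternateId":"support-contractor@vendor.invalid"},"target":[{"alternateId":"dave@corp.invalid"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.reset_password","published":"2022-01-17T12:00:00.000Z","actor":{"alternateId":"helpdesk@corp.invalid"},"target":[{"alternateId":"erin@corp.invalid"}],"outcome":{"result":"SUCCESS"}}
"""

def parse_events(text):
    """Parse newline-delimited JSON events, keeping only successful reset actions."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["eventType"] not in RESET_EVENTS or ev["outcome"]["result"] != "SUCCESS":
            continue
        when = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        targets = [t["alternateId"] for t in ev.get("target", [])]
        events.append((when, ev["actor"]["alternateId"], targets))
    return sorted(events)

def find_reset_bursts(events, threshold=3, window=timedelta(hours=24)):
    """Return {actor: distinct targets} for actors that reset >= threshold distinct
    accounts inside any sliding window; review every actor that comes back."""
    by_actor = defaultdict(list)
    for when, actor, targets in events:
        by_actor[actor].append((when, targets))
    flagged = {}
    for actor, items in by_actor.items():
        for i, (start, _) in enumerate(items):   # items are already time-ordered
            seen = set()
            for when, targets in items[i:]:
                if when - start > window:
                    break
                seen.update(targets)
            if len(seen) >= threshold:
                flagged[actor] = sorted(seen)
                break
    return flagged
```

Run against a real export, feed the System Log JSON lines into parse_events and tune the window and threshold to the normal volume of your own help desk.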