A new threat actor group is behind an infamous wave of attacks impacting companies like Microsoft, Nvidia, Okta, and most recently Globant, among others. LAPSUS$, tracked as DEV-0537 by Microsoft, is less sophisticated than other hacking and extortion groups when it comes to tactics and procedures. However, what they lack in sophistication, they make up for in persistence.
According to Microsoft, LAPSUS$ gains illicit access mainly through social engineering tactics focused on collecting intel on the business operations of their targets. The group uses a pure extortion and destruction model without deploying ransomware payloads. Though they originally focused on companies in the UK and South America, they have extended their reach to include global targets.
LAPSUS$ uses a variety of tactics to gain access to their victims’ networks, including the following:
- Deploying Redline password stealer malware to acquire passwords or session tokens
- Purchasing credentials and session tokens from criminal forums
- Searching for exposed passwords in public code repositories
- Flooding a user with authentication prompts after obtaining their password, a technique called MFA prompt bombing
- Utilizing SIM-swapping techniques to facilitate account takeovers
- Calling a target company’s help desk in an attempt to reset a privileged account’s credentials
- Recruiting employees, suppliers, or other partners of the organization to gain access to credentials and MFA approval
- Gaining access to personal or private accounts of employees at target organizations to search for additional credentials that could help gain access to corporate systems
After the access is obtained, “DEV-0537 typically connected a system to an organization’s VPN… creates global admin accounts in the organization’s cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, so only the actor has sole control of the cloud resources… deletes the target’s systems and resources… then joining the organization’s crisis communication calls and internal discussion boards (Slack, Teams, conference calls, and others) to understand the incident response workflow and their corresponding response” (Microsoft Security Blog).
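Both the MFA prompt bombing listed above and the post-access chain in Microsoft’s description (new global admin, tenant-wide mail copy rule, removal of every other global admin) leave a recognizable footprint in tenant audit logs. The following is an added example, not code from the article or from Microsoft: three small detections run over a constructed audit trail. The record layout (time, actor, operation, target, params) is an assumption and not a real log schema; New-TransportRule, Set-TransportRule and the BlindCopyTo / RedirectMessageTo parameters are real Exchange Online names, while "Add user.", "Add member to role." and "Remove member from role." are modelled on Azure AD audit activity names and should be treated as assumptions.

```python
"""Detection sketches for the LAPSUS$ (DEV-0537) behaviours summarised above.

Added example; not code from the article or from Microsoft. Events below are
constructed and only loosely modelled on Microsoft 365 / Azure AD audit logs:
the record layout (time, actor, operation, target, params) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAIN = "contoso.example"  # constructed tenant domain


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _sample_events():
    """Constructed audit trail: an MFA prompt storm followed by the takeover chain."""
    base = _t("2022-03-20T02:00:00")
    events = []
    # 1. Twelve push challenges to one user in four minutes, all declined ...
    for i in range(12):
        events.append({"time": base + timedelta(seconds=20 * i), "actor": "alice@contoso.example",
                       "operation": "MFA challenge", "target": None, "params": {"result": "denied"}})
    # ... and a thirteenth that the tired user approves.
    events.append({"time": base + timedelta(minutes=5), "actor": "alice@contoso.example",
                   "operation": "MFA challenge", "target": None, "params": {"result": "approved"}})
    events += [
        # 2. Using alice's session, create a new account and make it Global Administrator.
        {"time": base + timedelta(minutes=9), "actor": "alice@contoso.example",
         "operation": "Add user.", "target": "svc-backup@contoso.example", "params": {}},
        {"time": base + timedelta(minutes=10), "actor": "alice@contoso.example",
         "operation": "Add member to role.", "target": "svc-backup@contoso.example",
         "params": {"role": "Global Administrator"}},
        # 3. Transport rule that blind-copies all mail to the new account.
        {"time": base + timedelta(minutes=12), "actor": "svc-backup@contoso.example",
         "operation": "New-TransportRule", "target": "Compliance Archive",
         "params": {"BlindCopyTo": "svc-backup@contoso.example"}},
        # 4. The new account removes every other global admin.
        {"time": base + timedelta(minutes=14), "actor": "svc-backup@contoso.example",
         "operation": "Remove member from role.", "target": "bob@contoso.example",
         "params": {"role": "Global Administrator"}},
        {"time": base + timedelta(minutes=14, seconds=30), "actor": "svc-backup@contoso.example",
         "operation": "Remove member from role.", "target": "carol@contoso.example",
         "params": {"role": "Global Administrator"}},
    ]
    return events


def mfa_prompt_storm(events, threshold=5, window=timedelta(minutes=10)):
    """Users who received at least `threshold` MFA challenges inside any `window`.
    A legitimate user rarely triggers more than a couple; a burst means the
    password is already compromised and someone is fishing for an approval."""
    by_user = defaultdict(list)
    for e in events:
        if e["operation"] == "MFA challenge":
            by_user[e["actor"]].append(e["time"])
    flagged = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def mail_exfil_rules(events, internal_domain=INTERNAL_DOMAIN):
    """Transport rules that copy or redirect mail to an address outside the tenant
    or to an account created in the same audit window. Returns (actor, rule, dest)."""
    new_accounts = {e["target"] for e in events if e["operation"] == "Add user."}
    hits = []
    for e in events:
        if e["operation"] not in ("New-TransportRule", "Set-TransportRule"):
            continue
        for key in ("BlindCopyTo", "RedirectMessageTo"):
            dest = e["params"].get(key)
            if dest and (dest in new_accounts or not dest.endswith("@" + internal_domain)):
                hits.append((e["actor"], e["target"], dest))
    return hits


def admin_lockout(events, role="Global Administrator"):
    """Accounts that were granted `role` and then used that role to remove other
    members of it: the 'removes all other global admin accounts' step.
    Returns {new admin: [removed admins]}."""
    granted = {}  # account -> time it first received the role
    for e in sorted(events, key=lambda e: e["time"]):
        if e["operation"] == "Add member to role." and e["params"].get("role") == role:
            granted.setdefault(e["target"], e["time"])
    lockouts = defaultdict(list)
    for e in events:
        if (e["operation"] == "Remove member from role." and e["params"].get("role") == role
                and e["actor"] in granted and e["time"] > granted[e["actor"]]):
            lockouts[e["actor"]].append(e["target"])
    return {k: sorted(v) for k, v in lockouts.items()}


if __name__ == "__main__":
    ev = _sample_events()
    print("MFA prompt storm:", mfa_prompt_storm(ev))
    print("Mail copy/redirect rules:", mail_exfil_rules(ev))
    print("Admin lockout:", admin_lockout(ev))
```

Each detection is independently useful, but the value is in correlating them: a prompt storm that ends in an approval, followed within minutes by a new privileged account, a tenant-wide mail copy rule and role removals is the full chain Microsoft describes, and any one of the three on its own merits an alert on a tenant where these operations are rare.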
Microsoft has published detection, hunting, and mitigation guidance for these attacks on the Microsoft Security Blog.