LAPSUS$ aka Scattered Spider: Threat Card and Dossiers
2023-12-22 23:26:30 Author: krypt3ia.wordpress.com

This Threat Intelligence Report on LAPSUS$ was created in tandem between ChatGPT-4 (Icebreaker Intel Analyst Agent) and Scot Terban

LAPSUS$ (tracked by Microsoft as DEV-0537, later renamed Strawberry Tempest) is a data-extortion group that surfaced publicly in December 2021 and became notorious in early 2022 for a run of breaches of large technology companies. Unlike ransomware crews it did not encrypt anything: it stole source code, credentials and internal data and threatened to leak them unless paid. The dossier below covers the group's timeline, its recruitment model, the arrests and court outcomes, individual actor profiles, its relationship to the separately tracked Scattered Spider cluster, and the TTPs and indicators defenders should hunt for.

Overview and Significant Breaches:

Initial Emergence and High-Profile Breaches:

June 2021: The Electronic Arts breach, later attributed to the group, in which the attackers claimed roughly 780 GB of data including FIFA 21 source code. The first operation carried out publicly under the LAPSUS$ name came in December 2021, against Brazil's Ministry of Health (covered in the Brazil section below).

February–March 2022: The group escalated, publicly compromising NVIDIA, Samsung, Ubisoft, Microsoft, Okta and Globant in quick succession. It also claimed breaches of LG Electronics, Vodafone, Huawei and Alcatel, so its victim list was not confined to US technology companies.

Recruitment and Expansion:

The recruitment and expansion strategies of LAPSUS$ played a critical role in their rapid rise and the effectiveness of their cyber operations. By November 2021, their methods had evolved to actively include the recruitment of insiders from major companies, leveraging social media platforms as their primary channels for outreach. Here’s an expanded view of this aspect:

Recruitment Strategy:

Social Media Utilization: LAPSUS$ used multiple social media platforms to connect with potential recruits. This approach allowed them to cast a wide net and target individuals in various organizations.

Financial Incentives: They offered substantial financial rewards, reportedly up to $20,000 per week, to entice employees into collaborating with them. These offers were aimed at employees of major corporations, indicating a clear strategy to infiltrate high-value targets.

Target Companies:

Telecommunications Sector: The advertisements specifically sought employees of AT&T, T-Mobile and Verizon. A cooperative carrier insider can perform SIM swaps (porting a victim's number to an attacker-controlled SIM), which defeats SMS- and voice-based MFA and account recovery at every other organization the victim uses; that is why telecom staff were the highest-value recruits, and why SIM swapping appears in the group's TTPs.

Recruitment Ads:

Language and Reach: The recruitment ads were written in both English and Portuguese. Rather than a generic bid for international reach, the Portuguese reflects the group's Brazilian membership and its early focus on Brazilian and Portuguese organizations (the Ministry of Health, Localiza and Impresa among them).

Online Forums and Channels: LAPSUS$ used online forums and channels like Telegram to post these recruitment messages. These platforms provided anonymity and a direct line to potential recruits in the cybercriminal community.

Expansion Implications:

  • Increased Operational Capability: By recruiting insiders, LAPSUS$ significantly enhanced its ability to penetrate secure networks and access sensitive information.
  • Diversification of Tactics: The use of insiders meant that LAPSUS$ could diversify its tactics beyond traditional hacking methods, adding layers of complexity to their attacks.
  • Geographical Spread: The inclusion of Portuguese in their recruitment ads and the targeting of Latin American and Portuguese companies indicate a geographical expansion of their operations.

Challenges and Risks:

  • Operational Security: While recruiting insiders provided significant advantages, it also introduced risks. Insiders could potentially expose the group’s activities or become points of failure in their operational security.
  • Law Enforcement Attention: This aggressive recruitment strategy likely contributed to increased scrutiny from law enforcement agencies, leading to eventual arrests and legal actions against group members.

Arrests and Legal Proceedings:

  • March 24, 2022: Seven individuals between the ages of 16 and 21 were arrested by the City of London Police in relation to LAPSUS$. These arrests marked a significant crackdown on the group’s activities.
  • Post-Arrest Downturn: Following these arrests, the overt and public activities of LAPSUS$ decreased. However, they briefly resurfaced in September 2022 with an incident involving Uber.
  • Legal Outcomes: Among those arrested were Arion Kurtaj (alias White) and a second 17-year-old. Both were charged in April 2022. In August 2023 a jury at Southwark Crown Court found that Kurtaj, who had been ruled unfit to stand trial, had committed the acts alleged, and convicted the second defendant. On 21 December 2023 Kurtaj received an indefinite hospital order and the second defendant an 18-month Youth Rehabilitation Order.

Current Status and Ongoing Relevance:

As of the latest information, there has been a notable decline in LAPSUS$’s activities following the legal actions and arrests. However, the impact of their operations on cybersecurity practices and the ongoing circulation of the tactics they popularized remain significant.

Law Enforcement Interaction and Downturn:

The City of London Police arrested seven people aged 16 to 21 in March 2022 in connection with LAPSUS$. After the arrests the group's overt, public activity fell away, with a brief resurgence in September 2022 when Uber attributed its intrusion to an actor affiliated with LAPSUS$. In October 2022 the Brazilian Federal Police arrested a suspect in Feira de Santana believed to be a member. Since then the group has been largely dormant under its own name, although its members and tactics persist in the wider underground community it came from.

Threat Actor Dossiers:

A note on aliases before the individual entries: the handles Oklaqq, WhiteDoxbin, White, wh1te, Breachbase and SigmA that appear in the first three entries below are all reported, here and in the sources this page draws on, as belonging to the same Oxford teenager, Arion Kurtaj. The entries are kept separate because they were compiled from different sources, not because they describe different people.

Oklaqq/WhiteDoxbin: Identified by Brian Krebs and other researchers as a core member and probable leader of LAPSUS$. He used multiple nicknames across platforms, including "Oklaqq" and "WhiteDoxbin", and posted the group's recruitment messages on Reddit and Telegram.

Oklaqq, also known as WhiteDoxbin, had been recruiting insiders through social media since at least November 2021, offering employees at major mobile carriers up to $20,000 a week for "inside jobs". Before LAPSUS$, WhiteDoxbin was a founding member of the "Recursion Team", a crew known for SIM swapping and swatting. He also bought and sold zero-day exploits and was reported to hold around 300 BTC (close to $14 million at the time).

Arion Kurtaj:

Arion Kurtaj, identified as a key member of LAPSUS$, was involved in several of its highest-profile intrusions. A resident of Oxford, England, and 18 years old at the time of sentencing, Kurtaj took part in the attacks on Uber, NVIDIA and Rockstar Games; the best known of his actions was the leak of footage from the unreleased Grand Theft Auto 6.

Kurtaj left formal schooling in his early teens after a physical attack on his mother and spent a short period in social care, which ended after a staff member assaulted him; his mother resumed his care but struggled to monitor his computer use. According to Claudia Camden-Smith, the doctor overseeing his adult care, hacking gave him "street cred", and he wanted to be seen as "trendy and risky" like his peers; she noted that his vulnerabilities were not fully captured by his diagnoses.

Kurtaj received an indefinite hospital order on 21 December 2023 for his LAPSUS$ offending and for violence and property damage while in detention. Because his severe autism made him unfit to stand trial, the jury was asked only whether he had done the acts alleged, not whether he had criminal intent. A mental-health assessment found that he remained highly motivated to return to cybercrime as soon as he could, which is the basis for the order being indefinite.

At the same trial a second LAPSUS$ member, 17 and unnamed, was found guilty of working with Kurtaj and others to breach NVIDIA and the telecoms operator BT/EE and then attempting to extort them for a $4 million ransom. He received an 18-month Youth Rehabilitation Order with a prohibition on using VPNs.

Kurtaj was arrested twice in 2022 in connection with LAPSUS$. After his laptop was seized, he breached his bail conditions using an Amazon Fire Stick plugged into a hotel-room television, together with a phone, keyboard and mouse, to reach cloud computing services, and from that setup carried out the GTA 6 leak.

LAPSUS$ is responsible for several high-profile intrusions, including Okta (through a third-party support contractor), Uber, the fintech Revolut, and Microsoft, from which it leaked source code taken from an internal Azure DevOps server. The group's model is to steal proprietary data and threaten to publish it unless its extortion demands are met. It also claimed breaches at LG Electronics, Samsung and Mercado Libre.

UNSUB Teenager in Brazil:

Another core member was a teenager based in Brazil. Details emerged after the Brazilian Federal Police arrested him in Feira de Santana, Bahia, in October 2022. The arrest came under Operation Dark Cloud, launched in August 2022 from an investigation that began in December 2021 after the breach of Brazil's Ministry of Health: attackers believed to be LAPSUS$ deleted files, defaced the ministry's website and claimed to have taken data from its network, leaving COVID-19 vaccination records for millions of citizens unavailable for a time.

The Brazilian Federal Police’s investigations targeted multiple cyberattacks on Brazilian government agencies. Besides the Ministry of Health, the group also targeted the Ministry of Economy, the Comptroller General of the Union, and the Federal Highway Police. The crimes identified in the investigation included criminal organization, invasion of a computer device, interruption or disturbance of telecommunication services, corruption of minors, and money laundering.

London Arrests in March 2022:

On March 24, 2022, the City of London Police arrested seven people aged 16 to 21 for alleged connections to the LAPSUS$ extortion gang, which by then had been linked to attacks on NVIDIA, Samsung, Ubisoft, LG, Microsoft and Okta. The investigation involved multiple partners; all seven were released under investigation while inquiries continued.

Among those arrested was reported to be the Oxford teenager known as "White" or "Breachbase", suspected of leading LAPSUS$ and of holding about $14 million in Bitcoin from hacking. Police did not confirm whether he was among the seven; his identity had already circulated after rival hackers doxed him, publishing his home address and details about his parents.

The LAPSUS$ group is notable for brazen, low-cost tactics that exposed how much of a large company's security rests on its people and its identity processes. It recruited insiders through Reddit and Telegram and was linked to the Electronic Arts breach. Microsoft characterised the group as making little attempt to cover its tracks; it combined phone-based social engineering and insider access to get into organizations.

Later reporting on Kurtaj, known as "White" and "Breachbase", added that after his first arrest he was believed to have breached cloud storage belonging to the City of London Police, and that he went on to extort Revolut, Uber and Rockstar Games and to leak the Grand Theft Auto 6 gameplay videos while on bail. The jury's finding that he committed the acts covered these intrusions as well as the earlier NVIDIA and BT/EE extortion.

SigmA:

SigmA is an alias attributed to a high-ranking LAPSUS$ member, a 16-year-old from Kidlington near Oxford who was also known underground as "wh1te" and "Breachbase". He was involved in several notable episodes:

Acquisition and Mismanagement of Doxbin: In November 2021 SigmA bought the doxing site Doxbin for $75,000. The purchase went badly: he was accused of running the site into the ground and breaking several of its functions, its reputation declined, and a feud with the former owner "KT" ended with KT buying it back for far less.

Retaliation and Personal Information Leak: Angry at losing Doxbin, SigmA dumped the site's entire user database, around 3,000 accounts. The dump included his own password, which contained parts of his real name; KT and allies then broke into several of his accounts and published a detailed dox of him and his family. This operational-security failure is what later let reporters and rivals connect his handles to a real person.

Early Involvement in Cyber Activities: SigmA started in Minecraft-server communities and moved on to groups trading zero-day exploits. Over time he accumulated substantial cryptocurrency, reportedly over 300 BTC (around $14 million). Before LAPSUS$ he co-founded a group called "Infinity Recursion", since defunct.

Legal Actions and Arrest: In March 2022 the City of London Police arrested seven people aged 16 to 21 in connection with LAPSUS$, SigmA among them; the LAPSUS$ Telegram channel announced a brief hiatus (a "vacation", in the channel's own words) at the same time. He was re-arrested and charged with computer-misuse offences in early April 2022, with bail conditions restricting his internet access.

Potential Risks and Future Activity: This assessment, written while the case was pending, held that SigmA might return to cybercrime given his record of underestimating operational-security risk. The indefinite hospital order imposed in December 2023 (see the Kurtaj entry) has since overtaken it; the court heard the same thing, that he remained highly motivated to resume, which is precisely why the order has no fixed end.

These details about SigmA provide insight into the complex and often tumultuous world of cybercrime, highlighting the significant capabilities and risks faced by young individuals deeply involved in such activities.

It’s important to note that due to the nature of cybercriminal activities and the anonymity often maintained by such groups, complete and verified information about all members of LAPSUS$ is not publicly available. Some of the details, such as real names or complete biographies, may not be disclosed due to legal reasons, especially when involving minors.

LAPSUS$ Evolution into Cells and Scattered Spider:

LAPSUS$ never had much formal structure. It was a loose crew of teenagers and young adults coordinated through public and private Telegram channels that doubled as recruitment board, polling booth for which victim to leak next, and leak site. The Telegram-centric model gave the group reach and notoriety, but it also handed investigators a complete public record, and the group made little effort to cover its tracks.

After the March and April 2022 arrests in the UK and the October 2022 arrest in Brazil, activity under the LAPSUS$ name effectively stopped. What did not stop was the community the members came from: the loose, English-speaking underground often called "the Com", where SIM swapping, help-desk social engineering and account takeover are traded as services. Scattered Spider is a separate cluster that emerged from that same community in 2022. It is tracked by Mandiant as UNC3944, by CrowdStrike as SCATTERED SPIDER, by Microsoft as Octo Tempest, and by Group-IB as 0ktapus after its 2022 credential-phishing campaign against Okta customers. None of these vendors describes Scattered Spider as a rebrand of LAPSUS$; the connection is shared membership, shared tradecraft and shared forums, not a single organization that split into cells.

The practical consequence is the "cell" behaviour this section's original framing was reaching for. Small, ad hoc groupings assemble per target, each buying or borrowing the pieces it needs (a SIM swap, a phished session token, an insider at a help desk, an ALPHV/BlackCat affiliate slot), with no central leadership to arrest. Disrupting one grouping, as the LAPSUS$ arrests did, removes people but not capability, because the techniques are cheap and the recruiting pool is large. That is why the defensive guidance below concentrates on identity, help-desk and insider controls rather than on indicators tied to any one group name.

Defending against this threat means recognising what both groups actually exploit: people and identity processes, not zero-days. LAPSUS$ and Scattered Spider got in through phished or purchased credentials, SIM swaps, MFA fatigue, help-desk password and MFA resets, and paid insiders, then moved through SSO and cloud consoles rather than through custom malware. The list that follows therefore reorders the generic defence-in-depth checklist around identity, the help desk and insider risk, where the return on effort against this tradecraft is highest.

Protection Strategies:

Enhanced Employee Training: Train on the specific pretexts these groups use: a caller claiming to be IT or the help desk who asks the employee to approve an MFA prompt or read back a code, an SMS with a lookalike SSO login link, and an unsolicited offer of money for VPN or Citrix access. Measure "reported the approach", not "completed the module", and include help-desk staff as a target audience in their own right.

Robust Multi-Factor Authentication (MFA): Move privileged and SSO accounts to phishing-resistant MFA (FIDO2/WebAuthn security keys or platform authenticators), which binds the authentication to the site origin and cannot be relayed through a phishing proxy. Where push notifications remain, enable number matching, cap the number of prompts per hour, and treat SMS and voice factors as already compromised for anyone a SIM swap could target.

Help-Desk Identity Verification: Define a verification standard for password resets, MFA re-enrolment and device changes that does not rely on information an attacker can look up (employee ID, manager's name, last four digits of a phone number). Use call-back to a number of record, manager confirmation for privileged accounts, and a mandatory delay or second approver for resets on admin, finance and executive accounts.

Advanced Threat Detection Systems: Alert on identity events, not only on malware: bursts of MFA pushes followed by an approval, an MFA factor reset or new-device enrolment shortly after a help-desk ticket, impossible-travel sign-ins to the SSO tenant, new identity-provider federations or admin role grants, and installation of remote-management agents (Fleetdeck, Level and similar) that IT did not deploy.

Regular Security Audits and Updates: Patch, but also audit the identity plane: stale admin accounts, service accounts with MFA exemptions, conditional-access policies that carve out whole networks, and SSO app assignments that grant broad access to code repositories and ticketing systems, which is exactly what LAPSUS$ exfiltrated.

Incident Response Planning: Rehearse an identity-compromise playbook: revoke sessions and tokens tenant-wide, rotate credentials for the affected accounts and any secrets they could read, pull the help-desk call recording and ticket trail, and prepare for public extortion (these groups leak on Telegram and contact the press) rather than for an encryption event.

Network Segmentation: Separate source-code repositories, CI/CD and customer-data systems from general corporate access, and require device compliance plus strong MFA to reach them, so that a single phished employee session cannot reach the data the group wants to leak.

Enhanced Monitoring of Suspicious Activities: Log and review help-desk actions, privileged-identity changes and bulk downloads from repositories and ticketing systems; watch outbound traffic for RMM tool domains, ngrok-style tunnels and anonymisation services that were not present in the environment before.

Collaboration with Cybersecurity Experts: Follow the joint CISA/FBI advisories (AA23-320A for Scattered Spider) and vendor reporting, and share help-desk pretext details with peers; these groups reuse scripts across victims, so another organization's call transcript is often your earliest warning.

These controls will not stop a determined insider outright, but they remove the cheap paths LAPSUS$ and Scattered Spider rely on and make the remaining ones noisy enough to catch.
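The phishing-resistant MFA point in the list above is easiest to see in code. The following is an added example, not code from the original post or from any vendor: it implements RFC 6238 TOTP and shows that a code typed into an attacker's proxy page is accepted by the real site within the same window, then models an origin-bound WebAuthn-style assertion in which the browser, not the user, writes the origin into the signed client data, so a relayed assertion fails whether or not the proxy rewrites the origin. The domain names are assumed, and an HMAC stands in for the authenticator's asymmetric signature.

```python
"""
Why a relayed one-time password still works for the attacker while an
origin-bound (FIDO2/WebAuthn-style) response does not.

Scenario, constructed for this example: the victim types credentials and a
TOTP code into an attacker-in-the-middle page on a lookalike domain, and the
proxy replays them to the real identity provider within the same 30-second
window.  A WebAuthn authenticator instead signs over the origin the browser
actually connected to, so the relying party (RP) rejects the relayed value.
The HMAC below stands in for the authenticator's asymmetric signature; the
origin check is the point, not the primitive.
"""
import hashlib
import hmac
import struct
import time

REAL_ORIGIN = "https://login.example.com"    # the RP's real origin (assumed name)
PHISH_ORIGIN = "https://login-example.com"   # attacker's proxy on a lookalike (constructed)
RP_ID = "login.example.com"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def relay_totp_attack(shared_secret: bytes, now: int) -> bool:
    """The victim types the code on the phishing page; the proxy submits it to
    the real RP in the same window.  Nothing in the code says where it was typed."""
    code_typed_on_phish_page = totp(shared_secret, now)
    rp_accepts = hmac.compare_digest(code_typed_on_phish_page, totp(shared_secret, now))
    return rp_accepts  # True: the relay succeeds


def authenticator_sign(key: bytes, challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """What an origin-bound authenticator signs: rpIdHash || sha256(clientData).
    clientData carries the challenge and the origin, and the browser (not the
    user) fills in the origin from the page it actually loaded."""
    client_data = (f'{{"type":"webauthn.get","challenge":"{challenge.hex()}",'
                   f'"origin":"{origin_seen_by_browser}"}}').encode()
    to_sign = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(key, to_sign, hashlib.sha256).digest()


def rp_verify(key: bytes, challenge: bytes, claimed_origin: str, signature: bytes) -> bool:
    """RP-side check: the origin in clientData must be the RP's own, and the
    signature must verify over clientData exactly as received."""
    if claimed_origin != REAL_ORIGIN:
        return False                       # relayed untouched: origin is the lookalike
    expected = authenticator_sign(key, challenge, claimed_origin)
    return hmac.compare_digest(expected, signature)   # origin rewritten: signature breaks


def legitimate_login(key: bytes, challenge: bytes) -> bool:
    sig = authenticator_sign(key, challenge, REAL_ORIGIN)
    return rp_verify(key, challenge, REAL_ORIGIN, sig)


def relay_origin_bound_attack(key: bytes, challenge: bytes, rewrite_origin: bool) -> bool:
    """The victim's browser is on the phishing origin, so that is what gets signed.
    The proxy can forward clientData untouched or rewrite its origin field; neither works."""
    sig = authenticator_sign(key, challenge, PHISH_ORIGIN)
    forwarded_origin = REAL_ORIGIN if rewrite_origin else PHISH_ORIGIN
    return rp_verify(key, challenge, forwarded_origin, sig)


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 6238 test secret
    print("TOTP at t=59:", totp(secret, 59, digits=8))          # 94287082 per RFC 6238
    print("TOTP relay accepted:", relay_totp_attack(secret, int(time.time())))
    key, challenge = b"authenticator-key-stand-in", bytes(range(32))
    print("legitimate WebAuthn login:", legitimate_login(key, challenge))
    print("relayed, origin untouched:", relay_origin_bound_attack(key, challenge, False))
    print("relayed, origin rewritten:", relay_origin_bound_attack(key, challenge, True))
```

Run it directly to see the three verdicts; the TOTP values match the RFC 6238 test vectors. The same origin check is what makes FIDO2 security keys survive reverse-proxy phishing kits, and it is the reason "phishing-resistant" is a property of the protocol rather than of user training.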

Technical Report: Tactics and Techniques:

A word on attribution before the TTPs. LAPSUS$ and Scattered Spider are tracked as distinct clusters: the joint CISA/FBI advisory on Scattered Spider (AA23-320A, November 2023) does not mention LAPSUS$, and the techniques in this section are drawn from that advisory and from Microsoft's DEV-0537 reporting respectively. Where a technique is specific to one group it is labelled as such below.

The CISA/FBI advisory describes the malware families Scattered Spider has used, AveMaria (WarZone RAT), Raccoon Stealer and VIDAR Stealer, for remote access and for harvesting login credentials, browser history, cookies and other data, rather than publishing file hashes for them. The hash and IP lists at the end of this page come from the original post without a cited source and should be validated in your threat-intelligence platform before being used for blocking.

For threat hunting, concentrate on behaviour consistent with the group's known TTPs: living off the land, abuse of allowlisted administrative and remote-management applications, frequent changes of tooling and infrastructure, and the malware families above. Without reliable file hashes, detection rests on behavioural analytics over identity, endpoint and network telemetry rather than on signatures.

Scattered Spider targets large companies and, pointedly, the outsourced IT help desks that serve them, because the help desk is the one party that can reset a password or MFA factor on the attacker's behalf. Its tradecraft is broad but consistent:

Data Theft and Ransomware: Scattered Spider steals data for extortion and, since June 2023, has also deployed BlackCat/ALPHV ransomware as an affiliate, so an intrusion can end in both a leak threat and an encryption event. LAPSUS$, by contrast, never deployed ransomware.

Remote Monitoring and Management Tools: The group installs legitimate RMM agents such as Fleetdeck.io and Level.io, which give persistent remote control that blends in with IT administration and survives credential rotation. Any RMM agent that IT did not deploy should be treated as an implant.

Credential Phishing and Social Engineering: Credential phishing is paired with social engineering to capture one-time passwords (OTPs) and to defeat push-based MFA through notification fatigue, triggering prompts repeatedly until the user approves one. Both defeat MFA that is not bound to the site origin.

Sophisticated Infiltration Techniques: Social engineering of help-desk staff to reset passwords and MFA factors, identity-as-a-service (IDaaS) cross-tenant impersonation (abusing administrator-level access to an identity provider to impersonate users through inbound federation), and systematic file enumeration once inside.

Encryption and Stealth Communication: The FBI has observed Scattered Spider encrypting exfiltrated files and communicating with victims over TOR, Tox, email and encrypted messaging applications, consistent with a focus on operational security and on keeping negotiations off monitored channels.

Taken together, the mix of off-the-shelf tooling, social engineering and stealthy communication lets Scattered Spider run multi-stage intrusions without writing much of its own malware, which is what makes it hard to detect with signatures alone.

The LAPSUS$-specific picture, from Microsoft's DEV-0537 analysis, is simpler:

  • LAPSUS$ relied on relatively unsophisticated but effective tactics, primarily social engineering: phishing, SIM swapping and paid insiders rather than exploits.
  • It used MFA fatigue, sending repeated MFA prompts until the target accepted one.
  • It deployed the RedLine information stealer to collect credentials and session tokens, and also bought credentials and session tokens on underground markets.

Social Engineering Prowess:

Social engineering sits at the centre of both groups' tradecraft: vishing, smishing and spearphishing to gather credentials and one-time codes. Operators call the victim organization's help desk while impersonating an employee to have a password or MFA factor reset or to extract internal information, and they also call employees while impersonating the help desk, urging them to accept an MFA prompt the attacker has just triggered. The second pattern is the one to drill staff on: a legitimate help desk never needs a user to approve a prompt the user did not initiate.
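A detector for the push-fatigue pattern described above, added here as an example and not part of the original post. The JSON-lines schema and the three event names are assumptions loosely modelled on Okta System Log event types (adjust the constants for your identity provider); the sample log is constructed and shows one user being push-bombed from an unfamiliar address and finally approving, one legitimate login, and one user whose pushes are spread out over hours.

```python
"""
Push-fatigue (MFA bombing) detector over a JSON-lines authentication log.

Assumed schema per line: {"ts": ISO-8601, "user": str, "event": str, "ip": str}.
Event names are modelled on Okta System Log types; they are assumptions here.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"
MFA_SUCCESS = "user.authentication.auth_via_mfa"

BURST_THRESHOLD = 5                    # pushes inside WINDOW -> fatigue campaign
WINDOW = timedelta(minutes=5)
APPROVAL_GRACE = timedelta(minutes=15)  # an approval this soon after a burst is suspect


def _ev(clock: str, user: str, event: str, ip: str) -> dict:
    return {"ts": f"2023-11-20T{clock}+00:00", "user": user, "event": event, "ip": ip}


# Constructed sample: alice is bombed from 203.0.113.10 and eventually approves;
# bob gets one legitimate push; carol's three pushes are hours apart.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("08:00:00", "carol", PUSH_SENT, "10.1.1.7"),
    _ev("09:30:00", "carol", PUSH_SENT, "10.1.1.7"),
    _ev("10:00:00", "alice", PUSH_SENT, "203.0.113.10"),
    _ev("10:00:10", "alice", PUSH_DENIED, "203.0.113.10"),
    _ev("10:00:40", "alice", PUSH_SENT, "203.0.113.10"),
    _ev("10:00:50", "alice", PUSH_DENIED, "203.0.113.10"),
    _ev("10:01:20", "alice", PUSH_SENT, "203.0.113.10"),
    _ev("10:01:30", "alice", PUSH_DENIED, "203.0.113.10"),
    _ev("10:02:00", "alice", PUSH_SENT, "203.0.113.10"),
    _ev("10:02:10", "alice", PUSH_DENIED, "203.0.113.10"),
    _ev("10:02:30", "alice", PUSH_SENT, "203.0.113.10"),
    _ev("10:02:40", "alice", PUSH_DENIED, "203.0.113.10"),
    _ev("10:03:10", "alice", PUSH_SENT, "203.0.113.10"),
    _ev("10:04:00", "alice", MFA_SUCCESS, "203.0.113.10"),
    _ev("10:05:00", "bob", PUSH_SENT, "10.1.1.5"),
    _ev("10:05:10", "bob", MFA_SUCCESS, "10.1.1.5"),
    _ev("11:00:00", "carol", PUSH_SENT, "10.1.1.7"),
])


def parse_log(text: str) -> list:
    """Parse JSON lines, convert timestamps, and sort so the sliding window is valid."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(text: str) -> list:
    """Return findings: a 'burst' when BURST_THRESHOLD pushes land inside WINDOW for
    one user, and an 'approval_after_burst' when that user then passes MFA within
    APPROVAL_GRACE of the burst, which is the signature of a worn-down victim."""
    pushes = defaultdict(deque)    # user -> push timestamps inside the window
    denials = defaultdict(deque)   # user -> deny timestamps inside the window
    last_burst_end = {}            # user -> timestamp of the latest push in a burst
    findings = []
    for e in parse_log(text):
        user, ts, kind = e["user"], e["ts"], e["event"]
        for dq in (pushes[user], denials[user]):
            while dq and ts - dq[0] > WINDOW:   # expire events outside the window
                dq.popleft()
        if kind == PUSH_SENT:
            pushes[user].append(ts)
            if len(pushes[user]) == BURST_THRESHOLD:   # fires once per crossing
                last_burst_end[user] = ts
                findings.append({"user": user, "kind": "burst", "ts": ts.isoformat(),
                                 "pushes": BURST_THRESHOLD, "denials": len(denials[user]),
                                 "ip": e["ip"]})
            elif len(pushes[user]) > BURST_THRESHOLD:
                last_burst_end[user] = ts                # burst still in progress
        elif kind == PUSH_DENIED:
            denials[user].append(ts)
        elif kind == MFA_SUCCESS:
            burst = last_burst_end.get(user)
            if burst is not None and ts - burst <= APPROVAL_GRACE:
                findings.append({"user": user, "kind": "approval_after_burst",
                                 "ts": ts.isoformat(), "ip": e["ip"],
                                 "minutes_after_burst": round((ts - burst).total_seconds() / 60, 1)})
    return findings


if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_LOG):
        print(json.dumps(finding))
```

The two findings it emits on the sample, a burst and an approval within the grace period, are the pair worth paging on: the burst alone means a user is under attack, while the approval means a live compromised session whose tokens need revoking, followed by a check of the help-desk trail for a follow-up reset request.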

Use of RedLine Infostealer:

RedLine, first observed in 2020 and sold cheaply as malware-as-a-service on underground forums, has been one of LAPSUS$'s tools. Distributed mainly through social engineering, it steals credentials, browser session cookies, credit-card data and cryptocurrency wallet data. The session cookies matter most here: a stolen SSO cookie lets the attacker resume an already-authenticated session without triggering MFA at all, which fits the group's low-effort operational style.

The original post lists the following hashes and IP addresses as associated with Scattered Spider. No source is given for them, and they sit awkwardly beside the earlier statement that no hashes were available, so treat them as unverified leads: check each against your threat-intelligence platform or a public sandbox, confirm the sample family and date, and prefer the behavioural detections above over blocking on this list. Several of the IPs may be shared hosting or VPN exits, so blocking them blind risks false positives.

MD5 Hashes

  1. 1e5ad5c2ffffac9d3ab7d179566a7844
  2. 56fd7145224989b92494a32e8fc6f6b6
  3. 6639433341fd787762826b2f5a9cb202
  4. 828699b4133acb69d34216dcd0a8376e
  5. f5271a6d909091527ed9f30eafa0ded6

SHA1 Hashes

  1. 0272b018518fef86767b01a73213716708acbb80
  2. 10b9da621a7f38a02fea26256db60364d600df85
  3. 9ec4c38394ea2048ca81d48b1bd66de48d8bd4e8
  4. d8cb0d5bbeb20e08df8d2e75d7f4e326961f1bf5
  5. ec37d483c3c880fadc8d048c05777a91654e41d3

SHA256 Hashes

  1. 3ea2d190879c8933363b222c686009b81ba8af9eb6ae3696d2f420e187467f08
  2. 4188736108d2b73b57f63c0b327fb5119f82e94ff2d6cd51e9ad92093023ec93
  3. 443dc750c35afc136bfea6db9b5ccbdb6adb63d3585533c0cf55271eddf29f58
  4. 53b7d5769d87ce6946efcba00805ddce65714a0d8045aeee532db4542c958b9f
  5. 648c2067ef3d59eb94b54c43e798707b030e0383b3651bcc6840dae41808d3a9
  6. 982dda5eec52dd54ff6b0b04fd9ba8f4c566534b78f6a46dada624af0316044e
  7. acadf15ec363fe3cc373091cbe879e64f935139363a8e8df18fd9e59317cc918
  8. cce5e2ccb9836e780c6aa075ef8c0aeb8fec61f21bbef9e01bdee025d2892005

IPv4 Addresses

  1. 45.132.227.213
  2. 119.93.5.239
  3. 146.70.103.228
  4. 144.76.136.153
  5. 67.43.235.122
  6. 82.180.146.31
  7. 91.242.237.100
  8. 89.46.114.164
  9. 98.100.141.70
  10. 62.182.98.170

Links:

CISA on Scattered Spider – CISA

FBI Shares Techniques Used by Scattered Spider Hacker Group – Cybersecuritynews.com

SCATTERED SPIDER Attempts to Avoid Detection with Bring – CrowdStrike

Scattered Spider Hops Nimbly From Cloud to On-Prem in Complex Attack – Darkreading.com

FBI, CISA seek Scattered Spider victim testimony in bid to take down – ITPro.com

Unraveling Scattered Spider: A Stealthy and Persistent Threat Actor Targeting Telecom Networks – Avertium.com

Teenage hacker Arion Kurtaj: the face behind Lapsus$ cybercrimes – Thaiger World

Lapsus$ hacker behind GTA 6 leak gets indefinite hospital sentence – BleepingComputer.com

UK police arrest 7 people in connection with Lapsus$ hacks – TechCrunch

7 Suspected Members of LAPSUS$ Hacker Gang, Aged 16 to 21, Arrested in U.K. – TheHackerNews.com

Brazilian Police Arrest Suspected Member of Lapsus$ Hacking Group – TheHackerNews.com

Brazil arrests suspect believed to be a Lapsus$ gang member – BleepingComputer.com


Source: https://krypt3ia.wordpress.com/2023/12/22/lapsus-threat-card-and-dossiers/