{
	"id": "dcaceb07-6b12-4c35-8c7c-e351df37a1fa",
	"created_at": "2026-04-06T00:22:23.567844Z",
	"updated_at": "2026-04-10T13:11:36.960183Z",
	"deleted_at": null,
	"sha1_hash": "99c3eb5e9096d9e7356b6d47730f81b4d7eec0df",
	"title": "Everything We Learned From the LAPSUS$ Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108319,
	"plain_text": "Everything We Learned From the LAPSUS$ Attacks\r\nBy The Hacker News\r\nPublished: 2022-05-12 · Archived: 2026-04-05 16:45:09 UTC\r\nIn recent months, a cybercriminal gang known as LAPSUS$ has claimed responsibility for a number of high-profile attacks against technology companies, including:\r\nT-Mobile (April 23, 2022)\r\nGlobant\r\nOkta\r\nUbisoft\r\nSamsung\r\nNvidia\r\nMicrosoft\r\nVodafone\r\nIn addition to these attacks, LAPSUS$ was also able to successfully launch a ransomware attack against the\r\nBrazilian Ministry of Health.\r\nWhile high-profile cyber-attacks are certainly nothing new, there are several things that make LAPSUS$ unique.\r\nThe alleged mastermind of these attacks and several other alleged accomplices were all teenagers.\r\nUnlike more traditional ransomware gangs, LAPSUS$ has a very strong social media presence.\r\nThe gang is best known for data exfiltration. It has stolen source code and other proprietary information\r\nand has often leaked this information on the Internet.\r\nhttps://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html\r\nPage 1 of 3\n\nLAPSUS$ stolen credentials\r\nIn the case of Nvidia, for example, the attackers gained access to hundreds of gigabytes of proprietary data,\r\nincluding information about chips that the company is developing. Perhaps more disturbing, however, is that LAPSUS$\r\nclaims to have stolen the credentials of thousands of Nvidia employees. The exact number of credentials stolen is\r\nsomewhat unclear, with various tech news sites reporting differing numbers. However, Specops was able to obtain\r\napproximately 30,000 passwords that were compromised in the breach.\r\nThe rise of cyber extortion\r\nThere are two major takeaways from the LAPSUS$ attacks that organizations must pay attention to. First, the\r\nLAPSUS$ attacks clearly illustrate that gangs of cybercriminals are no longer content to perform run-of-the-mill\r\nransomware attacks. 
Rather than just encrypting data as has so often been done in the past, LAPSUS$ seems far\r\nmore focused on cyber extortion. LAPSUS$ gains access to an organization's most valuable intellectual property\r\nand threatens to leak that information unless a ransom is paid.\r\nA technology company could conceivably suffer irreparable harm by having its source code, product roadmap, or\r\nresearch and development data leaked, especially if that data were to be made available to competitors.\r\nEven though the LAPSUS$ attacks have thus far focused primarily on technology companies, any organization\r\ncould conceivably become a victim of such an attack. As such, all companies must carefully consider what they\r\ncan be doing to keep their most sensitive data out of the hands of cybercriminals.\r\nWeak passwords at play\r\nThe other important takeaway from the LAPSUS$ attacks was that while there is no definitive information about\r\nhow the attackers gained access to their victims' networks, the list of leaked Nvidia credentials that was acquired\r\nby Specops clearly reveals that many employees were using extremely weak passwords. Some of these passwords\r\nwere common words (welcome, password, September, etc.), which are extremely susceptible to dictionary attacks.\r\nMany other passwords included the company name as a part of the password (nvidia3d, mynvidia3d, etc.). At least\r\none employee even went so far as to use the word Nvidia as their password!\r\nWhile it is entirely possible that the attackers used an initial penetration method that was not based on the use of\r\nharvested credentials, it is far more likely that these weak credentials played a pivotal role in the attack.\r\nThis, of course, raises the question of what other companies can do to prevent their employees from using\r\nsimilarly weak passwords, making the organization vulnerable to attack. 
Setting up a password policy that\r\nrequires lengthy and complex passwords is a good start, but there is more that companies should be doing.\r\nProtecting your own organization from a similar attack\r\nOne key measure that organizations can use to prevent the use of weak passwords is to create a custom dictionary\r\nof words or phrases that are not permitted to be used as a part of the password. Remember that in the Nvidia\r\nattack, employees often used the word Nvidia either as their password or as a component of their password. A\r\ncustom dictionary could have been used to prevent any password from containing the word Nvidia.\r\nAnother, even more important way that an organization can prevent the use of weak passwords is to create a\r\npolicy preventing users from using any password that is known to have been leaked. When a password is leaked,\r\nthat password is hashed and the hash is usually added to a database of password hashes. If an attacker acquires a\r\npassword hash they can simply compare the hash to the hash database, quickly revealing the password without\r\nhaving to perform a time-consuming brute force or dictionary-based crack.\r\nSpecops Password Policy gives admins the tools that they need in order to ensure that users avoid using weak\r\npasswords or passwords that are known to have been compromised. Specops makes it easy to create a password\r\npolicy that complies with common password standards, such as those defined by NIST. In addition to setting\r\nlength and complexity requirements, however, Specops allows admins to create dictionaries of words that are not\r\nto be used as a part of a password. Additionally, Specops maintains a database of billions of leaked passwords.\r\nUsers' passwords can be automatically checked against this database, thereby preventing users from using a\r\npassword that is known to have been compromised. 
\r\nThis article is a contributed piece from one of our valued partners.\r\nSource: https://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html"
	],
	"report_names": [
		"everything-we-learned-from-lapsus.html"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434943,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99c3eb5e9096d9e7356b6d47730f81b4d7eec0df.pdf",
		"text": "https://archive.orkl.eu/99c3eb5e9096d9e7356b6d47730f81b4d7eec0df.txt",
		"img": "https://archive.orkl.eu/99c3eb5e9096d9e7356b6d47730f81b4d7eec0df.jpg"
	}
}