# Detailed Analysis of LAPSUS$ Cybercriminal Group that has Compromised Nvidia, Microsoft, Okta, and Globant

**cloudsek.com/profile-lapsus-cybercriminal-group/**

anirudh.batra, April 4, 2022

**Source: A1** **Industry: IT & Technology** **Region: USA** **Category: Adversary Intelligence**

## Executive Summary

**Update: Lapsus$ ransomware group's recent target is IT and software giant Globant. This article has been updated with the analysis of the attack on Globant, which came to light on 30 March 2022.**

[CloudSEK's flagship digital risk monitoring platform XVigil discovered a post on Telegram sharing Nvidia employee credentials](https://cloudsek.com/) and Samsung's source code. The latest additions to this list of already high-profile targets are Microsoft, whose Cortana and Bing source code was leaked, and the SSO giant Okta, whose customer data was exfiltrated.

The Lapsus$ ransomware gang claimed to have compromised Nvidia and then targeted Samsung, further claiming in that breach to have gained access to source code used in Samsung Galaxy smartphones, Okta's customer data, etc. The ransomware gang leaked source code, dehashed credentials, code signing certificates and the source code of the driver. The leaked data gives threat actors the potential to gain unauthorized access to personal, proprietary, and Intellectual Property (IP) data of Nvidia. They have also leaked 90% of the source code of Bing Maps, and claim to hold 45% of the source code of Bing and Cortana. While writing this report, we discovered that PII (Personally Identifiable Information), or dox information, related to the Lapsus$ ransomware gang was released on a Russian-language cybercrime forum.

_This screenshot was posted on the Telegram group; analyzing it closely, we can see that they have access to Jira, Slack, G-Suite and other internal applications as well. RDP access is being used in the screenshot._

## Analysis and Attribution

**Information from the Telegram**

On 22 March 2022, the group claimed to leak Bing Maps, Bing and Cortana source code. Our threat intelligence team has confirmed that [these claims are true; shortly afterwards there were official blogs from Microsoft](https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/) and [Okta confirming the breach.](https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/)

_Leaked information shared on Telegram channels_

**Original Perpetrators of Breach**

The LAPSUS$ cyber-criminal group has been known to exploit the weakest link in the security chain of a corporate network: human mistakes and bad practices.

**They achieve initial access using the following tactics:**

- [Redline malware stealer logs, which can be understood here](https://www.xvigil.com/underground-intelligence/details?identifier=Z2xvYmFsLXRocmVhdC1pbnRlbCN5ZUktVDM4QkExVjVOUGVqYzFxRA&nav_search=WyJjYXRlZ29yeT0xJnNlYXJjaD1yZWRsaW5lJnBhZ2U9Z3RpX2xpc3QmaW5kZXhfbm89MCJd)
- Popular marketplaces like Amigos and Russian Market, used to obtain logs, credentials and session tokens that grant access
- Paying insiders to provide them with VPN, VDI (Citrix), identity provider and even RDP access
- Publicly available secrets on GitHub/GitLab repositories

_Lapsus$ recruitment post_

**The next steps involve privilege escalation and post-exploitation:**

- Exploiting existing vulnerabilities, including unpatched versions of Jira, Confluence, FortiGuard, Microsoft Exchange servers, etc. We have created a curated list of the vulnerabilities they target (see the CVE section below).
- Accessing version control systems and looking through private repositories to obtain secrets and gems
- Accessing mailboxes and collaboration software like Slack to obtain credentials being shared in plain text
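Several of the tactics above depend on credentials that were left in plain text in chat channels, mailboxes and private repositories. The scanner below is an added example (not CloudSEK tooling and not from the page) that flags such material in an exported chat or repository text so it can be rotated before an intruder finds it; the Slack-style export, the pattern set and the sample values (AWS's documented example key pair) are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Patterns for the kinds of secrets the report says were found in plain text in Slack,
# mailboxes and private repositories. Illustrative, not exhaustive.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # a 40-char base64-looking token on a line that also mentions "secret"
    "aws_secret_key": re.compile(r"(?i)secret[^\n]{0,30}?(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
}

@dataclass
class Finding:
    source: str
    line_no: int
    kind: str
    redacted: str  # never write the raw secret to a ticket or log; keep a prefix for triage

def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"

def scan_text(source: str, text: str) -> list:
    """Scan one Slack export, mailbox dump or repo file and return Finding objects."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(source, line_no, kind, redact(secret)))
    return findings

# Constructed Slack export (not a real leak); the AWS values are AWS's documented example pair.
SAMPLE_EXPORT = """\
#devops  alice: staging bucket creds below, pls don't share
#devops  alice: aws_access_key_id = AKIAIOSFODNN7EXAMPLE
#devops  alice: aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
#devops  bob: thanks! the bot token is xoxb-123456789012-abcdefghijkl
#random  carol: lunch at 12?
#infra   dave: vpn password=Summer2022! until we rotate it
"""

if __name__ == "__main__":
    for f in scan_text("slack-export", SAMPLE_EXPORT):
        print(f"{f.source}:{f.line_no} {f.kind} {f.redacted}")
```

Every hit should be treated as already compromised and rotated; the redacted prefix is enough to locate the message without copying the secret into the ticket.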
_They have highlighted the post-exploitation steps they took as part of their response to Okta's latest blog._

**Microsoft Leak Analysis:**

Microsoft in an official blog today has stated the following:

```
“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”
```

The leak contains 56,484 directories, 333,743 files and the source code for Cortana, Bing Maps and Bing. The aggregate size of the leaked data is 37.8 GB. The leak also contains multiple sensitive endpoints, like the one shown in the screenshot above. Similarly, 135 .pfx files are present in the leak. A .pfx file contains the SSL certificate (public key) and the corresponding private key; these can in turn be used maliciously. There are also documentation files as well as internal PDF files.

By looking at the files we can conclude the following:

- No customer data was affected
- No PII was leaked
- Source code along with certificates and .pfx files was leaked
- The Lapsus$ group is not very strong on operational security, as they posted a proof of concept in the Telegram channel while the exfiltration was still underway

**Okta Breach Analysis:**

Okta has also released a statement earlier in the form of a blog stating:

```
“Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.”

“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency”
```

In response to the above statement, the Lapsus$ group released a message which can be summarized in the following points:

- They were successful in breaching a superuser/admin account that had access to Slack, Jira, Confluence boards, etc.
- It is suspicious that the customer support engineer had access to 8.6k Slack channels and internal applications
- They had access to internal AWS secret and key pairs and other API keys, as these were being shared in plain text over Slack and emails
- The breached account had the ability to reset the password and MFA of ~95% of their clientele

_The screenshot was shared by Lapsus$ as a POC claiming they had access to Slack and other applications._

**Globant Leak Analysis:**

Globant, in an official confirmation, has not contested the claim of Lapsus$. Globant released the following statement:

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access. We have activated our security protocols and are conducting an exhaustive investigation. According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients.
To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected”

The 70 GB data leak contains public and private keys (SSH and SSL) that were committed as part of their source code. It consists of the following information for a number of their clients:

- Credential files leaked
- Sensitive information and PII leaked
- SQL files leaked

**Information from the Cyber Crime forum**

The Lapsus$ ransomware group emerged in early January 2022. The group actively operates over their Telegram channel and engages with subscribers. They keep their subscribers updated on their upcoming data breaches and host polls. Recently, we came across a post on a Russian-speaking cybercrime forum that mentioned PII of the operator of the Lapsus$ group.

The doxxed information shows a lot of personal information:

- Name: Arion Kurtaj
- Interests: Minecraft, Fishing, selling 0days
- Age: 16 years
- Potential Address: Spain
- Nationality: British
- DOB: February 19th, 2005
- Personal Emails:
- Aliases:

## Common Vulnerabilities and Exposures (CVE)

The Lapsus$ gang previously targeted an organization in Nepal, and an investigation blog was published for the same, mentioning the targeted CVEs.

**CVEs targeted by Lapsus$**

- CVE-2022-21702: XSS vulnerability in Grafana
- CVE-2022-0510: Reflected XSS in Packagist pimcore/pimcore prior to 10.3.1
- CVE-2022-0139: Use After Free in GitHub repository radareorg/radare2 prior to 5.6.0
- CVE-2021-45327: Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API
- CVE-2021-45325: SSRF vulnerability exists in Gitea before 1.7.0 using the OpenID URL
- CVE-2021-44956: Two heap-based buffer overflow vulnerabilities exist in ffjpeg through 01.01.2021
- CVE-2021-34473: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2020-23705: A global buffer overflow vulnerability through 2020-06-22
- CVE-2021-45328: URL Redirection to Untrusted Site (‘Open Redirect’) via internal URLs
- CVE-2021-45326: CSRF vulnerability exists in Gitea before 1.5.2 via API routes
- CVE-2021-44957: Global buffer overflow vulnerability exists in ffjpeg through 01.01.2021
- CVE-2021-44864: TP-Link WR886N 3.0 1.0.1 Build 150127 Rel.34123n is vulnerable to Buffer Overflow
- CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2021-26857: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2020-23852: A heap-based buffer overflow vulnerability exists in ffjpeg through 2020-07-02
- CVE-2020-12812: An improper authentication vulnerability in SSL VPN in FortiOS
- CVE-2019-5591: A Default Configuration vulnerability in FortiOS
- CVE-2018-13379: An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet

## Indicators of Compromise (IoCs)

Nvidia was targeted by the Lapsus$ group last month. Subsequently, earlier this month, malware samples began to appear in the wild, signed with Nvidia certificates. Some of these samples have very low detection on VirusTotal because of the legitimate certificates attached, and hence could pose a threat. Following are the malware samples signed with stolen certificates:

**IPv4**

- 185.56.83.40
- 139.162.22.146
- 172.105.209.6
- 54.203.159.179

**Domain**

- lapsus-group.com

## Impact & Mitigation

**Impact**

- The published credentials could enable other threat actors to gain access to the organization's networks.
- The exposed Personally Identifiable Information (PII) could enable threat actors to orchestrate social engineering schemes, phishing attacks, and even identity theft.
- Since password reuse is a common practice, threat actors could leverage the exposed credentials to gain access to the users' other accounts.
- Exposed IP addresses and login credentials can lead to potential account takeovers.
- The exposed confidential details could reveal business practices and intellectual property.

**Mitigation**

- Reset the compromised user login credentials and implement a strong password policy for all user accounts.
- Check for possible workarounds and patches while keeping the ports open.
- Use MFA (multi-factor authentication) across logins.
- Patch all vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts and systems that could be indicators of possible takeovers.

## Appendix

_Leaked Nvidia drivers information shared by threat actor_

_Leaked Microsoft internal source code_
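The last mitigation above is easiest to act on for the Okta case described earlier, where a single third-party support account could reset the password and MFA of most of the clientele. The following is an added example (not from the page, CloudSEK or Okta) that reads Okta System Log records and alerts when one actor successfully resets credentials or factors on several distinct users within a short sliding window; the event type names and record fields are Okta's documented ones, while the log lines, account names, threshold and window are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Okta System Log event types that reset a user's password or MFA factors
# (event type names as documented by Okta; record layout follows the System Log API).
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate",
                "user.account.reset_password"}

def find_bulk_resets(log_lines, threshold=3, window=timedelta(minutes=15)):
    """Return {actor: (window_start, sorted distinct targets)} for each actor that
    successfully reset credentials/MFA on >= threshold distinct users in one window."""
    events = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("eventType") not in RESET_EVENTS or ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts deserve their own alert, but are not counted here
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))  # Okta uses UTC 'Z'
        for tgt in ev.get("target", []):
            if tgt.get("type") == "User":
                events.append((ts, ev["actor"]["alternateId"], tgt["alternateId"]))
    events.sort()
    recent = defaultdict(deque)  # actor -> (ts, target) pairs inside the sliding window
    alerts = {}
    for ts, actor, target in events:
        q = recent[actor]
        q.append((ts, target))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold and actor not in alerts:
            alerts[actor] = (q[0][0], sorted(distinct))
    return alerts

def event(ts, actor, target, etype="user.mfa.factor.reset_all", result="SUCCESS"):
    """One constructed System Log record (sample data, not from a real tenant)."""
    return json.dumps({"eventType": etype, "published": ts,
                       "actor": {"type": "User", "alternateId": actor},
                       "target": [{"type": "User", "alternateId": target}],
                       "outcome": {"result": result}})

SAMPLE_LOG = [  # constructed: a vendor support account touches three customers' accounts in 9 minutes
    event("2022-01-21T09:00:00.000Z", "support.eng@vendor.example", "a@customer1.example"),
    event("2022-01-21T09:03:00.000Z", "support.eng@vendor.example", "b@customer2.example", etype="user.account.reset_password"),
    event("2022-01-21T09:05:00.000Z", "support.eng@vendor.example", "b@customer2.example"),
    event("2022-01-21T09:09:00.000Z", "support.eng@vendor.example", "c@customer3.example"),
    event("2022-01-21T09:10:00.000Z", "support.eng@vendor.example", "d@customer4.example", result="FAILURE"),
    event("2022-01-21T09:00:00.000Z", "helpdesk@corp.example", "x@corp.example"),
    event("2022-01-21T13:00:00.000Z", "helpdesk@corp.example", "y@corp.example"),
]
```

In production the threshold should be tuned against the normal volume of helpdesk resets, and support or vendor accounts deserve a lower threshold than internal administrators.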