On August 10, 2023, the Cyber Safety Review Board publicly released a critical report detailing cyberattacks perpetrated by Lapsus$ and related threat groups.
The report came approximately a year and a half after Microsoft first warned about the advanced persistent threat group they initially dubbed DEV-0537 and later came to call Strawberry Tempest.
Run by teenagers from their parents' homes, Lapsus$ successfully targeted high-profile organizations worldwide from late 2021 to 2022.
The group focused on extortion, exploiting systemic vulnerabilities in cybersecurity ecosystems to steal source code and disrupt operations.
Their activities underline the fragility of global digital infrastructures, as they not only exploited existing weaknesses but essentially laid out a playbook for other cybercriminals to follow.
Though they operated amid other criminal groups employing similar methods, Lapsus$ stood out for its effective use of social engineering and supply chain vulnerabilities to gain access to its targets, and in particular for using its victims' own corporate communications tools, such as Microsoft Teams and Slack, to harass and extort them.
When Microsoft first rang the alarm bells about Lapsus$, they detailed how the group infiltrated their targets' communications on tools such as Slack, Teams and conference calls, monitoring an organization's incident response strategy to gain an unprecedented advantage.
Fast forward a year and a half, and now the CSRB has released its comprehensive report on this elusive enemy, confirming and expanding upon Microsoft's warnings.
On an incident timeline, the "bang" is the moment the attack lands; everything to the right of it is the response after an incident has occurred.
As Lapsus$'s attacks have shown, out-of-band communications plans should extend to left-of-bang preparation, too. That means not only having a plan in place to ensure communications are protected once you're responding to an attack, but also considering which communications you wouldn't want the attackers to see while they're still surveilling your organization undetected.
An IBM report in 2023 revealed that it takes over 200 days to identify a breach.
Since the advent of the cloud, enterprise software vendors have pushed clients to consolidate office functions under one vendor, but just because Microsoft says to use O365 for all communications doesn't mean it's to your advantage to do so.
Keeping all communications in one place has real security implications once you consider what an attacker wants once on the inside: credentials, passwords, API keys, internal procedures, vulnerability information and a whole lot more.
Security operations, DevSecOps, and threat intel-sharing communications are potential gold mines for threat actors seeking to continue or perpetuate an attack.
In part two of this series, we will explore solutions to protect communications before and after an attack.
This Cyber News was published on securityboulevard.com. Publication date: Tue, 16 Jan 2024 14:43:11 +0000