You may not have missed all the noises recently caused by Lapsus$, a group that seems to specialize in extortion without necessarily leveraging ransomware.
At first glance, Lapsus$ check marks all elements that would make researchers put them in the low priority threats, especially considering their readiness to make dramas and OpSec failures. Except that the group has successfully managed to significantly enrich its victim list with high profile corporations, thus drawing all our attention.
In the following, we will describe the threat actor profile that was drawn by our investigations based either on OSINT, dark web or infrastructure analysis.
High profile targets
Since the announcement of its first victim in December 2021, Lapsus$ has engaged in extortion attempts with at least 15 different entities.
Figure 1. Lapsus$’ victimology based on the group’s claims since December 2021
While initially focused on Brazilian government bodies, the group was recently targeting large technology, telecom, automotive and retail businesses around the world. Among its high-profile victims: Samsung, Nvidia Corporation and Vodafone.
The group recently announced a new victim on its Telegram channel, which is the authentication services provider Okta. Lapsus$ would have gained access in the company’s network on January, 21, if not earlier, and made its attack public on March 22. If confirmed, this incident may result in a very damaging software supply chain attack.
Despite some politicized statements (for example, a political message with curses to the Brazilian President Bolsonaro attackers left in one of their extortion letters), Lapsus$ argue they are only operating for financial gain purposes: “our only goal is money, we are not state sponsored and we are not in politics at all”.
Going further into their history
While Lapsus$ is currently claiming to only operate via Telegram (“we don’t have any other socials”), the group seems to have a connection to a threat actor named “4c3” who has been active on several cybercrime forums since at least May 2021. 4c3 started by selling a German company’s customer data on RaidForums and Exploit underground forums and then two months later, he made his first major victim – the gaming giant Electronic Arts (EA). The group represented by 4c3 had leaked large amounts of data (20-25 terabytes) concerning EA, but also source code.
The point is that 4c3 has already declared being part of the Lapsus$ group on July 20, 2021, while discussing the EA attack on the RaidForums hacking forum and he signed its very last publications on several cybercrime forums as follows: “Please note that this account won’t be used again. Remember our name. LAPSUS$”.
Figure 2. 4c3 leaking sensitive data related to Electronic Arts on a cybercrime forum
Thus, we can suppose that this group has moved from cybercrime forums to other methods of reaching out to the public and to the victims.
Another connecting element between the actors who compromised EA (with 4c3 as representative) and the Lapsus$ group: the Monero wallet address they communicate to victims. The ransom note sent to Electronic Arts which we were able to consult contained the address of this Monero wallet to be used for ransom payment: 42qLW1FiEDQKjeoSAFQRXaVpSUxB8fTYJ2Zeah8dcDTYDEjCb71iCR76ctGMysAB4nj3MTTCE5GuJMsC1eLuwKdu7v6FKf3.
This same address led us to another series of extortion attempts dated early August 2021 and signed Lapsus$. These extortion campaigns targeted the users and clients of the Lapsus$ victims, in order to put more pressure on them.
Figure 3. Possible targets of the Lapsus$ group
Leaks sharing and extortion strategy
In our knowledge, Lapsus$ used a website only once to claim its involvement in a campaign. For the vast majority of their operations, they rather chose to threaten their victims with the data leakage and share the related leaks on a Telegram channel they created in December 2021. The channel has at the time of writing more than 32400 subscribers.
Choosing to use Telegram rather than an onion website such as the majority of ransomware or extortion groups could be a smart approach since a Telegram channel is more easily reachable by the large public in comparison with a website requiring the use of TOR.
They also use this channel to add pressure on victims by sharing polls asking their community to vote for the next leak to be shared by the group.
Figure 4. Lapsus$ asking on their Telegram channel which company’s data to leak first
In parallel, they also created an open Telegram channel named “Lapsus$ chat” where every member (more than 8500 members currently) is invited to talk about various hacking topics.
Discussions in this chat are mainly kept in Portuguese. More recently, Russian-speaking participants have also joined the discussion. Moreover, this chat is also used as a platform to encourage cooperation between its members and serve as a recruitment mechanism between the chat members themselves, for various tasks related to upcoming cyber attacks.
Figure 5. Publications of different “Lapsus$ chat” Telegram channel members
Hence, It will not be surprising that abusing a legit service, such as Telegram, would become a trend towards which cybercriminals will tend in the future to threaten their victims with data disclosure.
For the first time since its existence, Тelegram became the most popular instant messenger in Russia in mid-March, being both a communication tool and one of the main sources of information (after Russia restricted the access to other social networks and messengers). Globally, Telegram is becoming increasingly popular among threat actors, competing with other messaging apps such as Discord.
The Lapsus$ group representative is actually communicating on its Telegram channel in both Portuguese and English. The Portuguese language was used in the Ministry of Health of Brazil’s defacement campaign. Nevertheless, there are indications that the group uses machine translation to communicate in Portuguese. According to a tweet by the group Anonymous Brazil, Lapsus$ would be formed by people of Spanish and Colombian nationality. This statement can not be validated at the moment.
Lapsus$, the art of self-doxing and first OpSec failures
Few months ago, Doxbin, a famous data-sharing website that includes huge amounts of personal information on both attackers and their victims, was sold to an individual under the nickname of “White”, who is/was allegedly a high ranked member of the Lapsus$ group, if not the leader. While things did not go as planned, White agreed to sell the website back to the previous owners.
Eventually, he got upset when the owners excluded him from the community Discord server. After some drama, White decided in revenge to leak the user database in plaintext.
Figure 6. Lapsus$ leaking the bin.sql database of Doxbin. The pinned message says that White, aka Alexander is not arrested and his Telegram account got deleted.
The biggest OpSec failure here is that White, aka Alexander, leaked the database that also includes its own personal information and passwords, which people quickly took advantage of.
Hence, the dox revealed that “White” aka Alexander, of the Lapsus$ group, was a 16 years-old boy native of Albania, living with his mother in the United Kingdom, where he was attending a specialized school.
Figure 7. Doxxing of White aka Alexander
While our investigations lead us to believe that it is highly likely that the dox content is truthful, it is expected that it will quickly lead the law enforcement to an arrest.
Figure 8. Doxbinwh1ite account looking to be recruited by ransomware groups like HelloKitty or REvil
Furthermore, we have reasons to think that Alexander aka White is also the owner of the account doxbinwh1ite on Exploit. In December 2021, this user was looking to be recruited by HelloKitty or REvil groups, arguing he owned access to companies such as LG, Samsung and EA Games. A victim list that accurately matches the companies that Lapsus$ announced to have breached.
This would lead us to think that while he didn’t succeed in joining these ransomware groups, he rather has chosen to use these accesses to build Lapsus$ reputation instead.
Drama and a proven immaturity
In the meantime, the threat actor is still exposing internal conflicts within the group, doxxing each other. In the message below, which was quickly deleted, Lapsus$ exposed the Telegram user @redeyeg0d, formerly a member of the group.
Figure 9. Lapsus$ explanation for not sharing yet the data to be leaked
While investigating the footprints of this user, we found a ransom note left following the encryption of a victim’s systems by a strain of Babuk ransomware. In the note, it was mentioned that 200 GB of data were exfiltrated and all the files were encrypted. At the end of the note, the victim is invited to contact @redeyeg0d on Telegram. Since only @redeyeg0d was mentioned in the ransom note, we can not bind the Lapsus$ group to this usage of Babuk ransomware, or any other ransomware.
Pretty bad OpSec we said?
Investigating Lapsus$ recent infrastructure, we surprisingly found that the IP address used as a C2 in a campaign resolves to a domain dubbed after the group’s name.
Hence, it appears that Lapsus$ used the associated website to claim for an attack where they allegedly encrypt the victim’s system with ransomware. This is the only mention that they may have used ransomware in a campaign.
Figure 10. Lapsus$ threatening one of their victims. In translation from Portuguese, the message reads “Hello. We are back […] Let’s explain a few things: our only goal is to get money, we don’t care about the Bolsonaro family […] a bunch of servers have been sent to the ‘dead data’ cemetery. The solution is to pay the ransom”
The same IP was on our SEKOIA.IO IOCs database, since it was used to host metasploit service on its default ssl port 3790, also using the default metasploit ssl certificate.
Figure 11. Enter the SSL port that the Metasploit service should use. By default, the server uses port 3790 for HTTPS.
Hence, the attacker has made no effort to change the basic configuration of the metasploit framework in a will to avoid detection.
Too big to be real?
Earlier this month, Lapsus$ shared another message on its Telegram before, once again, quickly deleting it.
In this message, they uploaded a picture to potentially claim being at the origin of a disruption on the bleepingcomputer website (which was not disrupted at that time), or announce a future attack on the target.
Figure 12. A picture uploaded by a Lapsus$ member on their telegram before quickly deleting it
By looking carefully at the bookmarked pages, we can see the threat actor bookmarked a GitHub account that includes links to metasploit framework, brute force modules and qbot scanner setup.
Figure 13. The bookmarked github account
Whether the bookmarked account belongs to a member of the Lapsus$ group is not clear, however this would not be the first OpSec failure known by the group.
Nevertheless talented kiddies
Despite all the drama and OpSec failures these investigations have revealed regarding Lapsus$ group, they undoubtedly are talented hackers who successfully managed to get into high profile victims. Unless an arrest comes to disrupt their operations and integrity as a group, Lapsus$ is a threat not to be underestimated.
Furthermore, at the moment, the group has not shown any desire to cease its activities. On March 10, Lapsus$ announced on its Telegram channel they were recruiting for employees/insiders working in the telecommunications, IT and Internet providers sectors. They specify that they are not looking for data but employees able to provide VPN or Citrix accesses. Which is consistent with the incidents we know of, where the favorite initial access leveraged by the group was spear phishing campaigns leading to valid accounts.
Figure 14. Lapsus$ insiders recruitment announcement
It would seem that the group’s appeal has already resulted in the compromise of a big corporation through an insider. According to the declarations of an alleged Lapsus$ member on March 22, 2022, the group has corrupted an employee of one of the world’s leading technology companies and this insider would be “the only person [they] paid”.
Fame and glory?
For the very recent victims announced by Lapsus$ group, there is no evidence that Lapsus$ have publicly threatened them to pay a ransom in order to keep their data safe from being shared, unlike previous victims. Thus driving us to question the real motivations of the group.
The analysis of their behavior highly clays for a willingness to prompt people to talk about the group, thus drawing the profile of individual(s) looking for fame and glory, as we have seen in the past with the LulzSec group for instance.
Exploit Public-Facing Application (T1190)
Valid Accounts: Local Accounts (T1078.003)
Valid Accounts: Cloud Accounts (T1078.004)
External Defacement (T1491.001)
Automated Exfiltration (T1020)