Microsoft has recently been tracking the hacker group ‘Lapsus$’, which has hacked several global IT companies in recent months. Microsoft itself was also hit, with source code for products including the Bing search engine and the AI assistant Cortana among the data affected.
According to the information Microsoft has gathered so far, Lapsus$ shows a consistent pattern: internal reconnaissance, followed by takeover of highly privileged accounts and exfiltration of data.
In this process the group used social engineering to get targets to disclose sensitive information, took over targets’ mobile phone numbers through SIM swapping, and hacked personal email accounts. It also monitored how the victim company recognized the incident and discussed countermeasures, and used aggressive tactics that included intimidating victims.
■ MS: “Lapsus$ tracked recently… relies heavily on social engineering”
On the 22nd (local time), Microsoft published on its blog the tactics, techniques and procedures (TTPs) of Lapsus$ as identified by its Threat Intelligence Center (MSTIC).
Lapsus$ is a new hacker group that has attacked large global IT companies including NVIDIA, Samsung Electronics, LG Electronics, Microsoft and Okta. It stole 190GB of Galaxy source code from Samsung Electronics and about 90,000 employee email accounts and passwords from LG Electronics. It also broke into NVIDIA’s systems and stole 1TB of confidential data including GPU circuit designs, and it has been holding Cortana source code taken from Microsoft.
Not much is known about Lapsus$. It does not deploy ransomware and purely steals data; it initially attacked targets in the United Kingdom and South America but has since expanded to global targets; and, unlike other hacker groups, it makes little effort to conceal itself and makes heavy use of social media.
This blog post is the first time Microsoft has published the TTPs of Lapsus$. According to the post, the Microsoft security team has been actively tracking the group’s “large-scale social engineering and extortion” activity in recent weeks.
Microsoft confirmed that Lapsus$ used the following tactics: ▲ phone-based social engineering ▲ SIM swapping to take over accounts ▲ access to the personal email accounts of employees at target companies ▲ obtaining credentials and MFA approval from employees, suppliers and business partners.
In particular, Microsoft’s analysis is that Lapsus$ invests heavily in social engineering. “To collect operational information about a target company, they studied its employees, team structure, helpdesk, crisis response workflows, supply chain relationships, and so on.”
For example, they called the corporate helpdesk to have accounts reset, using a native English-speaking caller and reciting profile information collected in advance to gain the helpdesk’s trust.
Microsoft said, “They gained elevated access through stolen accounts, exfiltrated data, and extorted the victims,” which shows that this is outright criminal activity.
■ Step 1: Securing initial access
Microsoft said, “The attacker’s TTPs and infrastructure are constantly evolving,” and described the set of TTPs observed to date.
The first step is to compromise user identities in order to gain initial access to the target company.
Lapsus$ obtained compromised accounts through methods such as: ▲ deploying the ‘Redline’ password-stealing malware to steal passwords and session tokens ▲ purchasing credentials on underground crime forums ▲ paying employees of target organizations, suppliers and business partners for credentials and MFA approval ▲ searching for leaked credentials.
Where MFA was in place, the attackers spammed users with MFA requests until the user agreed to approve one.
In some cases they found additional credentials that could be used to hack users’ personal (non-work) email accounts and from there reach corporate systems. Personal email was commonly used for secondary authentication or password recovery.
They also performed SIM swapping attacks to take over the user’s mobile phone number, which allowed them to pass verification steps that relied on the phone.
After obtaining access, the attacker’s own system was connected to the corporate virtual private network (VPN). In some cases the system was registered or joined to Azure AD to satisfy conditional access requirements.
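As an added defender-side example (not from the Microsoft post or this article), the following Python script flags the MFA prompt-spamming pattern described above: a user who approves an MFA request shortly after a burst of denied or ignored prompts. The sign-in records are constructed and their field names are assumptions, not a real Azure AD log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (NOT real Azure AD sign-in logs; field names
# are assumptions for this example). Each line is the outcome of one MFA prompt.
SAMPLE_LOG = """\
{"time": "2022-03-22T02:00:05Z", "user": "alice", "ip": "203.0.113.10", "mfa": "denied"}
{"time": "2022-03-22T02:00:40Z", "user": "alice", "ip": "203.0.113.10", "mfa": "timeout"}
{"time": "2022-03-22T02:01:15Z", "user": "alice", "ip": "203.0.113.10", "mfa": "denied"}
{"time": "2022-03-22T02:01:50Z", "user": "alice", "ip": "203.0.113.10", "mfa": "timeout"}
{"time": "2022-03-22T02:02:30Z", "user": "alice", "ip": "203.0.113.10", "mfa": "approved"}
{"time": "2022-03-22T09:10:00Z", "user": "bob", "ip": "198.51.100.7", "mfa": "denied"}
{"time": "2022-03-22T09:12:00Z", "user": "bob", "ip": "198.51.100.7", "mfa": "approved"}
"""


def parse_events(text):
    """Parse one JSON record per line and return the records sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def detect_mfa_fatigue(events, min_rejections=3, window=timedelta(minutes=10)):
    """Return one alert per approval preceded by >= min_rejections rejected
    or timed-out prompts for the same user inside the lookback window."""
    per_user = defaultdict(list)
    for rec in events:
        per_user[rec["user"]].append(rec)
    alerts = []
    for user, recs in per_user.items():
        for i, rec in enumerate(recs):
            if rec["mfa"] != "approved":
                continue
            start = rec["time"] - window
            rejected = [r for r in recs[:i]
                        if r["time"] >= start and r["mfa"] in ("denied", "timeout")]
            if len(rejected) >= min_rejections:
                alerts.append({"user": user,
                               "approved_at": rec["time"].isoformat(),
                               "rejections_before_approval": len(rejected),
                               "source_ips": sorted({r["ip"] for r in rejected})})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

A single denial followed by an approval (bob) is normal user behaviour and is not flagged; the burst-then-approve sequence (alice) is.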
■ Step 2: Reconnaissance and privilege escalation
Once the compromised accounts gave them access to the corporate network, they used multiple tactics to find additional credentials or entry points and expand their access.
They used ‘AD Explorer’ to enumerate all users and groups on the network and to identify accounts with higher privileges.
They then exploited vulnerabilities in internally accessible Confluence, JIRA and GitLab servers to escalate privileges.
In some cases the helpdesk was used to reset accounts. The attackers gathered the kind of account-recovery information the helpdesk asks for, such as ‘the first street you lived on’ or ‘mother’s maiden name’, then called the helpdesk, established credibility, and had the account’s privileges raised. Microsoft explained that this tactic is especially effective when the organization has given helpdesk staff the ability to elevate privileges.
■ Step 3: Exfiltration and extortion
According to Microsoft, Lapsus$ operates dedicated infrastructure at virtual private server (VPS) providers and uses NordVPN as its egress (outbound traffic) points. It is also aware of detections such as Azure AD’s ‘impossible travel’, and was observed choosing VPN exit points geographically close to its targets. After this stage, sensitive data was downloaded to a system connected to the VPN or to Azure AD.
A notable behaviour in the exfiltration and extortion stage is that the group watches the victim’s incident response. Lapsus$ joined companies’ crisis communication calls and internal channels (Slack, Teams, conference calls, etc.).
“Joining these channels, in order to understand the victim’s incident response workflow, gave the attackers insight into ▲ the victim’s state of mind ▲ the victim’s awareness of the intrusion ▲ and the response to the incident,” Microsoft explained.
Lapsus$ has also held stolen data hostage to demand payment, and in other cases has released stolen data publicly without demanding money.
■ What are the countermeasures? “Avoid simple MFA or phone-based verification”
Microsoft also presented ways to prevent damage from the attack tactics of Lapsus$.
First, it recommended applying MFA to all infrastructure, “including trusted environments.” “More secure implementations such as FIDO tokens or Microsoft Authenticator should be used, and phone-based MFA methods should be avoided because of the risk of SIM swapping.”
“Use Azure AD Password Protection to block easily guessed passwords, and reduce reliance on passwords by using passwordless authentication methods such as Windows Hello, Microsoft Authenticator and FIDO tokens.”
In addition, “do not use weak MFA factors such as text messages (vulnerable to SIM swapping), simple voice approvals, simple push notifications, and secondary email addresses, and do not allow credentials or MFA factors to be shared.”