Who is recruiting your employees? If it is only a competitor wanting to hire someone away from your company, you might be one of the lucky ones.
A malicious group known as LAPSUS$ is actively recruiting employees, partners or vendors to provide legitimate access to companies’ networks through a VPN or a remote desktop application. The recruiting notices are distributed via social media platforms.
More than 45,000 followers subscribe to LAPSUS$’s Telegram channel, which shows the level of interest in the recruitment offers.
A New Modus Operandi For Cyberattackers
LAPSUS$ came to cybersecurity experts’ attention toward the end of 2021 when the group made an extortion demand on Brazil’s Ministry of Health. LAPSUS$ is known to use ransomware to encrypt an organization’s data and hold it for ransom. The group may further extort the victim by demanding money in exchange for not publicly exposing stolen data.
Microsoft, itself a recent target of one of the group’s attacks, published what its researchers learned about the group, which Microsoft tracks as DEV-0537. They noted that “DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation” and that “for a fee, the willing accomplice must provide their credentials” to enable the takeover of a legitimate account.
The fact that LAPSUS$ is apparently successful in recruiting insiders for their nefarious activities should be concerning for CISOs everywhere. The attackers gain access to a real user’s credentials as well as the means to access victims’ systems through an official VPN or remote desktop interface. This gives the bad actors the appearance of legitimacy in corporate systems.
Why Insider Attacks Are Notoriously Hard To Detect
Insider threats have been on the rise for years, increasing by 47% between 2018 and 2020. In fact, over 20% of security incidents are attributed to insiders. Such attacks are often more costly because an insider is able to linger on a network longer without raising suspicions and the identity has preapproved access to private information.
In many ways, catching the malicious insider is more challenging than keeping the malicious outsider out. Companies traditionally have focused more on deploying security tools that are designed to detect threats at the perimeter, or what’s left of it.
What can stop the attack? An insider is already past a perimeter firewall or intrusion detection system. An identity management system sees the credentials as legitimate. A data loss prevention tool might stop data exfiltration but not encryption by ransomware. Unfortunately, these types of security tools do little to stop the person who has already gained legitimate access to the network and its resources.
An insider attack is largely defined by the abuse of privileges to perform some act that the person isn’t entitled to do. It’s a matter of misbehavior on a scale that is damaging to the organization. Thus, the way to catch a malicious insider is to watch for and analyze irregular behaviors. This can be done through personal observations as well as with technology.
Factors That Make Employees Go Rogue
People don’t show up for work one day and suddenly decide to sabotage or steal from their employer. The Cybersecurity and Infrastructure Security Agency (CISA) points out that employees who commit or participate in an insider attack typically show personal indicators that they are under some sort of stress factor, such as having large debts or having a grievance against their company, perhaps because of being overlooked for a promotion they were expecting.
That stressed or disgruntled worker may see the LAPSUS$ opportunity as the perfect way to get quick money or inflict payback on their employer without getting deeply involved.
Tools To Address Insider Threats
Companies deploy cybersecurity technologies based on their perceived risks. Insider threats using legitimate credentials and permissions must be taken into consideration. There are several tools and techniques to consider that can help.
Identity And Access Management
Identity and access management (IAM) is a framework of policies and technologies that manage user identities—and a user can be a person, a device or a service—and restrict access to only those systems and resources needed to perform a job. IAM won’t necessarily prevent an inside attacker from getting to some resources, but it can lock the bad actor out from restricted areas.
Privileged Access Management
Privileged access management (PAM) is a tool that monitors the actions of users with high privileges on the network, such as network administrators and other IT professionals. Attackers that use stolen (or purchased) credentials prefer using privileged accounts because of the access levels they have. PAM looks for abuse of these privileges if the account attempts to do something that’s not permitted.
User And Entity Behavior Analytics
A user and entity behavior analytics (UEBA) security tool gathers information on every user and entity/device of the network and funnels it into a large data lake. This includes every activity performed, such as logging in, opening a file, accessing a directory, copying information to an external drive, printing information, going into an application and so on. These types of activities, taken over a length of time, comprise a common baseline of what a specific user identity does on a daily basis.
All these data points are fed into a machine learning system to analyze the data for subtle differences, or anomalies. For example, a user identity might attempt to access an application or data that it has never accessed before. This different activity leads to further analysis to determine the level of risk it might pose. The UEBA system uses machine learning techniques such as clustering, outlier analysis and peer analysis to see if the suspicious activity truly stands out from normal benign activity. If so, an alert is raised to prompt attention to the matter and/or execute an automated response.
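The baseline-and-anomaly approach described above, shown as an added example written for this page (it is not the article's own code nor any UEBA product's): a small Python script that builds a per-user profile (resources touched, action types, active hours) and a per-role resource profile from constructed access events, then scores new events for anything the user has never done before, with a peer-group check that lowers the score when colleagues in the same role use that resource routinely. All user names, resource names, timestamps and the scoring weights are made up for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events, not real telemetry: "timestamp,user,role,action,resource".
# Two days of routine activity used to build each user's baseline.
BASELINE_LOG = """
2022-03-01T09:05:00,alice,finance,login,vpn
2022-03-01T09:10:00,alice,finance,open,erp
2022-03-01T10:30:00,alice,finance,open,erp
2022-03-02T08:55:00,alice,finance,login,vpn
2022-03-02T09:20:00,alice,finance,open,erp
2022-03-02T14:00:00,alice,finance,open,payroll
2022-03-01T09:00:00,bob,finance,login,vpn
2022-03-01T09:30:00,bob,finance,open,payroll
2022-03-02T09:15:00,bob,finance,open,payroll
2022-03-01T08:30:00,carol,engineering,login,vpn
2022-03-01T08:45:00,carol,engineering,open,git
2022-03-02T08:40:00,carol,engineering,open,git
2022-03-02T11:00:00,carol,engineering,open,ci
"""

# Constructed events to triage against that baseline.
NEW_LOG = """
2022-03-03T02:10:00,alice,finance,login,vpn
2022-03-03T02:15:00,alice,finance,copy,customer-db
2022-03-03T09:00:00,bob,finance,open,erp
"""


def parse_events(text):
    """Turn the CSV-style text into a list of event dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, resource = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "action": action, "resource": resource})
    return events


def build_baseline(events):
    """Per-user profile (resources, actions, active hours) plus per-role resource usage for peer analysis."""
    users = defaultdict(lambda: {"resources": Counter(), "actions": Counter(), "hours": Counter()})
    roles = defaultdict(Counter)
    for e in events:
        profile = users[e["user"]]
        profile["resources"][e["resource"]] += 1
        profile["actions"][e["action"]] += 1
        profile["hours"][e["ts"].hour] += 1
        roles[e["role"]][e["resource"]] += 1
    return users, roles


def score_event(event, users, roles):
    """Return (score, reasons); a higher score means the event deviates more from the user's baseline."""
    profile = users.get(event["user"])
    if profile is None:
        return 3, ["no baseline exists for this user"]
    score, reasons = 0, []
    if event["resource"] not in profile["resources"]:
        score += 2
        reasons.append(f"first access to {event['resource']}")
        # Peer analysis: a resource routinely used by colleagues in the same role is less surprising.
        if roles[event["role"]][event["resource"]] > 0:
            score -= 1
            reasons.append("peers in role use it")
    if event["action"] not in profile["actions"]:
        score += 1
        reasons.append(f"first {event['action']} action")
    if event["ts"].hour not in profile["hours"]:
        score += 1
        reasons.append(f"outside usual hours ({event['ts'].hour:02d}:00)")
    return score, reasons


def triage(new_text, baseline_text, threshold=2):
    """Score every new event and return those at or above the alert threshold."""
    users, roles = build_baseline(parse_events(baseline_text))
    alerts = []
    for event in parse_events(new_text):
        score, reasons = score_event(event, users, roles)
        if score >= threshold:
            alerts.append({"user": event["user"], "resource": event["resource"],
                           "action": event["action"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(NEW_LOG, BASELINE_LOG):
        print(f"ALERT {alert['user']} {alert['action']} {alert['resource']} score={alert['score']}: "
              + "; ".join(alert["reasons"]))
```

With the default threshold only Alice's 02:15 copy from a data store she has never touched is raised, while Bob opening the ERP system for the first time stays quiet because his finance peers use it every day. Real UEBA products replace these hand-picked weights with statistical models over far more attributes and history; the fixed scores here stand in for that so the mechanics (baseline, deviation, peer comparison, alert threshold) are visible.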
LAPSUS$ upped the ante on insider attacks. Now organizations need to rethink their approach to preventing, detecting and shutting them down.
- Karlston