Despite using methods that are "bold, illogical, and poorly thought out, Lapsus$ has successfully breached companies like Microsoft, Vodafone and Nvidia. Credit: Cosmin4000 / Getty Images [Editor’s note: This article originally appeared on the CSO Germany website on July 29.] Claire Tills, senior research engineer at Tenable, describes the methods of the hacking group Lapsus$ as bold, illogical and poorly thought out. The criminals attacked renowned companies such as Microsoft, Samsung, Nvidia, Vodafone, Ubisoft and Okta. They stole data and sometimes used ransomware to extort their victims. How Lapsus$ became famous In contrast to other cybercriminal gangs, Lapsus$ organizes itself exclusively through a private Telegram group and does not operate a leak site on the dark web. As Tills wrote, the group has so far announced its next victims via Telegram. She also noted that Lapsus$ asked the community for suggestions as to which company data should be published next. Lapsus$ garnered a lot of attention for its unconventional tactics and unpredictable methods. Early this year, for example, it was involved in the multi-stage theft of data from computer systems of the customer service provider Sitel. This in turn led to a security incident at IAM provider Okta. According to Tills, the group then relied heavily on classic tactics such as Initial access via purchased or publicly accessible login databases Password theft Paying employees for their access data Bypassing multi-factor authentication by spamming submissions or contacting the helpdesk Access to applications such as VPNs, Microsoft SharePoint or virtual desktops to collect additional credentials and access sensitive information Elevating permissions by exploiting unpatched vulnerabilities in Jira, GitLab and Confluence Smuggling data out via NordVPN or free file drop services and then wiping resources Leverage access to victim’s cloud environments to build attack infrastructure and remove all other global administrators Does Lapsus$ stay dormant? Although it is difficult to identify individual members of the hacking group, law enforcement agencies have been able to trace Lapsus$’s operations to a few teenagers in Brazil and the UK. From the subsequent arrests and “apparent silence from the group,” Tills concludes that the hackers are talented but inexperienced. Lapsus$ has been quiet for a few months (although Cisco claims the group was among those responsible for a breach of its IT network in May). Tills did not speculate whether this is because some members were unmasked and arrested, or whether the teenagers simply lost interest. Instead, she concluded her report with an appeal: “Ransomware extortion attacks will never end unless they become too complicated or too costly. Organizations should consider what defenses they have against the tactics used, how they can be hardened, and whether their crisis response plans effectively take these incidents into account. Therefore, the danger emanating from hacker groups like Lapsus$ should not be downplayed. Especially since the group successfully attacked large international tech groups with simple tactics, sometimes with serious consequences.” Related content news Change Healthcare went without cyber insurance before debilitating ransomware attack In doing so, Change exposed itself not just to greater financial risk, but reputational damage too. By John Leyden May 07, 2024 5 mins Data Breach Ransomware news Citrix quietly fixes a new critical vulnerability similar to Citrix Bleed Much similar to Citrix-Bleed, the information disclosure bug was identified within NetScaler devices configured as gateway or virtual servers. By Shweta Sharma May 07, 2024 3 mins Vulnerabilities feature What is IAM? Identity and access management explained IAM is a set of processes, policies, and tools for controlling user access to critical information within an organization. By David Strom May 07, 2024 12 mins Identity Management Solutions IT Leadership Security news Most interesting products to see at RSAC 2024 Tools, platforms, and services that the CSO team recommends 2024 RSA Conference attendees check out. By CSO Staff May 07, 2024 12 mins RSA Conference Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe