Công nghệ

Portrait of Lapsus$, the hacker group behind the Microsoft attack

The most ‘notorious’ hacker group in 2022 calls the name Lapsus$ when they continuously carry out cyber attacks against high-profile targets.

Lapsus$ is said to be the biggest risk to businesses in 2022. A series of big names such as Microsoft, Nvidia, Okta, LG… admitted to being victims of Lapsus$ within just 3 months. Although March is coming to an end, little is known about this group.

Unlike other successful hackers of recent times, Lapsus$ is unique because it does not use ransomware, but uses other methods to demand money from the target. After the attack on the Okta identity company, the group announced that they were temporarily “washing their hands and putting their swords aside” because some members were going… on vacation until the end of the month.

Portrait of Lapsus$, the hacker group behind the Microsoft attack

Who is behind Lapsus$?

According to security expert Marcus Hutchins, Lapsus$ is a group of hackers that are “both perfect and not”. On the one hand, they claim responsibility for many attacks on high-profile targets that even other experienced cybercriminals don’t touch. On the one hand, they appear to be reckless in their actions. Instead of hiding in the shadows, they advertise their activities on the Telegram channel and even provide a channel to vote on which data leaks next.

Hutchins said that “they seem to be children but take responsibility for attacking top companies”. Security researcher Bill Demirkapi agrees. Lapsus$ bragged about having access to Microsoft’s internal servers while still extracting the company’s source code.

Security firm Check Point said the hacker was from Portugal and Brazil. The first major breach occurred in December 2021, targeting the Brazilian Ministry of Health and other government entities. Another report from Bloomberg suggested the entire operation was led by a 16-year-old boy in the UK, with other members living in the UK and Brazil.

British law enforcement arrested 7 people on March 24 in connection with the Lapsus$ group. Those arrested, aged between 16 and 21, were released but banned from leaving their residences.

How it works

Microsoft’s March 2022 study details its investigation into this hacker group, revealing how the group operates and how they infiltrate major organizations around the world. While not naming the person behind it, Microsoft says Lapsus$ is based on a pure vandalism and extortion model. The attack methods they use are diverse and complex. Their awareness does not seem to match their proficiency and sophistication in attack.

Lapsus$ uses social engineering to help hackers gain information about employees and companies. The group’s goal is to gain enterprise access through stolen logins, enabling data theft and destructive attacks.

To gain access, Lapsus$ employs a variety of methods, including implementing the Redline password stealer, searching public code repositories for exposed credentials; buy credentials through brokers; Or simply pay company employees.

The team uses remote desktop protocol (RDP) and virtual desktop infrastructure (VDI) like Citrix to access an enterprise’s environment. They bypass multi-factor authentication (MFA) with techniques such as spamming primary account holders with MFA prompts after stealing their passwords. In a Telegram chat, the hacker said spamming the MFA reminder while the employee was asleep was the easiest way to get their approval because they all wanted to turn off notifications.

According to Microsoft, Lapsus$ also makes smart use of virtual private networks (VPNs), showing how well they understand how cloud monitoring services detect suspicious behavior. The team also creates virtual machines on the victim’s cloud infrastructure to conduct further attacks before locking the business out of the cloud. With Lapsus$ in full control, they make sure all incoming and outgoing email is forwarded to their own infrastructure, where they mine as much data as possible before wiping out systems and resources. In some cases, Lapsus$ then asks the victim to pay not to release the information.


Two security experts Soufiane Tahiri and Anis Haboubi analyzed one of the wallets allegedly linked to Lapsus$, finding a balance of 3,790,62159317 Bitcoins, equivalent to £123.9 million. This number has not been confirmed by Lapsus$ or any other organization.

Du Lam (According to IT Pro)

You are reading the article Portrait of Lapsus$, the hacker group behind the Microsoft attack
at Blogtuan.info – Source: vietnamnet.vn – Read the original article here

Back to top button