
Advanced Persistent Teenagers: Understanding the Lapsus$ Playbook

BSidesSF · 2024 · 31:05 · 432 views · Published 2024-07
Category: Technical
Style: Talk
About this talk
Advanced Persistent Teenagers: Understanding the Lapsus$ Playbook
Benjamin Hering
In 2022, teenagers breached Microsoft, Okta, Uber and dozens more without any 0 day vulns. Leveraging the Cyber Safety Review Board's report and public sources, we'll explore how these attacks worked, how the playbook has outlived the group, and how to defend against these techniques.
https://bsidessf2024.sched.com/event/4c089ebec4d31a644d5f2f8eecb65d12
Transcript [en]

...without further ado, Benjamin.

All right, hello everybody. So I've got 60 slides and I have practiced hard to make this a tight 30 minutes so that we can have room for question and answer at the end. So for those of you doing the math at home, that's 30 seconds a slide. So if you are one of those people who studiously takes notes about everything that's on a slide, I'm going to apologize in advance, because I'm going to blow right past you. But worry not, it does not, you know, escape into the ether forever. At the end of this I'm going to give y'all copies of my slides, speaker notes, the whole deal. So stick

with me. All right, we're going to make it through. Yeah, I'm Benjamin, by the way. I work for a company called Saildrone. We make uncrewed marine vessels with a bunch of sensors on them that are primarily powered by wind and solar, which means we get to do cool stuff like chuck them into the middle of hurricanes and then help NOAA get more accurate data to know where it's going to make landfall and things like that. This actually has nothing to do with the talk itself; I just wanted to see hurricane footage on a really big screen, so thanks for indulging me. I'm not here to talk about boats. Let's talk about

planes instead. All right, so the early history of aviation was incredibly bloody. Instead of the Boeing door falling off the 747, the entire plane might disintegrate in midair. And, moving at the speed of Congress, a couple of decades later they passed the Air Commerce Act and said, hey, Commerce Department, maybe you can figure out why planes keep crashing. And that was the start of the National Transportation Safety Board. If you've ever heard the term that regulations are written in blood, the NTSB is the one that is studying the entrails to figure out exactly what went wrong. Now we've had a couple decades' worth of cybersecurity incidents, so somebody had a great idea and said, hey, maybe we should

figure out what the root cause of all of those things is, and the Cyber Safety Review Board was born. This is a mix of half people inside government, half real-world practitioners who are doing this every single day. To highlight a couple: we have Heather Adkins, who's running security engineering at Google; we have Katie Moussouris, who was really the early adopter when it came to vulnerability disclosure, did bug bounty at Microsoft, bug bounty at the Department of Defense; Wendi Whitmore, who is at Unit 42 at Palo Alto Networks. Like, these women know their stuff. And, you know, there's a bunch of other dudes too, but at 30 seconds to the slide I can't highlight

everyone. And they wrote this report, which I'm going to be basing a large chunk of my talk off of today. I do recommend reading it in full detail if you're curious. I can't go nearly into the amount of depth that they have done in the report in this short talk, but there's a lot more good stuff in there. But let's just start with the background. So a couple key facts here: Lapsus$ was about 8 to 10 known members working out of Brazil and the UK. We're talking no nation-state affiliation here, there's no million-dollar budgets, there's no stockpile of zero-days here. And just like you see in ransomware, where, you know, whatever

ransomware group gets a really high notoriety, an FBI warning goes out, they start talking about it at conferences, and then the name just kind of disintegrates as all the people in that group kind of fade away and then reform somewhere else. So the Lapsus$ moniker isn't active today, and it wasn't active at the time that they wrote the report, but the playbook keeps continuing on. Now this is not a complete timeline; in fact, just yesterday I found yet another place that they had broken into that I added to the list here. And yeah, Lapsus$ got their nice little FBI seal warning here. We are going to take a look at a couple of these as actual case

studies throughout here and kind of touch a little bit more into the details. So why did they do it? I mean, look, money is great, y'all. So, the standard set of ways to try to use cybercrime to get money, right: extorting people, selling the stolen data, ransomware, cryptocurrency miners, the whole ten yards. But they also seem to really just enjoy breaking into companies with multi-million-dollar security budgets and then, you know, laughing at them from the public internet. But enough about Lapsus$ itself; the name doesn't matter, it's the playbook that does, and so this is where we're going to be spending most of our time today. So when we're talking about initial access here, social

engineering was key for how Lapsus$ got things done. More often than not it would start by going on to LinkedIn, finding an employee that worked for a company, getting enough personal details about them, and then turning that straight into a phone phish: calling up the help desk, impersonating that employee, hoping to get some sort of credentials out of it. They also extensively used meddler-in-the-middle, sometimes called man-in-the-middle, attack proxies. Evilginx is the free and open source one that I think is most commonly known. I mean, headline: basically, unless your multifactor is phishing-resistant, think security keys and passkeys, something like Evilginx is going to go right through it. The

time-based one-time password, SMS, push notifications: barely even a speed bump for grabbing credentials with something like that. Also, just spamming push notifications until somebody said yes. And like the phone phishing of pretending to be an employee to the help desk, they also did the reverse: pretend to be the help desk to employees, or send targeted SMS phishes. Basically anywhere that Lapsus$ was able to move this from computer hacking to people hacking, they took advantage of it, and that helped them get their initial footholds. In other ways they would defeat MFA is, you know, straight up paying somebody $2,000 a week to do a couple of SIM swaps, hijack that delivery of SMS

passcodes, or just straight up pay employees at their target companies to give them a valid set of creds. And look, if none of the rest of that worked, just buy them, right? A stealer bot will do just fine. Which brings us to my first case study. We're going to be talking about Uber, but before I do that let's just kind of orient ourselves a little bit here. Our job here today is to learn. It's not to do armchair quarterbacking or critique the very smart security engineers at all of these companies. All right, these people had really, really bad days, and we get to learn the playbook because they were willing to share details about some of their worst days.

All right, so if you're going to criticize anything, I would actually criticize the companies that I'm not doing case studies of, because most of those didn't release any details for us to be able to learn as a community about how this threat actor was operating and, you know, chewing through all of them. But anyway, back to Uber. So this starts out with someone posting inside Uber's internal Slack: I announce that I am a hacker and Uber has suffered a data breach. Which all of them thought was really funny, with lots of emoji reactions and GIFs, until Uber security came in and started locking absolutely everything down. Now then they start releasing screenshots. You know, here's Uber, they've got over a petabyte

worth of Google admin storage. Here's their ESXi host in their corporate environment. Oh, here's their AWS console. Now, note on the screenshot here it says administrator access, but they do not actually have administrator access; there's some other account going on here. But the thing I actually want to draw your most attention to: let's look at these file names down here. Now this is not my research, so shout out to Group-IB. If you look at the IDs in there, it matches items in the marketplace for sale, and so, you know, we have Uber, Uber, Uber, Uber passwords for 10 bucks, same over here. So for $20 they basically bought two Uber passwords. Now that gets

you part of the way here. Uber's not dumb; they do have multifactor authentication. So how did they get past that? Look, just spam until they say yes. It's one of those things that really seemed silly to me when I first started thinking about it, but as I'm sitting here pausing on the slide for a little bit, I'm pretty sure there's a couple of y'all in this room being like, geez, go to the next slide already, just clear this out. You can basically annoy people into hitting yes. All right, from there you go to privilege escalation. Once they were able to sign into Uber's VPN, they scanned that internal network space. In that network space they found an open SMB

share. On that SMB share they saw a PowerShell script. Inside that PowerShell script were the emergency break-glass credentials for Uber's security team to get into their password manager. And once you have admin into the thing that is holding the keys to the kingdom, game over, y'all. But Lapsus$ used a whole lot of other ways too. I mean, all of this is the standard land-and-expand that we see from attackers: they're going to get some initial foothold, from that foothold they're going to see anything they can get access to and try to find something to get to the next level. So do you have a passwords.xls file? They're going to find it,

find AWS keys in Slack. Lapsus$ would follow the new user onboarding guide to be able to get access to source code. All of these things try to get up into that next level. And just in case you think I'm making it up, this is straight from Uber: they purchased the contractor's password, and initially two-factor blocked it, until they spammed them enough that they hit yes, and that's what caused it. Now, other ways that Lapsus$ liked to get in is, you know, the very standard Shodan safari: pick your favorite CVSS 10-out-of-10 remote code execution vuln, scan through the internet to find things that aren't patched on those border devices, and boom,

you're in. These two CVEs in particular were favorites of Lapsus$. They also used supply chain attacks. Here Lapsus$ really extensively exploited the trust relationships between organizations, and in particular business process outsourcers, or BPOs, which brings us to the next case study of Okta, or actually Sitel Group, the BPO that they were outsourcing support desk help requests to. So what happened was there was a security incident at Sitel, which Sitel reported to Okta, and a couple of months later Lapsus$ decided that they wanted to start sharing some screenshots. And look, those are some screenshots that look like an internal Okta admin panel. Oh, that one says like you're resetting a password or something. And Lapsus$

confirmed that they weren't actually targeting Okta here. This was like a chaining of supply chain attacks that they attempted, where they were actually going, you know, after Sitel to then get at Okta to then get at one of Okta's customers. I don't know, maybe this one, who knows. All right, now if you've been in the security community for a while, you, like me, might have an it's-complicated kind of relationship with Okta here. I'm frustrated that it took three months after the event and the bad public press for us to actually learn about this, but I also want to give credit where credit is due. Okta ate their vegetables here. They did the basic security hygiene, they

provisioned the access to the BPO through actual least privilege, and they had enough logs captured to be actually able to determine what did and what didn't happen. At the end, with all those scary screenshots, there was a single workstation they controlled for 25 minutes, and they were unable to do any sort of configuration change, password reset, impersonation, you name it. I also want to talk about emergency disclosure request abuses. Now, for those of you who aren't aware, these EDRs are ways for primarily law enforcement to reach out to a company to either get access to an account or some information about one of their users that they wouldn't be able to get otherwise. And this process is designed for things that

have a risk of death or serious physical injury, so these do have very legitimate use cases. And you can see how this really puts companies in a bind, because by definition they have a very short period of time, and there are legitimate reasons why life and limb will be at risk if this information is not disclosed. But they also have this problem of trying to say, okay, is this a real law enforcement organization? This is not just is this the FBI or not the FBI, but any one of tens of thousands of law enforcement agencies all around the world. The CSRB had some interviews with researchers on this topic and noted in the report that there are at least 112

domains that the researchers found, including ones that actually belong to legitimate international law enforcement agencies, that have been leveraged for this type of EDR abuse. So let's talk about Cisco. Now, if you will join me in a bit of reckless speculation here: Cisco Talos did a very excellent write-up, and I do want to give them props for that, but there are some places where they kind of gloss over some details. One, which I think is entirely appropriate, is they start with the initial compromise of a Cisco employee's personal Google account, and we don't know how that happened. But when I compare that to the language of the CSRB, when they're talking about

fraudulent EDRs, using that to take over personal accounts and access personal photos, which I've got to say is about the most neutral government-report speak that I've ever heard for somebody just straight up lying to people to break into their stuff and use the most intimate details about them to screw them over. So was this an EDR or not? I don't know. The puzzle piece fits; you can make your own conclusion. But starting from the base of someone's personal Google account at Cisco was compromised: turns out that Cisco employee had password sync enabled on their personal Chrome profile, which included Cisco passwords. All right, so we've got a password; we still can't break through MFA. Lapsus$ impersonated the help

desk to the employee multiple times over several days, and if you take a look at the domain indicators of compromise that Talos publishes, a lot of these look to me like help desk impersonation: hey, I need a password reset; oh, this is the help zone for Cisco; so on and so forth. But ultimately the way they got in, in report speak, "ultimately succeeded in achieving MFA push acceptance." Yeah, spammed them until they said yes. All right, so that gives the initial foothold into the VPN. Where do they go from there? According to the report that Talos puts out, they compromised a series of Citrix servers. How, I don't know, but, you know, you can

throw a dart at the Citrix vuln board, you know, pick your own favorite 10-out-of-10 remote code execution, and then obtained privileged access to domain controllers. From there Lapsus$ dumped and exfilled the NTDS directory services database to extract credentials. I mean, at this point Cisco incident response had been thoroughly engaged. So if you remember the shot that I showed earlier about, hey, we're doing data extortion for money here, again this is an area where screenshots might look scary, but they may not tell you exactly what you think. What Talos was able to find is that there were only two things

that Lapsus$ was able to exfil from the environment. One was the contents of the Box.com account for the initial employee that was compromised, and yeah, that big dump of stuff from their domain controller. So the Box data in this case was not actually anything sensitive whatsoever, but that authentication data from Active Directory, yeah, Lapsus$ used that then to try to get back in. As part of this incident response process Cisco implemented a company-wide password reset, which, just pause right there, y'all: if you're talking a password reset of about 90,000 users or something like that, that's no small feat. But what happened after that is Lapsus$, after being kicked out, tried to make attempts going back in

again, and they were specifically targeting users that they thought might have just made a single-character password change. So if my Cisco password was GoWarriors2, they'd say, ah, maybe they reset it to GoWarriors3. The attacks, though, were ultimately unsuccessful, and Cisco was able to evict them from the environment. Let's hit another case study. Let's talk about Rockstar Games. For this one we don't actually know exactly how things happened. Rockstar did not publish detailed events or a timeline or engineering information, but from public reporting we do know that it cost them about $5 million in incident response costs, and there were 90 videos of unreleased GTA 6 that eventually were made public. And we

know they broke into Rockstar's internal Slack, because that's where they put their extortion message to say, if you don't contact me in 24 hours I will start releasing source code. Did they have source code, or did they just break into the Slack and download every single video file that someone had attached to a Slack thread? Don't exactly know. But what we do know is the tools that they used, because, turns out, WhiteDoxbin was already under arrest and in police custody at a cheap hotel. So when the police searched the environment, they found his tools. It was an Amazon Fire TV Stick, a Bluetooth keyboard, and a cheap mobile phone. This playbook does not cost

a lot of money to execute on. It's cheap. For our last case study, let's take a look at MGM Resorts. Now if you were scanning that timeline before, MGM Resorts is not on the Lapsus$ timeline, because it wasn't Lapsus$. And if you remember, this was back in September 2023, when basically every single computer involved in MGM Resorts was locked up with ransomware: slot machines, ATMs, the little door key card readers, the website, everything was knocked out of commission for about 10 days. And how did they get in? Well, vx-underground says they went on LinkedIn, found an employee, and called the help desk. That sure sounds like the Lapsus$ playbook, but we don't

necessarily need to trust a random person on Twitter. We can look into the exciting world of SEC 8-K filings. So, for those of you who might be familiar, the SEC recently made a change which says any material cybersecurity event must be disclosed to investors in an 8-K. Now what is a material cyber event versus a non-material one? Who knows; we're still trying to figure this thing out. The SEC is pretty notorious for not giving any guidance whatsoever about what materiality means in any context. So we're seeing a lot of different companies trying different things, between publishing basically a no-details PR statement to a little bit of information, trying to find that balance

between enough information so that the SEC won't come after them for not actually disclosing how serious something was, versus also not trying to give an attacker a blueprint of how to come in and attack them again. But we do have SEC filings from MGM in this case, and look, it's pretty bland: they identified a cybersecurity issue that affected certain company systems, like, you know, all of them. However, if you might remember, back then there were actually two ransomware attacks here. One happened to MGM, and they chose not to pay the ransom. The other one happened to Caesars Entertainment, and they did choose to pay the ransom. So if we look at Caesars' 8-K, they say it was a social

engineering attack on the outsourced IT support vendor used by the company. Now, do Caesars and MGM happen to use the same IT outsourcer? Maybe the same social engineering attack? Draw your own conclusions, but look, this feels like the playbook to me. All right, enough talking about doom and gloom. What the heck do we actually do about this? Let's play some defense. Let's talk about authentication. Unfortunately, we now live in a time where the only way that you're going to be able to defend against someone targeting specifically your organization is with phishing-resistant multifactor, right? That's security keys and that's passkeys. That push notification, that time-based one-time password, they are definitely a step up,

but it's going to be defeated by a teenager who's intent enough to keep coming after you using one of those meddler- or man-in-the-middle attack proxies. Also, with these WebAuthn phishing-resistant factors there's no MFA fatigue; there's no way to bombard the user over and over again until you spam them into submission. Also, the CSRB recommends that if you can take key business transactions that would normally be able to happen over a phone call and push them down to a layer where it requires an authentication event, all of a sudden you now have a technical solution to a social engineering attack. Let's talk about these business process outsourcers. All right, straight up, BPOs

are not incentivized for security by default. Their incentive, their financial incentive, is to give the person who asked them in a support ticket whatever they asked for as quickly as possible, because that's what makes the customer happy. The CSRB recommends that if you are going to use business process outsourcing, you need to make them have financial skin in the game. If you can include in the contract concrete security outcomes or processes that you want to see, and if they don't meet them they lose money, all of a sudden they start to have financial skin in the game and they start to get aligned. The CSRB also outlines that if you would not let your help desk person reset an

admin password off their personal computer, and they have to do it on a corporate-owned device with all of your agents on it to give you visibility into what's going on, you need to use the same thing at your BPO: send them company-owned laptops with all your agents preconfigured, have them go through the same cybersecurity processes as everyone else does in your company, or, as a lot of these companies did in the aftermath of the Lapsus$ attack, just bring this stuff back in house. Let's talk about telecom. Your telecom provider is not an identity provider. Their number one job is to make sure that every time I need to pick up a phone and call

for an ambulance, my call connects to 911 every single time. It's availability above everything else. If you make a telecom company your identity provider, your attack surface multiplies: SIM swaps, insider threats, an unattended kiosk at the Verizon store in Willmar, Minnesota, all become part of your attack surface. Telecom has a hard job, right: make sure that every call to 911 connects every single time. They're not thinking about being your identity provider; don't make them do it. Let's talk about basic cybersecurity hygiene. Over and over again the CSRB noted that the thing that was able to stop Lapsus$ was not any one of those shiny blinky boxes that they might be selling down at RSA next week. It was

doing the fundamentals and doing them well. Is everything covered by MFA? Is everything getting patched? Do you have a process at your organization so that when a security thing is found, it actually gets triaged and resources dedicated to it? Look, y'all, I'm still eating the vegetables at my place, right; these are hard, but these are the things that are going to give you better security outcomes than any sort of fancy, expensive AI drivel and whatnot. Let's talk about lying. All right, nobody tell my six-year-old, but lying is good, actually. So as we saw from that privilege escalation, Lapsus$, like so many other attackers, once they gain that initial foothold, they're going to search

everything else that they have access to. So if they're looking for passwords.xls, give them a passwords.xls to find. So shout out to canarytokens.org: you can generate free canary tokens, you can have them as a Microsoft Excel document that any time somebody opens it you get an alert. Now when you're dropping these you should be precise and targeted. Like, if you drop an AWS access key into your Slack but you don't have the logs to know who viewed it when, you're going to get a really scary alert that says someone somewhere is doing something up to no good, but no leads to follow on. So be intentional about where you place it; make sure it's surrounded by logging

that gives you the visibility to find out who that person was or which compromised credential set. Let's talk about the kids, y'all. The CSRB, in their final recommendations, noted that these were a bunch of teenagers and that there really wasn't any intervention that might have taken them off the path of cybercrime. I just felt, when reading this report, this sense of lost opportunity here. I mean, these guys were brilliant, and if they had been redirected from crime to help and play defense, that would be amazing. But I don't think it's just about the kids, right? We get to build our community. Security is hard and we need every available person that we can

get. If you haven't heard it from somebody else, you hear it from me: if you're a human being and you're interested in tackling these tough security problems, you have a place here and you belong in our community. So I would encourage you all to be really intentional about the community that we create. Invite the noob. All right, look at the BSidesSF code of conduct. They say that there's absolutely no tolerance for physical, verbal, or sexual harassment, no tolerance for intimidation or marginalizing any human being. Don't be an ass or we'll kick your ass out, I think, is a nice rule, not just for us here where we're making this space of learning today, but for the rest of our

community. And thank your BSidesSF volunteers and staff. Look, y'all, there's so much effort and energy that goes into putting on something like this, something that's driven by real security practitioners and not by salespeople. Consider volunteering yourself next year; it takes a lot of us to put this all together. And with this, as promised, 60 slides, I hope in less than 30 minutes. So if you want to get a hold of me, I'm Benjamin on the BSidesSF Slack, you can hit up my email, and as I said, you can get the slides, you just click that link, boom, you've got it. I'm releasing these slides under the Creative Commons non-commercial license, so if you want to take this back to your

own company and do a brown bag with some engineers that are interested in learning more, awesome, do it. You want to give a presentation to leadership on how they need to fund security keys? Go for it. If you want to make a Pluralsight course where people pay you to learn more about Lapsus$, go pound sand. But with that, let's open it up to questions.

All right, thank you very much, Benjamin. And Benjamin's on the BSides Slack, easy to find. I have three questions so far. Folks, if you have more questions, please put them in the Slido. First question, from Lyanna: how can there be MFA fatigue? Isn't there API endpoint rate limiting,

or did that only get implemented after these incidents?

Apparently not. I mean, look, even if you're talking about API rate limiting, the persistent part of advanced persistent teenager means that whatever your rate limit is, they're going to keep spamming your end users. Look, there are some risk mitigations that you can do here. Do you have logs? And if somebody gets, you know, 50 MFA pushes in an hour, maybe send an alert, go in, triage. But ultimately, moving to passwordless and something where you can't spam the user over and over again, I think, is going to be the right long-term move for everyone. So look, if you can't implement that yet, absolutely do some risk

mitigation strategies. But as to the details of whether or not Uber had rate limited their push MFAs, no idea, y'all, sorry.

Okay, next question is a quick correction: that Sitel didn't notify Okta, Okta detected the attack and reported it to Sitel, according to this comment. Next question.

I don't know if that's true or not. Next question.

How do you overcome the complexity to the user of activating passkeys and other phishing-resistant MFA?

This is a tough one, y'all. Look, I love passkeys because they are phishing-resistant and it opens up this world of opportunity for people without security keys. But man, that UI experience. I don't even know what the QR code is that pops

up all the time when I'm hitting the passkeys. Like, we definitely need to do work here as an industry to take this from people who are technically proficient to the everyday user. That said, if you are defending an organization, you have more resources at your disposal. You can write more help desk guides, you can have people literally showing up next to someone to walk them through this enrollment. I think we're going to see this roll out for enterprises first, before individuals, and yeah, I would really love to see passkeys be ubiquitous, simple, and easy for the most everyday user. I just don't think we're quite there yet. But if

you're defending an organization, you can push your organization there.

We have a question in the room.

Oh yeah, so let me repeat the question for the video: what about FIDO factors like YubiKeys, will those work? Yeah, yeah. So look, there's about a thousand different names for this. So FIDO, Fast Identity Online, made the initial standard. FIDO started with U2F, Universal Second Factor; that is phishing-resistant. There's been more complexity that's gone onto it; that has evolved into the WebAuthn standard, which means it doesn't have to be a second factor, it can be the whole thing that does passkeys. Again, that is phishing-resistant. If you've got a security key and you're not using it to generate, like, one-time password codes, you're doing something that's phishing-resistant. So even those

older U2F FIDO standards, totally good. We've got a little bit of word salad here on what exactly is phishing-resistant MFA, but yeah, FIDO, do it, it's awesome. Any more questions in the room?

All right, Benjamin, thank you so much. All right, we have a special thank-you gift for Benjamin from Socket Security.
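The MFA push-spamming defense that comes up in the talk's defense section and again in the Q&A (if somebody gets on the order of 50 MFA pushes in an hour, send an alert and triage) is easy to write as a detection rule, so here it is as an added example. This is not code from the talk, from the speaker, or from any of the companies discussed. The log format, the event names push.sent / push.denied / push.accepted, and every log line are constructed assumptions standing in for whatever your identity provider actually emits; the 50-per-hour threshold is the number the speaker mentions. It also adds a second rule the talk only implies: an accept that follows a run of denials is the moment someone was annoyed into hitting yes, and that is worth a ticket even when the raw push count stays under the first threshold.

```python
"""MFA push-bombing detection over constructed IdP push logs.

Added example, not code from the talk. The log format and the event names
(push.sent / push.denied / push.accepted) are assumptions standing in for
whatever your identity provider actually emits.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    action: str  # assumed names: push.sent, push.denied, push.accepted


def build_sample_log() -> str:
    """Constructed sample log (not real data): one normal login for alice,
    then a contractor hit with 55 pushes over about 40 minutes who denies
    54 of them and finally accepts the last one."""
    lines = [
        "2022-09-15T20:30:00Z alice push.sent",
        "2022-09-15T20:30:09Z alice push.accepted",
    ]
    t0 = datetime(2022, 9, 15, 21, 0, 0)
    for i in range(55):
        sent = t0 + timedelta(seconds=44 * i)
        answered = sent + timedelta(seconds=5)
        verdict = "push.accepted" if i == 54 else "push.denied"
        lines.append(f"{sent.strftime(TS_FMT)} contractor push.sent")
        lines.append(f"{answered.strftime(TS_FMT)} contractor {verdict}")
    return "\n".join(lines)


def parse_log(text: str) -> list[PushEvent]:
    """Parse 'timestamp user action' lines into events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_str, user, action = line.split()
        ts = datetime.strptime(ts_str, TS_FMT).replace(tzinfo=timezone.utc)
        events.append(PushEvent(ts, user, action))
    events.sort(key=lambda e: e.ts)
    return events


def detect_push_bombing(events, window=timedelta(hours=1), threshold=50):
    """Rule 1: too many pushes sent to one user inside a sliding window.
    Emits one alert per user, the first time the threshold is crossed."""
    recent = defaultdict(deque)  # user -> timestamps of push.sent in window
    alerted = set()
    alerts = []
    for e in events:
        if e.action != "push.sent":
            continue
        q = recent[e.user]
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e.user not in alerted:
            alerted.add(e.user)
            alerts.append({"rule": "push_bombing", "user": e.user,
                           "count": len(q), "first": q[0], "last": e.ts})
    return alerts


def detect_accept_after_denials(events, window=timedelta(hours=1), min_denials=3):
    """Rule 2: an accepted push preceded by several denials in the window.
    This is the 'annoyed into hitting yes' moment; it deserves a triage
    ticket even when the raw push count stays under rule 1's threshold."""
    denials = defaultdict(deque)  # user -> timestamps of push.denied in window
    alerts = []
    for e in events:
        q = denials[e.user]
        while q and e.ts - q[0] > window:
            q.popleft()
        if e.action == "push.denied":
            q.append(e.ts)
        elif e.action == "push.accepted" and len(q) >= min_denials:
            alerts.append({"rule": "accept_after_denials", "user": e.user,
                           "denials": len(q), "at": e.ts})
    return alerts


def run_rules(log_text: str) -> list[dict]:
    """Run both rules over a log and return the combined alert list."""
    events = parse_log(log_text)
    return detect_push_bombing(events) + detect_accept_after_denials(events)


if __name__ == "__main__":
    for alert in run_rules(build_sample_log()):
        print(alert)
```

Run stand-alone it prints two alerts for the contractor: the push-bombing alert fires on the 50th push, and the accept-after-denials alert fires on the final accept with 54 denials in the preceding hour; alice's single accepted push trips nothing. Rule 2 is the one that survives an attacker who paces pushes under your rate limit, which is the speaker's point that rate limiting alone does not stop a persistent teenager.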