The hot new name in extortion attacks is Lapsus$. If you haven’t heard of them, you’ve probably heard of some of the companies they attacked, including Nvidia, Samsung, Okta and Microsoft, to name a few. For the uninformed, Lapsus$ is a hacking group that focuses on data theft and extortion rather than encrypting systems with ransomware. The group mainly targets corporations, and has racked up a disconcerting list of noteworthy global victims.
Often, Lapsus$ abused the human weaknesses inside companies, such as IT help desks or customer support staff. In other cases, they bought already-stolen credentials and session tokens from criminal marketplaces. Some cybersecurity professionals may dismiss these as low-sophistication threats. The reality is that sophistication is not the only metric that makes an attacker menacing; audacity counts just as much.
From social engineering and SIM swapping to crafty phishing and openly recruiting insiders, the Lapsus$ operators use whatever access they obtain to gain a foothold in the corporate network through the usual remote-access channels: VPN and Virtual Desktop Infrastructure (VDI).
This vividly highlights the fact that if humans work for you, you are vulnerable to social engineering. No one should be treated as incorruptible. The immediate implication for cloud resources is that you should reduce the permissions people hold to the minimum they actually require to do their job. Because the cloud usually holds very sensitive resources, giving anyone who might be compromised (virtually everyone!) excessive permissions needlessly exposes the crown jewels of the organisation.
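Finding that "minimum they actually require" is a comparison between what an identity was granted and what it has actually exercised over a lookback window. The script below is an added example, not code from the original post or from Skyhigh Security: it takes a hypothetical role's grants (wildcards included, written in the familiar `service:Action` style) and a constructed list of actions observed in an audit trail, then reports grants that were never used, wildcards that can be narrowed to the concrete actions they covered, the minimal action list the role really needs, and anything the identity did that no grant explains.

```python
from fnmatch import fnmatchcase

# Constructed example data: hypothetical role grants in "service:Action" style.
# Not a policy from any real account.
GRANTED = [
    "s3:*",                   # broad wildcard granted "to be safe"
    "s3:GetObject",           # redundant once s3:* exists
    "iam:*",                  # never exercised by this role
    "kms:Decrypt",
    "ec2:DescribeInstances",  # never exercised by this role
]

# Actions this identity actually performed over the lookback window
# (constructed; in practice these come from the provider's audit log).
OBSERVED = [
    "s3:GetObject", "s3:GetObject", "s3:ListBucket",
    "kms:Decrypt",
    "sts:GetCallerIdentity",  # used but not covered by any grant above
]


def right_size(granted, observed):
    """Compare grants with exercised actions.

    Returns a dict with:
      unused    - grants (wildcards included) that no observed action matched
      minimal   - the concrete actions actually used and permitted, i.e. the
                  policy least privilege says this role should have
      narrowed  - wildcard grants mapped to the concrete actions they covered
      uncovered - observed actions that no grant matches (worth a look:
                  either another policy allows them or something is wrong)
    """
    used_by_grant = {g: set() for g in granted}
    uncovered = set()
    for action in observed:
        matched = [g for g in granted if fnmatchcase(action, g)]
        if not matched:
            uncovered.add(action)
            continue
        for g in matched:
            used_by_grant[g].add(action)

    unused = sorted(g for g, used in used_by_grant.items() if not used)
    minimal = sorted(set().union(*used_by_grant.values()))
    narrowed = {g: sorted(used) for g, used in used_by_grant.items()
                if "*" in g and used}
    return {
        "unused": unused,
        "minimal": minimal,
        "narrowed": narrowed,
        "uncovered": sorted(uncovered),
    }


if __name__ == "__main__":
    for key, value in right_size(GRANTED, OBSERVED).items():
        print(f"{key:10}: {value}")
```

Run periodically against real audit data, the `unused` and `narrowed` output is the permission creep the post warns about, and `minimal` is the policy to replace the current one with. The `uncovered` list matters too: an action that succeeded without a matching grant means another policy is in play and the review is incomplete.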
How did these breaches occur?
Predominantly using large-scale social engineering and manipulation, the Lapsus$ group has accumulated an imposing list of victims globally. Interestingly, the incidents share a common approach: they all involved the use of valid credentials, ultimately abusing whatever permissions had been granted to that identity. These attacks are a glaring reminder that authentication (who are you?) and authorisation (what can you do?) are critical to security posture. The principles of least privilege and zero trust have never been more applicable.
What can be done?
Despite your best efforts on authentication and authorisation, a breach can still happen at the hands of a motivated insider, or of an attacker who has bought or stolen a legitimate identity.
This raises the question: how do you determine whether a trusted, authorised entity's actions are malicious? Permission sets have a nasty habit of creeping and growing over time, and the damage one compromised identity can do grows with them.
As part of a Zero Trust Network Access (ZTNA) approach, organisations are encouraged to segment their networks, assess the security posture of requesting devices, and provision access to apps and resources contextually (using Data Loss Prevention (DLP) and Remote Browser Isolation capabilities).
In the ill-fated case of an insider threat, anomaly-based detection and behavioural analysis can help spot and mitigate abnormal, potentially dangerous behaviour by building a baseline of "normal activity" for that specific user, device and context, then highlighting deviations from it so that action can be taken swiftly.
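The mechanics of that baseline-and-deviation approach, which is also the practical answer to the question above of how to tell a trusted identity's legitimate actions from malicious ones, are easier to see in code. What follows is an added example rather than anything from the original post or from Skyhigh Security's product: it learns a per-user profile (source countries, apps used, active hours, peak daily downloads) from a constructed history of access events, then scores a second constructed batch in which a valid account suddenly logs in from a new country at night, opens an admin console it never used before and starts bulk-downloading. The log format and user, app and country names are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access events, one per line:
#   "<UTC timestamp> <user> <country> <app> <action>"
# These lines are made up for the example; they are not real telemetry.
HISTORY = """\
2022-03-01T09:12:00Z alice GB okta login
2022-03-01T09:15:00Z alice GB sharepoint read
2022-03-01T14:40:00Z alice GB sharepoint download
2022-03-02T08:55:00Z alice GB okta login
2022-03-02T10:02:00Z alice GB salesforce read
2022-03-03T09:30:00Z alice GB okta login
2022-03-03T16:10:00Z alice GB sharepoint download
2022-03-04T09:05:00Z alice GB okta login
2022-03-04T11:20:00Z alice GB sharepoint read
""".splitlines()

RECENT = """\
2022-03-07T09:01:00Z alice GB okta login
2022-03-07T09:20:00Z alice GB sharepoint read
2022-03-07T23:48:00Z alice BR okta login
2022-03-07T23:50:00Z alice BR admin-console read
2022-03-07T23:52:00Z alice BR sharepoint download
2022-03-07T23:53:00Z alice BR sharepoint download
2022-03-07T23:54:00Z alice BR sharepoint download
2022-03-07T23:55:00Z alice BR sharepoint download
""".splitlines()


def parse_event(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    ts, user, country, app, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user, "country": country, "app": app, "action": action,
    }


def build_baseline(lines):
    """Per-user profile of 'normal': source countries, apps, active hours and
    the most downloads seen in any single day."""
    profiles = defaultdict(lambda: {"countries": set(), "apps": set(), "hours": set(),
                                    "downloads_per_day": defaultdict(int)})
    for ev in map(parse_event, lines):
        p = profiles[ev["user"]]
        p["countries"].add(ev["country"])
        p["apps"].add(ev["app"])
        p["hours"].add(ev["ts"].hour)
        if ev["action"] == "download":
            p["downloads_per_day"][ev["ts"].date()] += 1
    for p in profiles.values():
        p["max_daily_downloads"] = max(p["downloads_per_day"].values(), default=0)
    return profiles


def detect_anomalies(profiles, lines):
    """Score each recent event against its user's baseline.
    Returns (timestamp, user, reasons) for every event that deviates."""
    findings = []
    downloads_today = defaultdict(int)  # (user, date) -> running download count
    for ev in map(parse_event, lines):
        p = profiles.get(ev["user"])
        if p is None:
            findings.append((ev["ts"], ev["user"], "no baseline for this user"))
            continue
        reasons = []
        if ev["country"] not in p["countries"]:
            reasons.append(f"new country {ev['country']}")
        if ev["app"] not in p["apps"]:
            reasons.append(f"first use of app {ev['app']}")
        if ev["ts"].hour not in p["hours"]:
            reasons.append(f"unusual hour {ev['ts'].hour:02d}h")
        if ev["action"] == "download":
            key = (ev["user"], ev["ts"].date())
            downloads_today[key] += 1
            if downloads_today[key] > p["max_daily_downloads"]:
                reasons.append(f"download volume {downloads_today[key]} "
                               f"exceeds baseline max {p['max_daily_downloads']}")
        if reasons:
            findings.append((ev["ts"], ev["user"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ts, user, why in detect_anomalies(build_baseline(HISTORY), RECENT):
        print(f"{ts:%Y-%m-%d %H:%M}Z {user}: {why}")
```

Every event in the second batch was authenticated and authorised; nothing here inspects credentials at all. The first two events match the profile and stay silent, while the night-time session from a new country accumulates reasons with each action, which is exactly the signal a stolen session token or a recruited insider produces. The baseline shown is deliberately crude (exact hour sets, a single peak-downloads threshold, and a user seen only in the recent batch is flagged as having no baseline); a production system would use distributions and tolerances and would also profile the device and network context, but the shape of the logic is the same.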
But, of course, security is more than just a collection of technical controls. Security practitioners must review the permissions, processes and procedures used by their stakeholders and trusted entities – both internal and third party. The aforementioned attacks have prompted the security world to take heed of these fundamentals.
Use Skyhigh Security?
- Protect your private apps and resources from being exposed to the internet
- Block unmanaged devices, enforce Multi-Factor Authentication and many other contextual access policies to help stop the successful reuse of stolen cloud application credentials
- Evaluate user activities beyond initial logins to include user movements, behaviours, access to corporate services, locations, and many other potential anomalies
About Skyhigh Security
When your sensitive data spans the web, cloud applications, and infrastructure, it’s time to rethink your approach to security. Imagine an integrated Security Service Edge solution that controls how data is used, shared, and created, no matter the source. Skyhigh Security empowers organizations to share data in the cloud with anyone, anywhere, from any device without worry. Discover Skyhigh Security, the industry-leading, data-aware cloud security platform.