Strawberry Tempest (MS), DEV-0537 (MS)
LAPSUS$ was a notorious extortion-focused threat actor that gained access to multiple large organizations and exfiltrated sensitive data and source code throughout 2022. Some members of LAPSUS$ were exposed, and some were arrested. Known members were located in Brazil and the UK. The group used social engineering and SIM swapping to gain initial access to its targets. When targeting cloud environments, LAPSUS$ often made use of compromised credentials, spun up new workloads for staging purposes, and created new admin accounts while locking out existing ones. LAPSUS$ also exploited vulnerabilities affecting internal servers for privilege escalation, and notably gained access to communication apps in order to monitor its targets' incident response activities and thereby gain leverage in its extortion efforts.