Type
Campaign
Actors
Pub. date
March 22, 2022
Initial access
End-user compromise
Impact
Data exfiltration, Data destruction, RansomOp
Observed techniques
Targeted technologies
References
https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
https://www.wiz.io/blog/hardening-your-cloud-environment-against-lapsus-like-threat-actor
https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf
Status
Finalized
Last edited
Jun 2, 2024 8:02 AM
According to Microsoft Threat Research, as part of LAPSUS$’s large-scale social engineering and extortion campaigns, the group also gained access to several of its targets’ cloud environments.
LAPSUS$ initially targeted organizations in the UK and South America, and then expanded their activity to other countries.
Their attack flow can be split into the following three stages:
- Gaining initial access to on-premises environments through compromised users - using social engineering techniques, the threat actors impersonated user accounts and bypassed insecure authentication mechanisms in order to gain access to their targets’ cloud environments.
- Abusing access to exploit unpatched applications and gather exposed secrets - after gaining initial access, the threat actors abused their obtained privileges to perform additional malicious actions such as spinning up new resources to stage their activity, exploiting known vulnerabilities in newly accessible resources, escalating their privileges and moving laterally. If they were able to grant themselves administrator status, they would also lock out existing admin users.
- Gaining access to internal cloud infrastructure resources - the threat actors moved further laterally into their targeted organizations’ cloud environments until they gained access to sensitive data they deemed usable for extortion. Once they decided they had reached their goals, they deleted the compromised systems and resources.
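A detection heuristic for the behaviours described in the second and third stages (a principal granting itself admin, then locking out other admins, then a burst of deletions), added here as an example and not part of the original entry or the cited reports; the event schema, field names and sample events are constructed and hypothetical, not any cloud provider's real audit-log format.

```python
"""Heuristics over a constructed, generic audit-event shape (hypothetical):
{"ts": seconds, "actor": principal, "action": ..., "target": ..., "role": ...}."""
from collections import defaultdict

# Constructed sample events, chronological: alice grants herself Admin,
# revokes Admin from bob and carol, stages a VM, then deletes three resources.
SAMPLE_EVENTS = [
    {"ts": 1, "actor": "alice", "action": "RoleGrant", "target": "alice", "role": "Admin"},
    {"ts": 2, "actor": "alice", "action": "RoleRevoke", "target": "bob", "role": "Admin"},
    {"ts": 3, "actor": "alice", "action": "RoleRevoke", "target": "carol", "role": "Admin"},
    {"ts": 4, "actor": "alice", "action": "CreateInstance", "target": "vm-stage-1"},
    {"ts": 5, "actor": "alice", "action": "Delete", "target": "db-prod"},
    {"ts": 6, "actor": "alice", "action": "Delete", "target": "bucket-backups"},
    {"ts": 7, "actor": "alice", "action": "Delete", "target": "vm-app-1"},
    {"ts": 8, "actor": "dave", "action": "Delete", "target": "vm-test"},
]

ADMIN_ROLE = "Admin"
DELETE_BURST_THRESHOLD = 3   # deletions by one actor inside the window
DELETE_WINDOW = 60           # seconds

def _is_self_admin_grant(e):
    return e["action"] == "RoleGrant" and e.get("role") == ADMIN_ROLE and e["target"] == e["actor"]

def find_self_admin_grants(events):
    """Principals that granted the admin role to their own account."""
    return sorted({e["actor"] for e in events if _is_self_admin_grant(e)})

def find_admin_lockouts(events):
    """Self-granted admins that afterwards revoked admin from other principals."""
    granted, flagged = set(), {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if _is_self_admin_grant(e):
            granted.add(e["actor"])
        elif (e["action"] == "RoleRevoke" and e.get("role") == ADMIN_ROLE
              and e["actor"] in granted and e["target"] != e["actor"]):
            flagged.setdefault(e["actor"], []).append(e["target"])
    return flagged

def find_delete_bursts(events, threshold=DELETE_BURST_THRESHOLD, window=DELETE_WINDOW):
    """Actors with >= threshold deletions inside any sliding window of `window` seconds."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "Delete":
            by_actor[e["actor"]].append(e["ts"])
    bursts = {}
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                bursts[actor] = j - i   # size of the first burst found
                break
    return bursts
```

Chaining the three signals on the same principal in a short time span is what separates this pattern from routine admin churn; each signal alone will fire on legitimate operations work.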