The Who, What, and Why of these High-profile Attacks
While the Lapsus$ ransomware gang is relatively new, it is quickly making a name for itself by bringing down big targets such as Samsung and Nvidia in the US, Impresa in Portugal, and Brazil's Ministry of Health and the Brazilian telecommunications operator Claro. The main attack vector is phishing, which the group uses to gain a foothold before moving on to the rest of the network from there.
Lapsus$ is unlike other cybercrime gangs: so far it has been mostly interested in leaking data, with the stated goal of open-sourcing proprietary software for the good of the community, with a lean toward gamers. At their core, their attacks are still extortion attempts, and they put the victims' users at risk through potential collateral damage.
How Phishing Works
Expert analysis so far suggests that the Lapsus$ group typically starts its ransomware attacks with phishing emails. According to a global survey of Managed Service Providers (MSPs), phishing is behind over half of all ransomware attacks. Phishing is an easy way into corporate networks: with a single download, or a click through to a website where login credentials are entered, attackers can begin to infiltrate a network, escalating privileges until they control administrator-level accounts. Lapsus$ then exploits this access in blatant displays of control, such as taking over victims' Twitter and other social media accounts. It is highly likely that this level of showmanship will be lauded by the hackers' contemporaries and may become part of an ongoing attack profile.
Spray and Pay: Researchers have identified a tactic known as 'spray and pay' used by the group. It starts with a mass mailout of spam emails; the phishers then choose which network to target based on the results of the phishing campaign. The researchers found that the choice of target was based on "sector, geolocation or perceived security posture".
How You Can Prevent Being the Next Phishing Victim
Broadly, here are process, people, and technology tips for both consumers and IT / security pros to help you combat ransomware attacks and phishing.
Ransomware is dangerous for any company, not just large corporations. Hacking gangs offer Ransomware-as-a-Service (RaaS) using subscription models for payment. All companies, across all sectors and of all sizes, are at risk of the damage done by a ransomware attack.
Malware remains the most common form of cyberattack used to enter organizations, and phishing is the most common tactic for delivering it, according to the Cisco Annual Cybersecurity Report.
To better protect your organization from the harms of ransomware, make sure that you:
- Deploy an anti-spam, anti-phishing email protection platform that can scan inbound emails and detect even advanced threats.
- Use web content filtering to prevent employees from navigating to harmful websites.
- Enable multi-factor authentication (2FA/MFA) to control access to local and cloud apps.
- Use security awareness training with all staff members to improve security hygiene and help detect phishing emails and social engineering attempts.
For end users, phishing emails and text messages may look like they're from a company you know or trust. They may look like they're from a bank, a credit card company, a social networking site, an online payment website or app, or an online store.
Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment.
They may include some or all of the following:
- say they’ve noticed some suspicious activity or log-in attempts
- claim there’s a problem with your account or your payment information
- say you must confirm some personal information
- include a fake invoice
- want you to click on a link to make a payment
- say you’re eligible to register for a government refund
- offer a coupon for free stuff
Four steps individuals can take to protect themselves from phishing:
- Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
- Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
- Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The additional credentials you need to log in to your account fall into two categories:
- Something you have — like a passcode you get via an authentication app or a security key.
- Something you are — like a scan of your fingerprint, your retina, or your face.
Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password. Modern security platforms also understand your device, department, location, and usage patterns to further protect you.
- Protect your data by backing it up. Back up your data regularly and make sure those backups aren’t connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone regularly, too.
More from the FTC about consumer protection from phishing here.
Tactically, for IT and security pros: the Lapsus$ gang seems to use CLOP ransomware, named after the file extension it appends. CLOP is designed to evade detection; newer versions attempt to disable and remove locally installed anti-virus software, including Windows Defender and Microsoft Security Essentials. To counter this:
- Use multi-factor authentication (2FA/MFA) to control access to local and cloud apps.
- Train all staff to recognize the typical signs of a phishing email.
- CLOP can circumvent local anti-virus tools. Augment these tools using a Web Content Filtering platform. This stops an employee from opening phishing websites used to infect the network with CLOP ransomware.
- Stop CLOP at the source by using an email protection service to stop spam emails before they reach employee devices. Certain best-of-breed email protection systems proactively protect Office 365 email, performing an anti-virus check on every incoming email.
- Use a monitoring system designed for malicious threats like CLOP ransomware. These systems leverage smart technologies such as machine learning to detect threats in real time.
Unlike traditional anti-virus software, smart monitoring platforms not only identify and alert on issues but also update in real time to remediate active phishing and other cyber threats.
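The monitoring point above, as an added example that is not part of the original article or any vendor product: a small Python triage script that scans process-creation log lines (a constructed sample, in an assumed simplified "time host user command" format) for the anti-virus tampering the text attributes to newer CLOP versions, and escalates only hosts where several distinct tampering actions occur together.

```python
import re

# Constructed sample of process-creation log lines (not real telemetry).
# Assumed format: "<time> <host> <user> <command line>".
SAMPLE_LOG = r"""
2022-03-07T10:01:02Z ws-17 jdoe powershell.exe -c Get-Date
2022-03-07T10:01:15Z ws-17 jdoe powershell.exe -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
2022-03-07T10:01:16Z ws-17 jdoe reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2022-03-07T10:01:20Z ws-17 jdoe sc.exe stop WinDefend
2022-03-07T10:02:00Z ws-22 asmith notepad.exe report.txt
2022-03-07T10:02:30Z ws-22 asmith powershell.exe Add-MpPreference -ExclusionPath C:\Users\asmith\Downloads
"""

# Each rule names one way of switching off or hollowing out Windows Defender
# (or Microsoft Security Essentials, whose service is MsMpSvc) from a command line.
TAMPER_RULES = [
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("defender_policy_disable",
     re.compile(r"Windows Defender.*\bDisableAntiSpyware\b.*/d\s+1\b", re.I)),
    ("av_service_stopped",
     re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+(?:WinDefend|MsMpSvc)\b", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)),
]


def scan_for_av_tampering(log_text: str) -> list:
    """Return (time, host, user, rule, command) for each line a rule matches."""
    findings = []
    for raw in log_text.strip().splitlines():
        parts = raw.split(" ", 3)          # three fixed fields, then the command
        if len(parts) < 4:
            continue
        time, host, user, cmd = parts
        for rule, pattern in TAMPER_RULES:
            if pattern.search(cmd):
                findings.append((time, host, user, rule, cmd))
                break                      # one finding per line is enough
    return findings


def hosts_to_escalate(findings: list, min_rules: int = 2) -> dict:
    """Hosts where at least `min_rules` distinct rules fired: one exclusion or
    service stop can be routine admin work; a run of them is the signal."""
    rules_by_host = {}
    for _, host, _, rule, _ in findings:
        rules_by_host.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in rules_by_host.items() if len(r) >= min_rules}
```

On the sample, ws-17 trips three different rules and is escalated, while ws-22's single exclusion is recorded but left for review.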
Our mission, like yours, is to provide your employees, students, faculty and more with a safe, user-friendly and secure environment by:
- Giving full visibility, with RF and network sensors seeing 100% of your devices and infrastructure across all stages of an attack: infiltration, persistence, and exfiltration
- Reducing Mean Time to Resolution (MTTR), with AI/ML-powered, automated remediation that drives a >70% reduction in threat hunting times
- Boosting user experience, by reducing support ticket volumes and lowering alert noise for a >60% gain in operational efficiency (~1.4 FTE service savings per site, per shift)
Each of these benefits on its own can offer 5-6 figure USD savings per year, shortening the payback period on your investment.
The perfect cybersecurity storm has arrived. Consider intelligent device and infrastructure security today.
To learn more in a zero-touch, no-obligation demo or POC, please contact us.