What You Need to Know About the LAPSUS$ Supply Chain Attacks

Join the ThreatLabz research team and our product experts on Tuesday, 3/29/22 at 9:30am PT for an analysis of the LAPSUS$ Okta attack and strategies for assessing and reducing the impact to your organization.

The extortion threat group LAPSUS$ arrived on threat researchers' radar back in December 2021, with a burst of erratic attacks that represent a notable departure from the business-like operations of ransomware gangs. 

This brazen group uses smash-and-grab methods to extort organizations, with techniques that include island-hopping supply chain attacks, phone-based vishing scams, targeting personal emails accounts, buying compromised credentials, and even paying employees or business partners to gain access to permissioned accounts. At first, LAPSUS$ threat activity was focused on companies in South America but has since expanded to high-profile attacks on some of the world’s largest tech companies including LG, Microsoft, NVIDIA, Okta, Samsung, Ubisoft, and Vodafone.

The latest data leaks from LAPSUS$, including partial source code from Microsoft and data of up to 366 Okta customers, have launched this group into the media spotlight and captured the attention of the cybersecurity industry. The Okta breach could be categorized as a supply chain attack that used a compromised user account from a third-party service contractor to access sensitive systems and clients. Also known as “island hopping,” this technique requires only a single account as an entry point to exploit an integrated ecosystem of connected organizations. 

Following these events, it is important that security leaders take to task anticipating how a similar attack would impact their own organization and use this mindset to develop an effective defense strategy. This mentality of preparing for the worst instinctively lends itself to deploying a zero trust strategy. The rest of this article is focused on methods to assess your defenses and break down how zero trust can help you improve your security posture and reduce the impacts of targeted supply chain attacks, insider threats, and data breaches.

Mitigating a supply chain attack or compromised user with zero trust

Stopping an upstream supply chain attack or compromised user can be one of the toughest tasks in security. While there are no silver bullets, a zero trust architecture can dramatically reduce the blast radius of a successful attack by ensuring you can:

• Minimize the attack surface: Make apps (and vulnerable VPNs) invisible to the internet, and impossible to compromise, ensuring an attacker can’t gain initial access.
• Prevent initial compromise: Inspect all traffic in-line to automatically stop zero-day exploits, malware, or other sophisticated threats.
• Enforce least privileged access: Restrict permissions for users, traffic, systems, and applications using identity and context, ensuring only authorized users can access named resources.
• Block unauthorized access: use strong multi-factor authentication (MFA) to validate user access requests. 
• Eliminate lateral movement: Connect users directly to apps, not the network, to limit the blast radius of a potential incident.
• Shutdown compromised users and insider threats: Enable inline inspection and monitoring to detect compromised users with access to your network, private applications, and data.
• Stop data loss: Inspect data in motion and data at rest to stop active data theft during an attack.
• Deploy active defenses: Leverage deception technology with decoys and perform daily threat hunting to derail and capture attacks in real-time.
• Cultivate a security culture: Many breaches begin with compromising a single user account via a phishing attack. Prioritizing regular cybersecurity awareness training can help reduce this risk and protect your employees from compromise. 
• Test your security posture: Get regular third-party risk assessments and conduct purple team activities to identify and harden the gaps in your security program. Request that your service providers and technology partners do the same and share the results of these reports with your security team. 

Zscaler helps defend your organization from supply chain attacks

Supply chain attacks continue to be an effective tool for attackers. Because you can’t manage the security posture of all your partner organizations, it’s important to have multiple layers of protection and visibility across your environment. As part of the Zero Trust Exchange, our integrated platform helps you:

1. Identify and stop malicious activity from compromised servers by routing all server traffic through Zscaler Internet Access.
2. Restrict traffic from critical infrastructure to an “allow” list of known-good destinations.
3. Ensure that you are inspecting all SSL/TLS traffic, even if it comes from trusted sources.
4. Turn on Advanced Threat Protection to block all known command-and-control domains.
5. Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall, including emerging C&C destinations.
6. Use Advanced Cloud Sandbox to prevent unknown malware delivered in second stage payloads.
7. Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access to establish user-to-app segmentation policies based on the principles of least privileged access, including for employees and third-party contractors.
8. Prevent private exploitation of private applications from compromised users with full in-line inspection of private app traffic, with Zscaler Private Access.
9. Limit the impact from a potential compromise by restricting lateral movement with identity-based microsegmentation.
10. Detect and contain attackers attempting to move laterally or escalate privileges by luring them with decoy servers, applications, directories, and user accounts with Zscaler Deception.

Additional Resources

Read the ThreatLabz security advisory: Lapsus$ Attack on Okta: How to Evaluate the Impact to your Organization for a technical analysis of the threat, practical SOC playbook, and recommended detection rules from Zscaler’s threat research team. 

Learn more: join a live ThreatLabz briefing on Tuesday, March 22 and 9:30am PT for updated information on the LAPSUS$ attack on Okta, a walkthrough of our SOC playbook, and zero trust strategies for preventing and mitigating damage from similar compromises in the future. Register now.