Defend Against LAPSUS$ With Deception & Zero Trust Exchange

White Paper

Defending Against the LAPSUS$ Playbook with Deception and the Zscaler Zero Trust Exchange

© 2022 Zscaler, Inc. All rights reserved.

Introduction

Organizations have embraced multi-factor authentication (MFA) to defend against advanced attacks that use stealthy tactics to bypass defenses. Yet the LAPSUS$ threat group (a.k.a. DEV-0537) has subverted this preventive control by using stolen credentials bought on the dark web and by outright buying credentials from employees. With a compromised identity in hand, the group uses that access to exfiltrate and destroy data while extorting the victim organization.

In this white paper, we look at how sophisticated adversaries use the LAPSUS$ playbook to bypass preventive controls and execute an attack. We then provide guidance on how you can use the Zscaler Zero Trust Exchange, and its deception capabilities in particular, to detect such attacks and stop them before they cause damage.

Deconstructing the LAPSUS$ playbook

LAPSUS$, or DEV-0537, is relentless and methodical in its approach. The threat group invests a lot of time in social engineering campaigns to build a detailed picture of its victims. This includes gathering information about employees and organizational hierarchies and, once inside, the organization's crisis response workflows.

Security researchers at Microsoft have observed DEV-0537 and documented some of the group's TTPs, which help us build a picture of its playbook. Here is what that looks like, in kill chain order:

Initial access
The LAPSUS$ group uses a variety of tactics to get valid credentials for initial access. These include buying stolen credentials from the dark web, deploying Redline malware (a password stealer) to harvest credentials, and in some cases purchasing credentials and MFA access from employees of its victims.

Internal reconnaissance
Once inside, they use tools like AD Explorer to enumerate Active Directory, with the objective of finding high-value targets to escalate privileges to.

Privilege escalation
At this stage of the kill chain, they have been observed exploiting vulnerabilities in collaboration platforms like Confluence, JIRA, and GitLab to obtain the credentials of a privileged account.

Lateral movement
Once DEV-0537 owns the desired access level, they move laterally to business applications, information systems, and cloud tenants, which are their key targets.

Exfiltration and destruction
Once in possession of sensitive information and data, they either delete it or extort the victim organization. As one Microsoft research note observes, "In some cases, DEV-0537 has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made and DEV-0537 publicly leaked the data they stole."

Kill chain phase, attack technique, and Zscaler defense

Initial Access
  Attack technique: Uses stolen or purchased credentials to access internet-facing applications like VPNs, RDP, and VDI.
  Zscaler defense:
  - Reduce your attack surface by hiding applications behind the Zero Trust Exchange so that they are invisible to the internet.
  - Create decoys of internet-facing applications like VPNs and Citrix servers that attackers are very likely to target.
  - Extend command-and-control protection to all ports and protocols, including emerging C&C destinations.

Reconnaissance
  Attack technique: Uses AD Explorer to enumerate users, computers, and groups.
  Zscaler defense: Create decoy users, user groups, and computers in your Active Directory.

Privilege Escalation (application exploitation)
  Attack technique: Exploits vulnerabilities in collaboration platforms like Confluence, JIRA, and GitLab to get the credentials of a privileged account.
  Zscaler defense: Create decoys of internal apps like Confluence, JIRA, and GitLab that intercept any use of credentials to access the system.

Privilege Escalation (credential theft)
  Attack technique: Uses Mimikatz to extract credentials from memory on Windows. These credentials are then used to access higher-privileged accounts.
  Zscaler defense: Plant decoy credentials in Windows memory.

Lateral Movement
  Attack technique: Moves laterally to core business applications and cloud environments to gain access to the victim organization's data.
  Zscaler defense:
  - Prevent exploitation of private applications from compromised users with microsegmentation and full inline inspection of private app traffic.
  - Plant decoys of internal apps like code repositories, customer databases, and business applications, and of objects like S3 buckets and AWS keys in your cloud tenants.

Exfiltration
  Attack technique: Adversary uses their access to download sensitive data and extort the victim.
  Zscaler defense:
  - Plant decoy files and other sensitive-seeming information on endpoints.
  - Use data loss prevention to inspect outgoing traffic and evaluate destinations to stop adversaries from stealing sensitive data.
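The Reconnaissance and Privilege Escalation rows above both rest on decoy identities: a decoy user, group or computer in Active Directory, or a decoy credential left in LSASS memory for Mimikatz to find. The detection side is small enough to show. What follows is an added example written for this page, not Zscaler's code and not something the white paper ships. It assumes Windows Security events have been forwarded as JSON lines with the field names used in the constructed sample (EventID, TargetUserName, ServiceName, IpAddress, WorkstationName, TicketEncryptionType, roughly what Windows Event Forwarding or Winlogbeat emit), and the decoy account names are placeholders. One caveat the page leaves out: AD Explorer reads objects over LDAP, and domain controllers do not log LDAP reads per object by default, so a decoy identity is caught when the harvested identity is later used (an authentication event naming it), not at the moment it is enumerated.

```python
"""Honeytoken detector for decoy Active Directory identities.

Added example, not code from Zscaler or the white paper. Assumes Windows
Security events forwarded as JSON lines with the field names used in
SAMPLE_EVENTS (constructed below); decoy names are placeholders.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable, Optional

# Decoy identities planted in AD. No legitimate process ever authenticates
# as them, so any authentication event naming one is a high-confidence
# indicator of a breach, whatever the attacker's initial access was.
DECOY_USERS = {"svc-backup-legacy", "svc-sql-report"}  # svc-sql-report carries a registered SPN
DECOY_COMPUTERS = {"FS-ARCHIVE01"}

# Security event IDs that record an attempt to use an identity. LDAP reads
# (what AD Explorer does) are not logged per object by default, so the
# decoy is caught when the harvested identity is used, not when it is read.
AUTH_EVENT_IDS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT request",
    4769: "Kerberos service ticket request",
    4776: "NTLM credential validation",
}


@dataclass(frozen=True)
class Alert:
    event_id: int
    decoy: str
    source: str
    reason: str


def norm_name(name: str) -> str:
    """Normalise 'DOMAIN\\user', 'user@REALM' and 'HOST$' to a bare lowercase name."""
    name = name.split("\\")[-1].split("@")[0]
    return name.rstrip("$").lower()


DECOYS = {norm_name(n) for n in DECOY_USERS | DECOY_COMPUTERS}


def check_event(ev: dict) -> Optional[Alert]:
    """Return an Alert if this event references a decoy identity, else None."""
    try:
        eid = int(ev.get("EventID", 0))
    except (TypeError, ValueError):
        return None
    if eid not in AUTH_EVENT_IDS:
        return None
    source = ev.get("IpAddress") or ev.get("WorkstationName") or "unknown"
    target = norm_name(ev.get("TargetUserName", ""))
    if target in DECOYS:
        return Alert(eid, target, source, f"{AUTH_EVENT_IDS[eid]} as decoy identity")
    # 4769: ServiceName is the account whose SPN was requested. A decoy
    # service account exists only to be Kerberoasted, so any ticket request
    # for it is a hit; an RC4 ticket (type 0x17) matches the classic pattern.
    if eid == 4769:
        svc = norm_name(ev.get("ServiceName", ""))
        if svc in DECOYS:
            why = "service ticket requested for decoy SPN"
            if str(ev.get("TicketEncryptionType", "")).lower() == "0x17":
                why += " (RC4 ticket, Kerberoast pattern)"
            return Alert(eid, svc, source, why)
    return None


def scan(events: Iterable[dict]) -> list[Alert]:
    return [a for a in map(check_event, events) if a is not None]


def scan_jsonl(text: str) -> list[Alert]:
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample: a benign logon, a benign TGS request, a process-creation
# event that is ignored, and three touches of decoy identities.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.5.12", "WorkstationName": "WS-0412"}
{"EventID": 4768, "TargetUserName": "svc-backup-legacy", "IpAddress": "10.0.9.44"}
{"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc-sql-report", "TicketEncryptionType": "0x17", "IpAddress": "10.0.9.44"}
{"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.12"}
{"EventID": 4625, "TargetUserName": "CORP\\FS-ARCHIVE01$", "WorkstationName": "WS-9921"}
{"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe"}
"""

if __name__ == "__main__":
    for a in scan_jsonl(SAMPLE_EVENTS):
        print(f"ALERT event={a.event_id} decoy={a.decoy} from={a.source}: {a.reason}")
```

Running the block on the sample yields three alerts: the TGT request for the decoy user whose password was planted in memory, the RC4 service ticket request for the decoy SPN account, and the failed logon as the decoy computer account. In practice the one source of noise is your own authorized tooling (vulnerability scanners, identity audits) touching the decoys; exempt those source hosts explicitly rather than weakening the rule, so that every remaining hit keeps the high-confidence property the page describes.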

Closing Thoughts

The LAPSUS$ playbook is unique in the sense that it starts from a compromised user. Therefore, the most effective defense against this playbook comprises threat detection approaches that assume breach.

Zero trust and deception strategies both operate on the "assume breach" principle. Integrated together, they are your most effective defense in instances where an adversary has gained initial access and is now looking to establish a foothold and move laterally.

The Zscaler Zero Trust Exchange is the industry's only security service edge (SSE) platform that features inline application inspection and integrated deception technologies. These features add defense-in-depth to our best-in-class threat prevention and data protection capabilities, maximizing defenses against even the most challenging security threats, such as a compromised user or a supply chain attack.

By their very design, deception-based defenses do not trust any user or activity. No one knows that decoys exist in the environment, therefore any interaction with a decoy is a high-confidence indicator of a breach. It does not matter how an adversary gained initial access, or whether they are using AD Explorer to enumerate users or running a scan: a deception alert going off is proof of malicious intent.

This intrinsic high-fidelity, low-false-positive property of deception alerts, combined with the threat reduction and mitigation of a layered zero trust defense, makes the Zscaler Zero Trust Exchange a pragmatic approach to disrupting the playbooks of LAPSUS$-style threat operators, which require rapid response.

Recommendations

- Initial access defense: Reduce your attack surface by hiding applications behind the Zero Trust Exchange. Plant decoys of vulnerable internet-facing applications like VPN and Citrix servers. LAPSUS$ is known for using these to gain initial access.
- Stopping reconnaissance: LAPSUS$ uses AD Explorer for user enumeration. Protecting Active Directory is extremely difficult. Decoy users, user groups, and computers embedded in your Active Directory are a low-effort approach to detecting and stopping enumeration.
- Detecting privilege escalation: Deploy decoys of internal apps, and lures in system programs like password managers, to detect privilege escalation.
- Stopping lateral movement: Create decoys of business applications like code repositories, customer databases, and servers to intercept the attack and divert it away from the target.
- Averting exfiltration: Decoy files detect exfiltration attempts. Data loss prevention inspects outgoing traffic and evaluates destinations to stop adversaries from stealing sensitive data.
- If you already use ZPA, configure the conditional access policy to contain attacks and block access to the rest of the environment.

About Zscaler

Zscaler (NASDAQ: ZS) accelerates digital transformation so that customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SASE-based Zero Trust Exchange is the world's largest inline cloud security platform. Learn more at zscaler.com or follow us on Twitter @zscaler.

Zscaler, Inc. (HQ), 120 Holger Way, San Jose, CA 95134, +1 408.533.0288

Zscaler, Zero Trust Exchange, Zscaler Internet Access, ZIA, Zscaler Private Access, and ZPA are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners. zscaler.com
