Lapsus$

An area of strength of the Lapsus$ group is their intrusion techniques. The group does not use any sophisticated techniques to get inside networks and systems, instead, they leverage well-known strategies that include the use of a credential stealer malware called “Redline”, social engineering tactics, and the purchase of stolen passwords and session tokens on the DarkWeb. The group also frequently attempts to hire insiders from target companies. In one case, the group offered employees at Verizon and AT&T as much as $20,000 a week to aid in the criminal operation.

While Lapsus$ has gained infamy through its attacks on major corporations, users of on the DarkWeb forums have been exposing the group, especially on one of its members. On the Russian DarkWeb forum “.XSS”, a threat actor under alias “UnknownDeath” created a thread trouncing on one of the Lapsus$ members.

From Perimeter Watch Threat Intelligence Team’s investigation, UnknownDeath is talking about the database of DoxBin. DoxBin is a community website where hackers “dox” anyone they want, but mostly aimed towards other threat actors or hackers. Doxing is a term used to publish private or identifying information about a specific individual on the internet, mostly for malicious intent. Apparently, one of the members of Lapsus$, under the alias of “White”, was a former owner of the DoxBin website, but because of White’s mismanagement the website began to lose popularity. Before selling DoxBin back to its original owners, White released the database of DoxBin users out of spite. Doing so, White became public enemy number one amongst the members of DoxBin. The currently owner of DoxBin has published a dox of White, with information including name, emails, passwords, family members, etc.

Evidence shows that the Lapsus$ group may not be seasoned hackers. Instead, the group may be a group of teenagers ranging from ages 16 to 21. One evidence is the doxing of White, a member of Lapsus$. In the dox, it is mentioned that White is a 16-year-old teenager from the United Kingdom. Also evident is the organization and activity of the Lapsus$ group. Unlike most ransomware gangs who uses a shame blog website to post stolen data, Lapsus$ post all their activity and leaks on their Telegram Channel. They announce their target and then shares leaks almost immediately once they exfiltrate the data, thus, giving no time for their victim’s to even pay a ransom. This behavior indicates that the group’s goal may not be financial, instead, they are doing this for the thrill, which illustrates how young the threat actors are. Many cyber security researchers also believe the gang is formed by a group of teenagers. In fact, it is currently believed that the leader of the group is White, the 16-year-old from the United Kingdom. If true, it would make sense considering the dysfunction of the group is like White’s mismanagement of DoxBin. Considering he was easily doxed by his adversaries, White’s security operations (SecOp) has been relatively poor and that has trickled down to Lapsus$ SecOps, which has been continuously mentioned as “garbage” by users on the DarkWeb forums. Lapsus$ poor SecOps has led to a recent arrest in London of seven of their members, however, it is currently unclear if they are indeed related to Lapsus$ as the group has posted in their Telegram channel that the arrests of seven teenagers have no relation to them.