[Update]Detailed Analysis of LAPSUS$ Cybercriminal Group that has Compromised Nvidia, Microsoft, Okta, and Globant

Published on April 4, 2022
Source: A1 | Industry: IT & Technology | Region: USA | Category: Adversary Intelligence

Executive Summary

  • Update: The Lapsus$ ransomware group’s most recent target is the IT and software services giant Globant. This article has been updated with an analysis of the attack on Globant, which came to light on 30 March 2022.
  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on Telegram sharing Nvidia employee credentials and Samsung’s source code. The latest additions to this list of high-profile targets are Microsoft, whose Cortana and Bing source code was leaked, and the SSO giant Okta, whose customer data was exfiltrated.
  • The Lapsus$ ransomware gang claimed to have compromised Nvidia and then targeted Samsung, further claiming to have gained access to source code used in Samsung Galaxy smartphones, Okta’s customer data, etc.
  • The ransomware gang leaked source code, dehashed credentials, code signing certificates and driver source code. The leaked data gives threat actors the potential to gain unauthorized access to Nvidia’s personal, proprietary and Intellectual Property (IP) data. They have also leaked source code which they claim covers 90% of Bing Maps and 45% of Bing and Cortana.
  • While writing this report, we discovered that PII (Personally Identifiable Information), or dox information, relating to the Lapsus$ ransomware gang was released on a Russian-language cybercrime forum.
This screenshot was posted on the Telegram group; on close analysis we can see that they have access to Jira, Slack, G Suite and other internal applications as well. RDP access is being used in the screenshot.

Analysis and Attribution

Information from the Telegram

On 22 March 2022 the group claimed to have leaked Bing Maps, Bing and Cortana source code. Our threat intelligence team has confirmed that these claims are true; shortly afterwards, Microsoft and Okta published official blogs confirming the breaches.

Original Perpetrators of Breach

The LAPSUS$ cybercriminal group is known to exploit the weakest link in the security chain of a corporate network: human mistakes and bad practices.

They achieve initial access using the following tactics:

  • Logs from the Redline stealer malware.
  • Popular marketplaces like amigos and russian-market, used to obtain logs, credentials and session tokens that grant access.
  • Paying insiders to provide them with VPN, VDI (Citrix), identity provider and even RDP access.
Lapsus$ recruitment post
  • Secrets publicly exposed in GitHub/GitLab repositories.

The next steps involve privilege escalation and post-exploitation:

  • Exploiting existing vulnerabilities, including unpatched versions of Jira, Confluence, FortiGuard, Microsoft Exchange servers, etc. We have compiled a curated list of the vulnerabilities they target (see the CVE section below).
  • Accessing version control systems and searching private repositories for secrets and gems.
  • Accessing mailboxes and collaboration software such as Slack to harvest credentials that are being shared in plain text.
They have highlighted the post-exploitation steps they took as part of their response to Okta’s latest blog.

Microsoft Leak Analysis:

Microsoft, in an official blog published today, stated the following:

“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

The leak contains 56,484 directories and 333,743 files, including the source code for Cortana, Bing Maps and Bing. The aggregate size of the leaked data is 37.8 GB.

The leak also contains multiple sensitive endpoints, like the one shown in the above screenshot. There are also 135 .pfx files present in the leak. A .pfx (PKCS#12) file bundles an SSL certificate (public key) together with its corresponding private key, so these can in turn be used maliciously.

There are documentation files as well as internal PDF files.

From the files we can conclude the following:

  • No customer data was affected
  • No PII was leaked
  • Source code along with certificates and pfx files were leaked
  • The Lapsus$ group’s operational security is weak: they posted a proof of concept in the Telegram channel while the exfiltration was still underway.

Okta Breach Analysis:

Okta had earlier released a statement, in the form of a blog post, stating:

“Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.”
“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency”

In response to the above statement, the Lapsus$ group released a message that can be summarized in the following points:

  • They were successful in breaching a superuser/admin account that had access to Slack, Jira, Confluence boards, etc.
  • It is suspicious that a customer support engineer had access to ~8.6k Slack channels and internal applications.
  • They had access to internal AWS secret/key pairs and other API keys, as these were being shared in plain text over Slack and email.
  • The breached account had the ability to reset the password and MFA of ~95% of Okta’s clientele.
The screenshot was shared by Lapsus$ as a PoC claiming they had access to Slack and other applications.
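The Okta finding above (a single support account able to reset the password and MFA of most customers) is the kind of over-privilege that audit logs can expose: an account whose reset actions fan out across many distinct customer tenants in a short window is behaving like a compromised or over-entitled support identity. The following Python detector is an added example, not Okta’s or CloudSEK’s code; the record layout and action names are constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Record layout and action names are constructed here, not Okta's real System Log types.
RESET_ACTIONS = {"user.password.reset", "user.mfa.reset"}

class Event(NamedTuple):
    ts: datetime
    actor: str
    action: str
    tenant: str

def parse_line(line: str) -> Event:
    """One JSON record per line with keys ts, actor, action, tenant."""
    r = json.loads(line)
    return Event(datetime.fromisoformat(r["ts"]), r["actor"], r["action"], r["tenant"])

def flag_mass_resets(events, window=timedelta(minutes=30), max_tenants=3) -> Dict[str, List[str]]:
    """Actors whose password/MFA resets touched more than max_tenants distinct
    customer tenants inside one sliding window; the value is the widest set seen."""
    alerts: Dict[str, List[str]] = {}
    recent = defaultdict(deque)  # actor -> (ts, tenant) pairs still inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in RESET_ACTIONS:
            continue
        q = recent[ev.actor]
        q.append((ev.ts, ev.tenant))
        while ev.ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        tenants = sorted({t for _, t in q})
        if len(tenants) > max_tenants and len(tenants) > len(alerts.get(ev.actor, [])):
            alerts[ev.actor] = tenants
    return alerts

# Constructed audit log: a support account sweeping resets across customer
# tenants at night, next to a help-desk user doing a routine reset for one customer.
SAMPLE_LOG = """\
{"ts": "2022-01-20T03:01:00", "actor": "svc-support-07", "action": "user.mfa.reset", "tenant": "acme"}
{"ts": "2022-01-20T03:04:00", "actor": "svc-support-07", "action": "user.mfa.reset", "tenant": "globex"}
{"ts": "2022-01-20T03:05:30", "actor": "helpdesk-ann", "action": "user.password.reset", "tenant": "initech"}
{"ts": "2022-01-20T03:07:00", "actor": "svc-support-07", "action": "user.password.reset", "tenant": "initech"}
{"ts": "2022-01-20T03:09:00", "actor": "svc-support-07", "action": "user.mfa.reset", "tenant": "umbrella"}
{"ts": "2022-01-20T03:12:00", "actor": "svc-support-07", "action": "user.session.end", "tenant": "umbrella"}
"""

def alerts_from_log(text: str = SAMPLE_LOG, window_minutes: int = 30, max_tenants: int = 3):
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return flag_mass_resets(events, timedelta(minutes=window_minutes), max_tenants)
```

Tune `window` and `max_tenants` to the tenant count a single support engineer legitimately touches per shift; the non-reset `user.session.end` record shows the filter ignoring unrelated actions.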

Globant Leak Analysis:

In an official confirmation, Globant did not contest Lapsus$’s claim. Globant released the following statement:

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access. We have activated our security protocols and are conducting an exhaustive investigation. According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected”

The 70 GB data leak contains public and private keys (SSH and SSL) that were present as part of the leaked source code. It consists of the following information for a number of their clients:

  • Credential files
  • Sensitive information and PII
  • SQL files
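The tactics described above (secrets in private repositories, AWS key pairs shared in plain text over Slack and email, and the SSH/SSL private keys and .pfx bundles found committed with source) can be caught by scanning checkouts and chat or mail exports before a leak does. The Python scanner below is an added example, not code from CloudSEK or any of the affected companies; the regexes and sample data are constructed for the example, and the AWS values are AWS’s documented placeholder keys, not real credentials.

```python
import re
from typing import List, NamedTuple

# Detectors for the kinds of material that surfaced in these leaks: AWS key
# pairs pasted into chat or mail, PEM private keys (SSH/SSL) committed with
# source, and PKCS#12 bundles (.pfx/.p12), which carry a private key.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
PKCS12_SUFFIXES = (".pfx", ".p12")

class Finding(NamedTuple):
    path: str
    line: int   # 0 when the finding is the file itself (a PKCS#12 bundle)
    kind: str
    hint: str   # redacted: the report must not re-leak the secret

def redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"

def scan_file(path: str, data: bytes) -> List[Finding]:
    """Scan one file from a checkout, Slack/email export or leak archive."""
    if path.lower().endswith(PKCS12_SUFFIXES):
        return [Finding(path, 0, "pkcs12_bundle", "private key material")]
    findings = []
    text = data.decode("utf-8", errors="ignore")
    for no, raw in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(raw):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, no, kind, redact(value)))
    return findings

# Constructed sample of a chat export; the keys are AWS's documented
# placeholder values, not real credentials.
SAMPLE_CHAT = (
    "alice: creds for the staging account below\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)
# Constructed sample of a deploy script with an embedded key block.
SAMPLE_SCRIPT = "#!/bin/sh\ncat > id_rsa <<EOF\n-----BEGIN OPENSSH PRIVATE KEY-----\nEOF\n"

if __name__ == "__main__":
    for f in scan_file("export/general.txt", SAMPLE_CHAT.encode()):
        print(f"{f.path}:{f.line} {f.kind} {f.hint}")
```

Run `scan_file` over every file of a repository clone or a workspace export; findings carry only a redacted prefix so the scan report itself never becomes a second leak.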

Information from the Cybercrime Forum

The Lapsus$ ransomware group emerged in early January 2022.

  • The group operates actively over its Telegram channel and engages with subscribers, keeping them updated on upcoming data breaches and hosting polls.
  • Recently, we came across a post on a Russian-speaking cybercrime forum that published the PII of a person it named as the operator of the Lapsus$ group.
  • The doxed information reveals a lot of personal details:
    • Name: Arion Kurtaj
    • Interests: Minecraft, Fishing, selling 0days
    • Age: 16 years
    • Potential Address: Spain
    • Nationality: British
    • DOB: February 19th, 2005
    • Personal Emails:
    • Aliases:

Common Vulnerabilities and Exposures (CVE)

The Lapsus$ gang previously targeted an organization in Nepal, and an investigation blog was published on that incident listing the targeted CVEs.

CVEs targeted by Lapsus$:

  • CVE-2022-21702: XSS vulnerability in Grafana
  • CVE-2022-0510: Reflected XSS in Packagist pimcore/pimcore prior to 10.3.1
  • CVE-2022-0139: Use After Free in GitHub repository radareorg/radare2 prior to 5.6.0
  • CVE-2021-45328: URL Redirection to Untrusted Site (‘Open Redirect’) via internal URLs
  • CVE-2021-45327: Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API
  • CVE-2021-45326: CSRF vulnerability exists in Gitea before 1.5.2 via API routes
  • CVE-2021-45325: SSRF vulnerability exists in Gitea before 1.7.0 using the OpenID URL
  • CVE-2021-44957: Global buffer overflow vulnerability exists in ffjpeg through 01.01.2021
  • CVE-2021-44956: Two heap-based buffer overflow vulnerabilities exist in ffjpeg through 01.01.2021
  • CVE-2021-44864: TP-Link WR886N 3.0 1.0.1 Build 150127 Rel.34123n is vulnerable to Buffer Overflow
  • CVE-2021-34473: Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability
  • CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26857: Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2020-23852: A heap-based buffer overflow vulnerability exists in ffjpeg through 2020-07-02
  • CVE-2020-23705: A global buffer overflow vulnerability through 2020-06-22
  • CVE-2020-12812: An improper authentication vulnerability in SSL VPN in FortiOS
  • CVE-2019-5591: A Default Configuration vulnerability in FortiOS
  • CVE-2018-13379: An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet

Indicators of Compromise (IoCs)

Nvidia was targeted by the Lapsus$ group last month. Subsequently, earlier this month, malware samples signed with Nvidia certificates began to appear in the wild. Some of these samples have very low detection rates on VirusTotal because of the legitimate certificates attached, and hence could pose a threat. The following are the malware samples signed with the stolen certificates:


Impact & Mitigation

Impact:

  • The published credentials could enable other threat actors to gain access to the organization’s networks.
  • The exposed Personally Identifiable Information (PII) could enable threat actors to orchestrate social engineering schemes, phishing attacks and even identity theft.
  • Since password reuse is a common practice, threat actors could leverage the exposed credentials to gain access to the users’ other accounts.
  • Exposed IP addresses and login credentials can lead to potential account takeovers.
  • The exposed confidential details could reveal business practices and intellectual property.

Mitigation:

  • Reset the compromised user login credentials and implement a strong password policy for all user accounts.
  • Check for possible workarounds and patches while keeping the ports open.
  • Use MFA (multi-factor authentication) across logins.
  • Patch all vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts and systems that could be indicators of possible takeovers.


Leaked Nvidia drivers information shared by the threat actor

Leaked Microsoft internal source code