The new APT is the Advanced Persistent Teenagers

The new juvenile data extortion group, LAPSUS$, has taken large organizations by surprise with unconventional techniques and tactics that are absent from today's common playbooks.

Having emerged in late 2021, LAPSUS$ has compromised some of the world's largest technology companies, including Microsoft, NVIDIA, Okta and Samsung.

The LAPSUS$ group attacks a target to silently breach sensitive data or source code and then threatens to release it unless a ransom is paid.

A Microsoft report highlights how the group uses old-fashioned techniques based on social engineering to recruit internal personnel to provide remote access credentials or to trick customer support employees to reset credentials or provide information.

The surprise is that the LAPSUS$ group's members are aged 15 to 21. They operate on a minimal budget and are not stealthy in the way state-sponsored APT groups normally are. The group not only doesn't hide its tracks, but in many cases announces its compromises on social media!

The main risk posed by smash-and-grab groups like LAPSUS$ is their ability to extract the maximum amount of sensitive information from their victims using compromised user accounts that typically have a short lifespan.

Organizations should threat model their operating procedures to identify weak points that social engineering could target to obtain admin or remote access credentials, through which an attacker gains access and then exfiltrates sensitive information.
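The pattern described above (a help-desk credential reset obtained by social engineering, followed by a short-lived account that pulls out as much data as it can) lends itself to a simple correlation check. The following is an added example written for this post, not code from the Microsoft report, the Krebs article, or any product: the log format, the event kinds ("helpdesk_reset", "remote_login", "data_access"), the 24-hour window and the byte threshold are all assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Added example: flag accounts where a help-desk credential reset is followed,
within a short window, by a remote-access login and bulk data access.

The log format, event kinds, window and threshold below are assumptions for
this example, not the fields of any real product."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str           # assumed kinds: helpdesk_reset, remote_login, data_access
    detail: str = ""    # e.g. source IP or repository name (assumed)
    bytes_out: int = 0  # only meaningful for data_access events


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO-8601> <user> <kind> [detail] [bytes=<n>]'."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    user, kind = parts[1], parts[2]
    detail, bytes_out = "", 0
    for tok in parts[3:]:
        if tok.startswith("bytes="):
            bytes_out = int(tok[len("bytes="):])
        else:
            detail = tok
    return Event(ts, user, kind, detail, bytes_out)


def find_reset_then_bulk_access(events, window=timedelta(hours=24),
                                min_bytes=500_000_000):
    """Return one alert per (user, reset) where a remote login and at least
    min_bytes of data access both occur within `window` after the reset."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, reset in enumerate(evs):
            if reset.kind != "helpdesk_reset":
                continue
            deadline = reset.ts + window
            later = [e for e in evs[i + 1:] if e.ts <= deadline]
            logins = [e for e in later if e.kind == "remote_login"]
            total = sum(e.bytes_out for e in later if e.kind == "data_access")
            if logins and total >= min_bytes:
                alerts.append({
                    "user": user,
                    "reset_at": reset.ts,
                    "first_remote_login": logins[0].ts,
                    "login_source": logins[0].detail,
                    "bytes_in_window": total,
                })
    return alerts


# Constructed sample log: alice matches the pattern, bob's login falls outside
# the window with little data, carol moves data but had no reset to anchor on.
SAMPLE_LOG = """\
2022-03-20T09:00:00 alice helpdesk_reset ticket-1042
2022-03-20T09:42:00 alice remote_login 203.0.113.7
2022-03-20T10:05:00 alice data_access repo-a bytes=300000000
2022-03-20T11:30:00 alice data_access repo-b bytes=400000000
2022-03-20T10:00:00 bob helpdesk_reset ticket-1043
2022-03-21T10:30:00 bob remote_login 198.51.100.4
2022-03-21T11:00:00 bob data_access repo-c bytes=50000000
2022-03-20T14:00:00 carol data_access repo-d bytes=900000000
"""


def run_sample():
    """Parse the constructed log and return the alerts it produces."""
    return find_reset_then_bulk_access(
        [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()])


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The check deliberately anchors on the reset event rather than on download volume alone: a large transfer by a long-standing account is routine in many environments, while a reset followed by a new remote login and heavy access in the same day is the sequence this group's tradecraft produces, so it is the sequence worth reviewing.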

The Krebs on Security article
The Microsoft report