Frequently Asked Questions

Attack Details & Threat Landscape

Who is the Lapsus$ threat actor group and what are their methods?

Lapsus$ is a cybercriminal group whose members were identified as seven people aged 16 to 21, led by a 16-year-old in England. They are known for extortion without encryption: they gain access through social engineering (including bribery and phishing) and remote access tools, steal data rather than encrypting it, and demand payment under threat of public release, often announced via Telegram. (Source: Cymulate Blog, Dec 31, 2024)

Which organizations were targeted by Lapsus$ in their attacks?

At the time the article was written, three attacks had been confirmed and attributed to Lapsus$: Nvidia, Microsoft, and Okta. Nvidia lost source code and driver-signing certificates. Microsoft had some source code stolen, though it stated the code did not create a security risk for users. Okta's breach occurred via an employee of a third-party partner and potentially affected 366 Okta customers. (Source: Cymulate Blog, Dec 31, 2024)

How did Lapsus$ gain access to their victims' systems?

Lapsus$ primarily used social engineering tactics, such as phishing and bribery, to gain access to victim systems. They leveraged remote desktop tools (like RDP) and exploited human factors, including employees granting access in exchange for payment. (Source: Cymulate Blog, Dec 31, 2024)

What role did Remote Desktop Protocol (RDP) play in the Lapsus$ attacks?

RDP and other remote access tools were used by Lapsus$ to connect to desktops, servers, and cloud instances. If misconfigured or left enabled unnecessarily, these tools can be exploited for unauthorized access, as seen in the Lapsus$ incidents. (Source: Cymulate Blog, Dec 31, 2024)

How did Lapsus$ extort their victims without encrypting data?

Unlike typical ransomware groups, Lapsus$ did not encrypt data. Instead, they stole sensitive information and threatened to release it publicly unless a ransom was paid, leveraging the risk of reputational and regulatory damage. (Source: Cymulate Blog, Dec 31, 2024)

What are the key takeaways from the Lapsus$ attacks for organizations?

The main lessons are: strictly control remote access tools, train employees on social engineering, invest in Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) solutions, and regularly test security controls to detect new gaps. (Source: Cymulate Blog, Dec 31, 2024)

How can organizations defend against social engineering attacks like those used by Lapsus$?

Organizations should provide comprehensive employee training on recognizing social engineering, phishing, and identity confirmation. Regular assessments can identify users needing more training, especially with tools that simulate lateral movement and advanced scenarios. (Source: Cymulate Blog, Dec 31, 2024)

Why is regular security validation important in preventing attacks like those by Lapsus$?

Attack techniques evolve rapidly, and changes in software, hardware, or staff can introduce new vulnerabilities. Regular security validation helps detect and remediate these gaps before attackers can exploit them. (Source: Cymulate Blog, Dec 31, 2024)

What is the risk of misconfigured remote access tools in enterprise environments?

Misconfigured or unnecessary remote access tools like RDP can provide attackers with unauthorized entry points to critical systems. Proper configuration and regular validation are essential to prevent exploitation. (Source: Cymulate Blog, Dec 31, 2024)

How can Breach and Attack Simulation (BAS) tools help defend against threats like Lapsus$?

BAS tools can test the security of RDP instances, simulate unauthorized access attempts, and assess endpoint security controls. This helps organizations identify and remediate weaknesses before attackers exploit them. (Source: Cymulate Blog, Dec 31, 2024)

What is the importance of Data Loss Prevention (DLP) and CASB solutions in modern cybersecurity?

DLP and CASB solutions restrict the movement of sensitive data, ensuring only authorized users can access it for approved purposes. This limits attackers' ability to exfiltrate data, even if they gain access to internal systems. (Source: Cymulate Blog, Dec 31, 2024)

How can organizations minimize damage from insider threats or collusion?

Implementing multi-layered defenses, ongoing validation of network and application protection, endpoint security, IAM, and DLP platforms can limit the damage caused by insider threats, even if a breach occurs. (Source: Cymulate Blog, Dec 31, 2024)

What is the value of continuous security validation for organizations?

Continuous security validation ensures that security controls are effective against evolving threats, helps detect cybersecurity drift, and enables timely remediation to maintain a strong security posture. (Source: Cymulate Blog, Dec 31, 2024)

How can Cymulate help organizations validate their security posture against threats like Lapsus$?

Cymulate provides Exposure Validation, Breach and Attack Simulation, and continuous security validation tools that test real-world attack scenarios, including RDP exploitation and social engineering. These tools help organizations identify and remediate vulnerabilities before attackers can exploit them. (Source: Cymulate Blog, Dec 31, 2024; Cymulate Platform)

What Cymulate demos are available to see how the platform addresses threats like Lapsus$?

Cymulate offers demos such as 'From Vulnerability to Validation', 'Threat Validation Demo', and 'From Control Validation to Exposure Validation', which showcase how the platform connects vulnerabilities to real attack scenarios and validates defenses against new threats. (Source: Cymulate Blog, Dec 31, 2024)

How does Cymulate Exposure Validation make advanced security testing easier?

Cymulate Exposure Validation centralizes advanced security testing, allowing users to build custom attack chains and validate defenses in one place. The platform is designed for ease of use and actionable insights. (Source: Cymulate Blog, Dec 31, 2024)

What is the recommended frequency for testing security controls?

It is recommended to test security controls monthly or more often, as attack techniques and organizational environments change rapidly, potentially introducing new vulnerabilities. (Source: Cymulate Blog, Dec 31, 2024)

How can organizations limit reputational and regulatory damage from breaches?

By implementing multi-layered defenses, ongoing validation, and robust data protection measures, organizations can limit what attackers can access, minimizing both reputational harm and regulatory intervention. (Source: Cymulate Blog, Dec 31, 2024)

Features & Capabilities

What are the key features of the Cymulate platform?

Cymulate offers continuous threat validation, a unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily. (Source: Cymulate Platform, Knowledge Base)

How does Cymulate help with exposure prioritization and remediation?

Cymulate validates exploitability and ranks exposures based on prevention and detection capabilities, business context, and threat intelligence, enabling organizations to focus on the most critical vulnerabilities and streamline remediation. (Source: Knowledge Base)

Does Cymulate integrate with other security technologies?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit the Cymulate Partnerships and Integrations page. (Source: Knowledge Base)

How easy is Cymulate to implement and use?

Cymulate is designed for quick, agentless deployment with no need for additional hardware or complex configurations. Customers report that it is easy to implement and use, with actionable insights available after just a few clicks. (Source: Knowledge Base, Customer Testimonials)

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive interface, user-friendly dashboard, and actionable insights. Testimonials highlight its ease of implementation and the value of immediate, practical recommendations. (Source: Customer Testimonials)

What are the measurable benefits of using Cymulate?

Cymulate users have reported up to a 52% reduction in critical exposures, a 60% increase in team efficiency, an 81% reduction in cyber risk within four months, and the ability to validate threats 40 times faster than manual methods. (Source: Knowledge Base, Case Studies)

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards. (Source: Knowledge Base)

How does Cymulate ensure data security and privacy?

Cymulate uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), hosts data in secure AWS data centers, and follows a strict Secure Development Lifecycle (SDLC) with regular vulnerability scanning and third-party penetration testing. (Source: Knowledge Base)

Is Cymulate compliant with GDPR and other privacy regulations?

Yes, Cymulate incorporates data protection by design, has a dedicated privacy and security team, and is compliant with GDPR and other international privacy standards. (Source: Knowledge Base)

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios required. For a detailed quote, organizations can schedule a demo with the Cymulate team. (Source: Knowledge Base)

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. (Source: Knowledge Base)

How does Cymulate compare to other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and Exposure Analytics, continuous 24/7 validation, AI-powered optimization, ease of use, and measurable outcomes such as significant reductions in exposures and cyber risk. (Source: Knowledge Base)

What pain points does Cymulate address for different security roles?

Cymulate addresses communication barriers and unclear risk prioritization for CISOs, resource constraints and operational inefficiencies for SecOps, inadequate threat simulation for red teams, and vulnerability management inefficiencies for vulnerability teams. (Source: Knowledge Base)

What case studies demonstrate Cymulate's effectiveness?

Case studies include Hertz Israel reducing cyber risk by 81% in four months, a sustainable energy company scaling pen testing cost-effectively, and Nemours Children's Health improving detection in hybrid and cloud environments. More case studies are available on the Cymulate Customers page. (Source: Knowledge Base)

Where can I find Cymulate's latest news, research, and resources?

You can find the latest news, research, and resources on the Cymulate Blog, Newsroom, and Resource Hub. (Source: Knowledge Base)

Does Cymulate provide educational resources like a blog or glossary?

Yes, Cymulate offers a blog, a comprehensive glossary of cybersecurity terms, and a resource hub with whitepapers, webinars, and more. (Source: Knowledge Base)

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize their security posture. The vision is to foster a collaborative environment for lasting improvements in cybersecurity. (Source: Knowledge Base)


Lapsus$, Okta, Microsoft, and RDP – The Attack Success Factors

Last Updated: December 31, 2024

When this was written, the week's biggest news story in cybersecurity was the alarming speed and reach of the Lapsus$ threat actor group, which quickly gained access to the sensitive data of multiple enterprise organizations known for strong security and data control. Lapsus$ breached Nvidia at the beginning of March 2022, and both Microsoft and Okta disclosed data thefts by the group in the days before this was written.

Let's look at the details of the attacks and what tools organizations can use to defend themselves.  

 

Who is Lapsus$? 

As of this writing, Lapsus$ members have been identified as seven people aged 16 to 21, led by a 16-year-old living in his mother's home in England and allegedly known by the aliases "White" and "Breachbase". Despite their youth, Lapsus$'s data theft and extortion reportedly netted them a few million dollars in Bitcoin and other cryptocurrencies before they were identified. Bloomberg interviewed the mother of the presumed 16-year-old leader through her house intercom, and she said she had no idea her son was involved in hacking. Tracked by Microsoft as DEV-0537, Lapsus$ apparently began by targeting organizations in the UK and South America before expanding to leading organizations in government, media, retail, telecommunications, technology, and healthcare worldwide.

Their preferred method was extortion without encryption. They gained access through social engineering (including offering employees payment for access), used that foothold to connect to victim systems with remote access tools, and then siphoned off whatever valuable data the access they had gained could reach. Instead of encrypting the data for ransom, as is common in these types of attacks, they left the data in place and kept a copy by transmitting it to their own servers. The company was then told what data had been stolen and presented with a demand for payment under threat of releasing the typically secret and/or sensitive data to the public, with the Telegram chat platform serving as the group's announcement channel.

 

Who Have They Attacked? 

At the time of writing, there are three confirmed and correlated attacks attributed to Lapsus$: 

Nvidia 

Nvidia was breached at some point before March 5th, 2022, most likely in the days immediately preceding. Stolen data included source code for Nvidia products and the code-signing certificates Nvidia used to sign authentic driver updates and other software. This is especially troubling because, until the certificates in question were invalidated, both Lapsus$ and other threat actors could sign malware with them so that it appeared to be a legitimate software or driver update package. Revocation is also only a partial fix: signature checks that honor a trusted timestamp can still accept binaries signed before the revocation date, so endpoint controls should additionally block or flag anything signed with those specific certificates. 

Microsoft 

Microsoft disclosed that it was breached on or about March 20th. Lapsus$ stole some source code for Microsoft products, though Microsoft stated that the stolen code was not sufficient to create a security risk for users of those products.  

Okta

Okta was breached around the same time as Microsoft, but the attack and its fallout were a considerably more twisted tale. Okta data was stolen, but not from Okta directly. Instead, Lapsus$ gained access to the desktop of a customer success representative working for an Okta partner who had access to some Okta administrative tools. This gave Lapsus$ access to sensitive information and the potential to compromise the Okta security of the 366 Okta customers served by that partner. In short, Okta's information leaked, but through an intermediary rather than from Okta itself. 

 

The Attack Success Factors and Key Takeaways 

Some common threads weave through all three of the Lapsus$ attacks we know about:  

  1. The human factor. Social engineering appears to be the infiltration vector in all three attacks. Whether it was a traditional social engineering attack (e.g., phishing or other deception) or the corruption of an employee through bribery or other means is not yet known; in all three cases, Lapsus$ gained access to systems by leveraging users and their equipment. 
  2. Data was stolen, not encrypted. This is particularly worrisome because, if an insider was involved, the attackers could have maintained a presence (dwell time) for an indefinite period. Data Loss Prevention may have limited their ability to remove data from the environment, but there would not have been the obvious indicators seen in other recent attacks, such as large amounts of data suddenly being locked down by unauthorized encryption software or backup settings being altered.  
  3. Remote desktop tools (such as Microsoft's Remote Desktop Protocol, RDP) were used as part of the attack. Remote desktop tools, both Microsoft's own RDP client and server components and third-party products, are common and serve legitimate purposes such as technical support and remote server administration. The problem is that if they are misconfigured, or enabled by an attacker who already has a foothold, they can also be used to reach desktops, laptops, servers, cloud instances, or anything else that answers a remote desktop request.  
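The second factor above is the one that defeats ransomware-style detection: nothing is encrypted, so the main observable is bulk data leaving the environment. As an added example that is not part of the original post, the following Python flags a host whose egress to external destinations on one day dwarfs its own baseline. The flow records, host names, addresses and byte counts are constructed, and the internal ranges, the 5x factor and the 1 GB floor are assumed thresholds that a real deployment would tune.

```python
# Added example, not from the Cymulate post. Detect "copy, don't encrypt"
# exfiltration as a spike in bulk egress to external destinations. Flow
# records, hosts, addresses, byte counts and thresholds are all constructed.
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; anything else counts as external.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed flow records: (day, source host, destination IP, bytes sent).
FLOWS = [
    ("2022-03-01", "ws-0412", "203.0.113.10", 45_000_000),
    ("2022-03-02", "ws-0412", "203.0.113.10", 52_000_000),
    ("2022-03-03", "ws-0412", "10.20.0.15", 900_000_000),    # internal file server, not egress
    ("2022-03-03", "ws-0412", "198.51.100.7", 40_000_000),
    ("2022-03-04", "ws-0412", "203.0.113.10", 48_000_000),
    ("2022-03-05", "ws-0412", "192.0.2.77", 6_400_000_000),  # 6.4 GB to an unfamiliar host
    ("2022-03-01", "ws-0980", "203.0.113.10", 30_000_000),
    ("2022-03-02", "ws-0980", "203.0.113.10", 35_000_000),
    ("2022-03-03", "ws-0980", "203.0.113.10", 28_000_000),
    ("2022-03-04", "ws-0980", "203.0.113.10", 33_000_000),
    ("2022-03-05", "ws-0980", "203.0.113.10", 31_000_000),
]


def is_external(ip_str):
    """True if the destination is outside the assumed internal ranges."""
    ip = ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def daily_egress(flows):
    """Bytes sent to external destinations, summed per (host, day)."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[(host, day)] += nbytes
    return dict(totals)


def flag_bulk_egress(flows, factor=5.0, min_bytes=1_000_000_000):
    """Return (host, day, bytes, baseline) where a host's external egress is at
    least `min_bytes` and at least `factor` times its median on its other days.
    The absolute floor stops a quiet host from alerting on small fluctuations."""
    per_host = defaultdict(dict)
    for (host, day), nbytes in daily_egress(flows).items():
        per_host[host][day] = nbytes
    alerts = []
    for host, days in per_host.items():
        for day, nbytes in days.items():
            others = [v for d, v in days.items() if d != day]
            if not others:
                continue  # no baseline to compare against
            baseline = statistics.median(others)
            if nbytes >= min_bytes and nbytes >= factor * baseline:
                alerts.append((host, day, nbytes, baseline))
    return sorted(alerts)


if __name__ == "__main__":
    for host, day, nbytes, baseline in flag_bulk_egress(FLOWS):
        print(f"{host} {day}: {nbytes / 1e9:.1f} GB out vs {baseline / 1e6:.0f} MB/day baseline")
```

The baseline is computed per host and excludes the day under test, so a single large day cannot hide inside its own median. On real flow data you would also weigh destination reputation and time of day, and pair this with DLP content inspection on the same egress path, since a patient attacker can spread the copy over many days to stay under the factor.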

 

Fortifying Your Security Posture

  • First, strictly control any remote administration tools and services used by the organization, and ensure that any tools not required are fully disabled and stay disabled. Ensure that endpoint controls such as EDR/XDR platforms recognize and block installs of remote access software that the organization has not authorized. Breach and Attack Simulation tools can both test the security of existing RDP instances and attempt to enable and access RDP sessions where they should not be usable (a tactic recently observed from Lapsus$). Endpoint security assessments can test that EDR/XDR tools trigger when faced with known remote access packages.  
  • Second, ensure that all employees are aware of social engineering techniques. Training should cover how to identify a social engineering attack, how to detect phishing, how to confirm the identity of anyone claiming to work for the organization and requesting access to systems, and whom to alert if any of these behaviors are witnessed, during the workday or at any other time. Insider collusion cannot be ruled out in the Lapsus$ attacks, but the use of social engineering to turn otherwise loyal employees into pawns of the attacker is extremely common. Assessment tools can help identify where users need more training, especially if they have Lateral Movement and Advanced Scenarios modules that can recognize attempts to misuse identity components for unauthorized purposes, such as user token manipulation. 
  • Third, invest in robust Data Loss Prevention and Cloud Access Security Broker (DLP and CASB) solutions. These tools restrict the movement of critical, sensitive, and/or confidential data so that only authorized users may access it, and only for authorized purposes, limiting an attacker's ability to remove data from the organization. Continuous security validation tools can confirm whether those controls are actually blocking unauthorized exfiltration. 
  • Fourth, test your security controls regularly, preferably monthly or more often. Attack techniques change rapidly, and new gaps can open in an otherwise secure environment with little warning. Changes to software, hardware, procedures, and staff can also easily create new gaps in defenses. Regular testing lets you detect this cybersecurity "drift" quickly and take appropriate remediation action.  
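For the first point above, the check a practitioner wants is whether RDP sessions and remote-access tools show up where policy says they should not. As an added example (not Cymulate's code and not part of the original post), the following Python runs that check over constructed Windows Security events: 4624 logons with LogonType 10 (RemoteInteractive, i.e. RDP) whose source address is outside an assumed jump-host subnet, and 4688 process-creation events for known remote-access binaries that are not on an assumed approved list. The events, hosts, users, addresses and both policy lists are made up.

```python
# Added example, not from the Cymulate post. Flags RDP logons from unapproved
# sources and launches of unapproved remote-access tools in Windows Security
# events. All events, hosts, users, addresses and policy lists are made up.
import json
from ipaddress import ip_address, ip_network

# Assumed policy: interactive RDP may only originate from the jump-host subnet,
# and only one remote-access product is sanctioned on endpoints.
APPROVED_RDP_SOURCES = [ip_network("10.0.50.0/24")]
APPROVED_REMOTE_TOOLS = {"screenconnect.clientservice.exe"}
# Illustrative subset of remote-access binaries worth alerting on if unsanctioned.
KNOWN_REMOTE_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "rustdesk.exe", "ngrok.exe",
    "screenconnect.clientservice.exe",
}

# Constructed Security-log events as JSON lines (field names follow the
# Windows event schema; values are fictional).
EVENT_LOG = r"""
{"EventID": 4624, "Computer": "SRV-FILE01", "TargetUserName": "svc-admin", "LogonType": 10, "IpAddress": "10.0.50.5"}
{"EventID": 4624, "Computer": "WS-0412", "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "-"}
{"EventID": 4624, "Computer": "SRV-FILE01", "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.1.7.23"}
{"EventID": 4624, "Computer": "WS-0412", "TargetUserName": "support-contractor", "LogonType": 10, "IpAddress": "198.51.100.23"}
{"EventID": 4688, "Computer": "WS-0412", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Users\\jdoe\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe"}
{"EventID": 4688, "Computer": "WS-0412", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Program Files\\Notepad++\\notepad++.exe"}
{"EventID": 4688, "Computer": "WS-0412", "SubjectUserName": "SYSTEM", "NewProcessName": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rdp_source_approved(ip_str):
    """True only if the logon's source address falls inside an approved subnet.
    Placeholders such as "-" are treated as unapproved."""
    try:
        ip = ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_RDP_SOURCES)


def basename(path):
    """Executable name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, computer, user, detail) tuples for policy violations."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4624 and e.get("LogonType") == 10:  # 10 = RemoteInteractive (RDP)
            src = e.get("IpAddress", "-")
            if not rdp_source_approved(src):
                alerts.append(("rdp_from_unapproved_source", e["Computer"], e["TargetUserName"], src))
        elif eid == 4688:
            exe = basename(e.get("NewProcessName", ""))
            if exe in KNOWN_REMOTE_TOOLS and exe not in APPROVED_REMOTE_TOOLS:
                alerts.append(("unapproved_remote_tool", e["Computer"], e["SubjectUserName"], exe))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(EVENT_LOG)):
        print(*alert)
```

Event IDs 4624 and 4688 and the fields used (LogonType, IpAddress, NewProcessName) are standard Windows Security log fields; 4688 only appears when process-creation auditing is enabled, and the binary names are an illustrative subset of the tools EDR vendors track rather than a complete list. The same logic is what a validation run should provoke on purpose: start an RDP session from a non-jump host or launch a known remote-access tool on a test endpoint, and confirm that this alert, or your EDR's equivalent, actually fires.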

 

Closing Thoughts 

It is not always possible to completely stop an attacker, especially if they have an employee assisting them in their attack. That being said, a multi-layered defense can limit the damage that can be caused by a threat actor group, even if they have an inside resource.

Proper implementation and ongoing testing and validation of network and application protection, endpoint security, Identity and Access Management, and Data Loss Prevention platforms can help to ensure that, even if a breach occurs, threat actors are unable to either destroy the information or remove it from your organization.

Or, at least, it can limit what they are able to access, minimizing both the damage and embarrassment to the brand and the regulatory intervention your organization is subjected to. 

See how Cymulate can help your unique organization's environment with a persona demo today.

Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
Mike Humbert, Cybersecurity Engineer
DARLING INGREDIENTS INC.