LUCR-3 overlaps with teams similar to Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identification Supplier (IDP) as preliminary entry into an surroundings with the aim of stealing Mental Property (IP) for extortion. LUCR-3 targets Fortune 2000 corporations throughout numerous sectors, together with however not restricted to Software program, Retail, Hospitality, Manufacturing, and Telecoms.

LUCR-3 doesn’t rely closely on malware and even scripts; as a substitute, LUCR-3 expertly makes use of victims’ personal instruments, functions, and assets to realize their objectives. At a excessive degree, Preliminary Entry is gained via compromising current identities within the IDP (Okta: Identification Cloud, Azure AD / Entra, Ping Identification: PingOne). LUCR-3 makes use of SaaS functions similar to doc portals, ticketing techniques, and chat functions to find out how the sufferer group operates and find out how to entry delicate data. Utilizing the info they gained from reconnaissance inside the SaaS functions, they then perform their mission of knowledge theft. Information theft is usually centered on IP, Code Signing Certificates, and buyer information.

Attacker Attributes

Highlights

• LUCR-3 attribution is tough. Many people within the Cyber Intelligence group have even begun to trace the person personas individually. Additional complicated attribution, some LUCR-3 personas look like associates of ALPHV with entry to deploy BlackCat ransomware.
• Very similar to LUCR-1 (GUI-Vil), LUCR-3 tooling, particularly in Cloud, SaaS, and CI/CD, largely makes use of net browsers and a few GUI utilities similar to S3 Browser. Leveraging the native options of functions, similar to any worker would do, to hold out their aim.
• LUCR-3 closely targets the IDPs for Preliminary Entry. Shopping for creds from widespread marketplaces and bypassing MFA by way of SIM swapping, social engineering, and push fatigue.
• LUCR-3 does its homework on its preliminary entry victims, selecting identities that may have elevated privileges and even guaranteeing they supply from comparable geolocation as their sufferer identities to keep away from not possible journey (geo disparity) alerts.
• LUCR-3 will make the most of the sufferer organizations software program deployment options, similar to SCCM, to deploy specified software program to focus on techniques.

Mission

LUCR-3 is a financially motivated risk actor that makes use of information theft of delicate information (IP, Buyer information, Code Signing Certificates) to aim extortion. Whereas extortion calls for do range, they’re typically within the tens of tens of millions of {dollars}. Some personas inside LUCR-3 will typically collaborate with ALPHV to hold out the extortion part of the assault.

Tooling

LUCR-3 makes use of largely Home windows 10 techniques operating GUI utilities to hold out their mission within the cloud. Utilizing the native options of SaaS functions similar to search, LUCR-3 is ready to navigate via a company with out elevating any alarms. In AWS, the risk actor routinely leverages the S3 Browser (model 10.9.9) and the AWS administration console (by way of an internet browser). LUCR-3 makes use of AWS Cloudshell inside the AWS administration console to hold out any exercise that requires direct interplay with the AWS API.

Victimology

LUCR-3 typically targets massive (Fortune 2000) organizations which have Mental Property (IP) that’s helpful sufficient that sufferer organizations are prone to pay an extortion payment. Software program corporations are a typical goal as they purpose to extort a payment associated to the theft of supply code in addition to code signing certificates. LUCR-3 will typically goal organizations that may be leveraged in a provide chain assault in opposition to others. Identification Suppliers and their outsourced companies corporations are steadily focused as a singular compromise of one in every of these entities will enable for entry into a number of different organizations. In latest months, LUCR-3 has expanded its focusing on into sectors they have not beforehand centered as a lot on, similar to hospitality, gaming, and retail.

Attacker Lifecycle

AWS Attacker Lifecycle

Preliminary Recon

LUCR-3 does their homework when deciding on their goal sufferer identities. They guarantee they’re focusing on customers that may have the entry they should perform their mission. This consists of however shouldn’t be restricted to Identification Admins, Builders, Engineers, and the Safety crew.

They’ve been recognized to leverage credentials that had been out there in widespread deep net marketplaces.

Preliminary Entry (IA)

LUCR-3’s preliminary entry into an surroundings is gained via compromised credentials. They don’t seem to be performing noisy actions like password spraying to seek out passwords. Once they join, they have already got a reputable password to make use of. The standard strategy for them is:

1. Establish credentials for the meant sufferer identification

• Purchase credentials from widespread deepweb marketplaces
• Smishing victims to gather their credentials
• Social engineering assist desk personnel to realize entry to the credentials

2. Bypass Multi-factor Authentication (MFA)

• SIM Swapping (when SMS OTP is enabled)
• Push Fatigue (when SMS OTP shouldn’t be enabled)
• Phishing assaults with redirects to reputable websites the place OTP codes are captured and replayed
• Purchase or social engineer entry from an insider (final resort)

3. Modify MFA settings

• Register a brand new machine
• Add different MFA choices

When LUCR-3 modifies MFA settings, they typically register their very own cell machine and add secondary MFA choices similar to emails. Indicators to observe for listed below are:

• When a consumer registers a tool that’s in a distinct ecosystem than their earlier machine (Android to Apple for instance)
• When a consumer registers a brand new machine that’s an older mannequin than their earlier machine
• When a single telephone (machine ID) is assigned to a number of identities
• When an exterior electronic mail is added as a multi-factor possibility

Recon (R)

R-SaaS

As a way to perform their aim of knowledge theft, ransom, and extortion, LUCR-3 should perceive the place the vital information is and find out how to get to it. They carry out these duties very like any worker would. Looking via and viewing paperwork in numerous SaaS functions like SharePoint, OneDrive, information functions, ticketing options, and chat functions permits LUCR-3 to study an surroundings utilizing native functions with out setting off alarm bells. LUCR-3 makes use of search phrases focused at discovering credentials, studying concerning the software program deployment environments, code signing course of, and delicate information.

R-AWS

In AWS, LUCR-3 performs recon in a number of methods. They may merely navigate across the AWS Administration Console into companies like Billing, to grasp what sorts of companies are being leveraged, after which navigate every of these companies within the console. Moreover, LUCR-3 desires to know what packages are operating on the compute techniques (EC2 situations) in a company. Leveraging Techniques Supervisor (SSM), LUCR-3 will run the native AWS-GatherSoftwareInventory job in opposition to all EC2 situations, returning the software program operating on the EC2 situations. Lastly, LUCR-3 will leverage the GUI utility S3 Browser together with a long-lived entry key to view out there S3 buckets.

Privilege Escalation (PE)

LUCR-3 typically chooses preliminary victims who’ve the kind of entry mandatory to hold out their mission. They don’t at all times have to make the most of privilege escalation strategies, however we’ve noticed them accomplish that every so often in AWS environments.

PE-AWS

LUCR-3 has utilized three (3) most important strategies for privilege escalation in AWS:

1. Coverage manipulation: LUCR-3 has been seen modifying the coverage of current roles assigned to EC2 situations ( ReplaceIamInstanceProfileAssociation ) in addition to creating new ones with a full open coverage.
2. UpdateLoginProfile: LUCR-3 will replace the login profile and, every so often, create one if it does not exist to assign a password to an identification to allow them to leverage it for AWS Administration Console logons.
3. SecretsManager Harvesting: Many organizations retailer credentials in SecretsManger or Terraform Vault for programmatic entry from their cloud infrastructure. LUCR-3 will leverage AWS CloudShell to scrape all credentials which might be out there in SecretsManager and comparable options.

Set up Persistence/ Preserve Presence (EP)

LUCR-3, like most attackers, desires to make sure that they’ve a number of methods to enter an surroundings within the occasion that their preliminary compromised identities are found. In a contemporary cloud world, there are lots of methods to realize this aim, and LUCR-3 employs a myriad to keep up its presence.

EP-AzureAD/Okta

After having access to an identification within the IDP (AzureAD, Okta, and so forth.), LUCR-3 desires to make sure they will simply proceed to entry the identification. So as to take action, they are going to typically carry out the next actions:

1. Reset/Register Issue: LUCR-3 will register their very own machine to ease their capacity for continued entry. As talked about beforehand, look ahead to ecosystem switches for customers in addition to single gadgets which might be registered to a number of customers.
2. Alternate MFA: Many IDPs enable for alternate MFA choices. LUCR-3 will reap the benefits of these options to register exterior emails as an element. They’re sensible about selecting a reputation that aligns with the sufferer’s identification.
3. Robust Authentication Kind: In environments the place the default setting is to not enable for SMS as an element, LUCR-3 will modify this setting if they can. In AzureAD, you possibly can monitor for this by on the lookout for the StrongAuthenticationMethod altering from a 6 (PhoneAppOTP) to a 7 (OneWaySMS)

EP-AWS

To keep up persistence in AWS, LUCR-3 has been noticed performing the next:

1. CreateUser: LUCR-3 will try and create IAM Customers when out there. They select names that align with the sufferer identification they’re utilizing for preliminary entry into the surroundings.
2. CreateAccessKey: LUCR-3 will try and create entry keys for newly created IAM Customers in addition to current IAM Customers that they will then use programmatically. Like GUI-Vil (LUCR-1), the entry keys which might be created are sometimes inputted into the S3 Browser to work together with S3 buckets.
3. CreateLoginProfile / UpdateLoginProfile: LUCR-3, when attempting to be extra stealthy or when they don’t have entry to create new IAM customers, will try and create or replace login profiles for current customers. Login profiles are what assign a password to an IAM Consumer and permit for console entry. This system additionally lets the attacker acquire the privileges of the sufferer’s identification.
4. Credential Harvesting: As talked about beforehand, LUCR-3 finds nice worth in harvesting credentials from credential vaults similar to AWS SecretsManager and Terraform Vault. These typically retailer credentials not only for the sufferer organizations but in addition credentials that will enable entry to enterprise companions, know-how integrations, and even shoppers of the sufferer group.
5. Useful resource Creation: Lastly, LUCR-3 will create or take over current assets, similar to EC2 situations that may be leveraged for entry again into the surroundings in addition to a staging space for instruments and information theft as wanted.

EP-SaaS

LUCR-3 will use all of the functions out there to them to additional their aim. In ticketing techniques, chat packages, doc shops, and information functions, they are going to typically carry out searches on the lookout for credentials that may be leveraged throughout their assault.

Moreover, many of those functions enable the creation of entry tokens that can be utilized to work together with the SaaS functions API.

EP-CI/CD

LUCR-3 will even generate entry tokens for interacting with the APIs of your code repositories, similar to GitHub and GitLab.

Protection Evasion (DE)

We have now noticed that LUCR-3 considerably focuses on protection evasion ways in numerous environments. That is clearly to keep away from detection so long as attainable till they’re certain they’ve achieved their mission aims and are able to carry out ransom and extortion actions. They accomplish this via a number of means relying on the kind of surroundings they’re in.

DE-AWS

LUCR-3 employs largely widespread protection evasion strategies in AWS, with a few distinctive flares.

1. Disable GuardDuty: LUCR-3 will carry out the standard deletion of GuardDuty detectors but in addition tries to make it more durable so as to add again to the org degree by deleting invites. That is completed via the next three instructions: DisassociateFromMasterAccount, DeleteInvitations, DeleteDetector
2. Cease Logging: LUCR-3 additionally makes an attempt to evade AWS detections by performing DeleteTrail and StopLogging actions.
3. Serial Console Entry: This can be giving LUCR-3 an excessive amount of credit score, however we’ve noticed them EnableSerialConsoleAccess for AWS accounts they’ve compromised after which try to make use of EC2 Occasion Hook up with SendSerialConsoleSSHPublicKey which is able to try to ascertain a serial connection to a specified EC2 occasion. This may be leveraged to keep away from community monitoring, as serial connections are hardware-based.

DE-AzureAD/Okta

LUCR-3 clearly understands that one of many extra widespread detections in place for IDPs is to watch and alert on not possible journey. To keep away from these not possible journey detections, LUCR-3 will be sure that they supply from an identical geolocation as their sufferer identification. This appears to be largely completed by way of using residential VPNs.

DE-M365/Google Workspace

A few of LUCR-3’s actions in an surroundings, similar to producing tokens and opening up assist desk tickets, trigger emails to be despatched to the victims’ mailboxes. LUCR-3, already sitting in these mailboxes, will delete the emails to keep away from detection. Whereas electronic mail deletion by itself is a really weak sign, on the lookout for electronic mail deletions by way of the online model of Outlook with delicate phrases like OAuth, entry token, and MFA may convey to gentle larger constancy indicators to comply with.

Full Mission (CM)

LUCR-3 has one aim: monetary acquire. They do that largely via extortion of delicate information that they’ve collected by way of the native instruments of the sufferer organizations’ SaaS and CI/CD functions. In AWS, that is completed by information theft in S3 and in database functions similar to Dynamo and RDS.

Whereas within the SaaS world, they full their mission by looking out and downloading paperwork and net pages by way of a conventional net browser.

On the CI/CD facet, LUCR-3 will use the clone, archive, and consider uncooked options of Github and Gitlab to view and obtain supply information.

Indicators

Detections

Permiso shoppers are protected by the next detections: