Many organizations victimized by the Lapsus$ extortion gangs through SIM swapping and tricking employees through social engineering have only themselves to blame for being hacked, suggests a U.S. government report.
The report released Thursday by the Cyber Safety Review Board, a branch of the Department of Homeland Security, had unkind things to say about companies, telecom carriers, and the reliance on easily-bypassed text-based SMS systems for multifactor authentication (MFA).
“Lapsus$ made clear just how easy it was for its members (juveniles, in some instances) to infiltrate well-defended organizations,” the report says in part. “Lapsus$ exploited systemic ecosystem weaknesses to infiltrate and extort organizations, sometimes appearing to do so for nothing more than attention and public notoriety.”
Attacks linked to Lapsus$ and associated groups include:
— accessing one organization’s enterprise tools, including SaaS applications that contained source code and customer data, such as Atlassian, Cloudflare, and Slack;
— stealing source code from a telecommunications provider. This is possibly a reference to an attack on T-Mobile;
— stealing 200 gGB of corporate data from a Kansas-based surgical and rehabilitation center;
— stealing approximately 37 GB of source code for over 250 projects from a technology company, after which Lapsus$ made it available for download in an online torrent posted on its Telegram channel. This appears to be a reference to a Microsoft hack;
— stealing and publishing source code for two flagship games from a gaming company, including related assets from the company’s Confluence and Slack servers;
— and stealing and deleting 50 TB of data, including a COVID-19 database, from a non-U.S. government agency.
“Among its findings,” the agency said in a news release accompanying the report, “the Board saw a collective failure across organizations to account for the risks associated with using text messaging and voice calls for multi-factor authentication.”
In one example cited by the report, in January 2022 the gang gained access to privileged internal tools of an unnamed third-party service provider by compromising the computer of a customer support contractor from one of its business process outsourcers. The real
target of this attack was not the third-party service provider, nor the outsourcer, but the downstream customers of the service provider.
“This is a remarkable example of a creative three-stage supply chain attack used by this
class of threat actors,” the report says.
Although the service provider isn’t named, it is similar to the widely-reported 2022 compromise of a contractor of identity and access manager Okta.
One tactic of the gang: Impersonating police and making fraudulent Emergency Disclosure Requests to wireless carriers to obtain sensitive information about targets.
Some of that information enabled SIM swapping by convincing a carrier — or hacking the account of a carrier’s customer support staff — to switch a target’s mobile phone number to smartphones controlled by the gang. Then it could intercept SMS and voice calls and receive MFA-related messages that control access to online email and bank accounts.
The report describes Lapsus$ as a loosely organized group, which included several juveniles, based mainly in the U.K. and Brazil. It had eight to 10 known members as of April 2022. The previous month, police in England arrested seven individuals in connection with Lapsus$. Two juveniles were charged. In September, U.K. police arrested a 17-year-old on suspicion of hacking. Media reports quoted experts believing the three arrests were related to Lapsus$’s attacks against technology and gaming companies. Then, in October, Brazilian police said they had arrested a Brazilian national suspected of belonging to Lapsus$.
Since then, Lapsus$ activity has disappeared. The report’s authors say they can’t rule out the possibility that other gang members are lying low.
Among the board’s recommendations:
— organizations must “urgently” implement improved access controls and authentication methods, and transition away from voice and SMS-based MFA. It’s a recommendation experts have been making for years. “Those methods are particularly vulnerable,” says the report. Instead, organizations should adopt easy-to-use, secure-by-default, passwordless solutions such as Fast IDentity Online (FIDO)2-compliant, phishing-resistant MFA methods.
To facilitate the transition to passwordless authentication, the board recommends Washington develop a secure authentication roadmap for the U.S.;
— carriers should implement more stringent authentication methods to prevent fraudulent SIM swapping;
— organizations should prioritize resiliency and fast recovery to defend against SIM swapping attacks;
— organizations should plan for disruptive cyber intrusions by requiring their whole business, including outside suppliers, to invest in prevention, detection, response, and recovery capabilities;
— Congress should support the creation of “whole-of-society” programs and mechanisms to prevent juvenile cybercrime.
Lapsus$ was not successful in all its attempted attacks, the report adds. Organizations with mature, defense-in-depth controls were most resilient to these threat actor groups. Organizations that used application or token-based MFA methods or employed robust network intrusion detection systems, including rapid detection of suspicious account activity, were especially resilient.
“Organizations that maintained and followed their established incident response procedures significantly mitigated impacts,” the report noted. “Highly effective organizations employed mechanisms such as out-of-band communications that allowed incident response professionals to co-ordinate response efforts without being monitored by the threat actors.”
“We need better technologies that move us towards a passwordless world, negating the effects of credential theft,” the report concludes. “We need telecommunications providers to design and implement processes and systems that keep attackers from hijacking mobile phone service. We need to double down on zero trust architectures that assume breach. We need organizations to design their security programs to cover not only their own information technology environments, but also those of their vendors that host critical data or maintain direct network access. We need to give law enforcement the means to disrupt all manner of threat actors. And we need to help curious young people use their growing digital skills for positive purposes.”
