The US Cyber Safety Review Board (CSRB) has published a comprehensive analysis of the Lapsus$ hacker group’s cyber extortion activities.
Over 40 entities, including domestic and international law enforcement agencies, threat intelligence firms, cybersecurity experts, and targeted organizations, participated in the joint collective effort.
The report highlighted simple but effective tactics the Lapsus$ hacking group used to compromise organizations and the existing security gaps enabling them.
The CSRB recommended various solutions, such as migration from password-based authentication and ditching SMS-based MFA, to seal the loopholes exploited by Lapsus$ and other threat actors.
Systemic failures enable the Lapsus$ hacker group’s cyber extortion activities
The report stated that the hacker group bypassed “commonly used security controls” to compromise well-resourced organizations such as Okta, Samsung, Ubisoft, Microsoft, and Nvidia, among others, in 2021 and 2022.
“The Board examined how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world,” said CSRB Chair and DHS Under Secretary for Policy Robert Silvers.
According to the report, the hacker group employed simple but effective techniques, such as phishing employees and stealing phone numbers to gain access.
“Lapsus$ and related threat actors are using basic techniques to gain an entry point into companies. Their primary attack vectors – SIM swap attacks and phishing employees – can be easily addressed, especially for companies like Microsoft and Okta that are so well-resourced,” reiterated Rosa Smothers, former CIA cyber threat analyst and current KnowBe4 executive.
The success of these techniques exposed “weak points in our cyber infrastructure” that could be exploited for future attacks, the report said.
Additionally, the report found “collective failure across organizations” in accounting for risks associated with SMS and call multi-factor authentication.
“We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their systems,” Silvers said.
Over the years, the cyber extortion group targeted telecommunication employees to access the telecoms’ management portals and perform SIM swapping.
It also relied on malicious insiders, such as employees and contractors, recruited through bribery and other financial incentives. The report found that the hacker group paid up to $20,000 weekly to access SIM management portals.
After successful SIM swaps, the cyber extortion group used the stolen phone numbers to receive SMS-based multi-factor authentication and take over online accounts.
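The chain described above (SIM swap, then SMS code interception, then account takeover) leaves a defender-side signal: an SMS or voice MFA success shortly after the number's SIM was changed. The following is an added detection example, not code from the CSRB report or any vendor; the log format, the 72-hour window and all telemetry lines are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not from the CSRB report): a carrier's SIM-change
# notices and an identity provider's successful-MFA events, joined on the phone
# number the code was delivered to. The key=value log format is an assumption.
SIM_CHANGES = [
    "2022-03-01T09:12:00Z event=sim_change number=+15550100",
    "2022-03-02T18:40:00Z event=sim_change number=+15550155",
]
MFA_EVENTS = [
    "2022-03-01T09:58:00Z event=mfa_ok user=alice method=sms number=+15550100",
    "2022-03-01T10:03:00Z event=mfa_ok user=bob method=totp number=+15550122",
    "2022-03-02T19:05:00Z event=mfa_ok user=dave method=sms number=+15550155",
    "2022-03-06T11:00:00Z event=mfa_ok user=carol method=sms number=+15550155",
]

SIM_CHANGE_WINDOW = timedelta(hours=72)  # assumed value; tune to your data
PHONE_FACTORS = {"sms", "voice"}         # factors that move with the number


def parse(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a UTC datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def flag_sim_swap_mfa(sim_lines, mfa_lines, window=SIM_CHANGE_WINDOW):
    """Return (user, number, seconds_since_sim_change) for each MFA success that
    relied on a phone-delivered factor within `window` after that number's SIM
    changed. App/token factors are skipped: a SIM swap does not transfer them."""
    changes = {}
    for rec in map(parse, sim_lines):
        changes.setdefault(rec["number"], []).append(rec["ts"])
    flagged = []
    for rec in map(parse, mfa_lines):
        if rec["method"] not in PHONE_FACTORS:
            continue
        for changed_at in changes.get(rec["number"], []):
            gap = rec["ts"] - changed_at
            if timedelta(0) <= gap <= window:
                flagged.append((rec["user"], rec["number"], int(gap.total_seconds())))
                break
    return flagged


if __name__ == "__main__":
    for user, number, secs in flag_sim_swap_mfa(SIM_CHANGES, MFA_EVENTS):
        print(f"step-up required: {user} passed phone MFA on {number} "
              f"{secs // 60} min after a SIM change")
```

In the sample data only alice and dave are flagged; bob used an authenticator app and carol's SMS login falls outside the window. A flagged login is a candidate for forcing a non-phone factor or a manual identity check rather than an automatic block.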
“This island hop is historic as their infrastructure was hijacked and used to launch attacks against their customers,” said Tom Kellermann, SVP of cyber strategy at Contrast Security. “For too long, telcos have underinvested in next-gen cybersecurity. They have been overly focused on defending against DDoS.”
Other security shortcomings the Lapsus$ hacker group exploited include unpatched vulnerabilities in widely used software products. The CSRB found that the cyber extortion group leveraged unpatched Microsoft Active Directory security vulnerabilities in 40-60% of its attacks.
Stopping Lapsus$ cyber extortion
Despite the extortion group’s success in compromising tech juggernauts like Microsoft, the CSRB found that various security measures effectively stopped Lapsus$ hacks.
The report authors observed that “mature, defense-in-depth controls” managed to stop the cyber extortion group from gaining access or establishing persistence.
Organizations that succeeded in stopping the hacker group or gracefully mitigated its attacks had implemented application or token-based authentication, robust network intrusion detection systems, or followed established incident response procedures.
Accordingly, the report advised organizations to adopt more secure and more user-friendly authentication by going passwordless and deploying access management solutions.
“The digital ecosystem needs to prioritize moving beyond use of text-based strings for authentication,” said the CSRB.
The report authors also advised the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), and telecommunication companies to impose stricter identification requirements to combat SIM-swapping fraud.
“The FCC must modernize the cybersecurity standard for the sector and heavily fine these companies,” Kellermann insisted.
Since mobile phones are an “essential component of the nation’s telecommunications practices,” the CSRB warned that “fraudulent SIM swaps undermine the security and reliability of the telecommunications ecosystem.”
Other recommendations include fighting social engineering, prioritizing resiliency and preparing for cyber intrusion, cooperating with law enforcement, incorporating cybersecurity in contractual language, and emphasizing the “whole-of-society” programs to deter juvenile cybercriminals.