The Cyber Safety Review Board (CSRB) has recently shared details of the tactics, techniques, and procedures used by the Lapsus$ threat group and has made several recommendations for hardening defenses and building resilience.
The CSRB was established by the Biden Administration to improve the nation’s cybersecurity and has been tasked with reviewing significant cyber attacks and providing actionable recommendations for critical infrastructure entities to help them harden their defenses. The CSRB worked with more than 40 organizations to obtain insights into attacks by the Lapsus$ hacking group in order to make its recommendations.
Lapsus$ has attacked dozens of companies and government agencies since 2021 and is believed to pose a significant threat to the healthcare sector. The group is thought to be a loosely affiliated collection of hackers, most of whom are teenagers and young adults. Rather than relying on novel exploits, Lapsus$ tends to use low-cost techniques and well-known weaknesses in the identity and access management ecosystem (such as social engineering of help desks and weak forms of multi-factor authentication) to gain access to networks, steals data such as source code, and then issues demands for payment.
The CSRB found that the multi-factor authentication (MFA) implementations in common use are not sufficient to protect against these attacks, and that many companies have not properly mitigated the risks of MFA methods that depend on SMS messages and voice calls. Threat actors such as Lapsus$ have been able to gain initial access to victims' networks through Subscriber Identity Module (SIM) swapping attacks, in which the attacker persuades or bribes a carrier into moving a target's phone number to an attacker-controlled SIM and then receives the target's one-time codes and password-reset messages. The Board concluded that there are currently insufficient security protocols in the United States to prevent fraudulent SIM swapping.
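Two checks follow directly from that finding: which accounts can be taken over by a SIM swap alone (every enrolled factor is SMS or voice), and whether a phone-number change on an account is quickly followed by a sensitive action authenticated over that telephony factor. The script below is an added example, not material from the CSRB report or any vendor; it assumes a normalised, vendor-neutral audit-log shape (event type, factor name, new-device flag) that you would map from your own identity provider's export, and the enrollment snapshot and events are constructed test data.

```python
"""Flag accounts exposed to SIM-swap style takeover.

Added example, not from the CSRB report. The log and enrollment formats are
assumptions: a minimal vendor-neutral schema you would map real IdP exports to.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Factor classes (assumption: factor names are normalised to these strings).
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}
WEAK_TELEPHONY = {"sms", "voice"}

# Constructed enrollment snapshot: user -> set of enrolled MFA factors.
ENROLLMENTS = {
    "alice": {"sms"},
    "bob": {"sms", "totp"},
    "carol": {"fido2", "sms"},
    "dave": {"voice"},
}

# Constructed audit events, ISO-8601 UTC timestamps, one dict per event.
EVENTS = [
    {"ts": "2023-03-01T09:00:00", "user": "alice", "type": "phone_number_changed"},
    {"ts": "2023-03-01T09:40:00", "user": "alice", "type": "password_reset", "factor": "sms"},
    {"ts": "2023-03-01T09:42:00", "user": "alice", "type": "login", "factor": "sms", "new_device": True},
    {"ts": "2023-03-01T10:00:00", "user": "bob", "type": "phone_number_changed"},
    {"ts": "2023-03-03T11:00:00", "user": "bob", "type": "login", "factor": "totp", "new_device": False},
    {"ts": "2023-03-02T08:00:00", "user": "carol", "type": "phone_number_changed"},
    {"ts": "2023-03-02T08:05:00", "user": "carol", "type": "login", "factor": "fido2", "new_device": False},
]


def telephony_only_users(enrollments):
    """Users whose every enrolled factor is SMS or voice: a SIM swap alone defeats them."""
    return sorted(u for u, factors in enrollments.items() if factors and factors <= WEAK_TELEPHONY)


def users_without_phishing_resistant_factor(enrollments):
    """Users who cannot yet be moved to a phishing-resistant-only policy."""
    return sorted(u for u, factors in enrollments.items() if not factors & PHISHING_RESISTANT)


def sim_swap_suspects(events, window=timedelta(hours=24)):
    """Return (user, event_type, ts) for sensitive actions authenticated with a
    telephony factor within `window` after that user's phone number changed.

    Sensitive here means a password/MFA reset, or a login from a device not
    seen before; the `new_device` flag is assumed to come from the IdP.
    """
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        change_times = [datetime.fromisoformat(e["ts"])
                        for e in user_events if e["type"] == "phone_number_changed"]
        for event in user_events:
            if event.get("factor") not in WEAK_TELEPHONY:
                continue  # a FIDO2/TOTP-authenticated action is not a SIM-swap indicator
            sensitive = event["type"] in {"password_reset", "mfa_reset"} or (
                event["type"] == "login" and event.get("new_device", False))
            if not sensitive:
                continue
            when = datetime.fromisoformat(event["ts"])
            if any(timedelta(0) <= when - changed <= window for changed in change_times):
                alerts.append((user, event["type"], event["ts"]))
    return alerts


if __name__ == "__main__":
    print("telephony-only accounts:", telephony_only_users(ENROLLMENTS))
    print("no phishing-resistant factor:", users_without_phishing_resistant_factor(ENROLLMENTS))
    for alert in sim_swap_suspects(EVENTS):
        print("possible SIM swap:", alert)
```

On the constructed data the first check names alice and dave, the second adds bob, and the correlation fires twice for alice (an SMS-authenticated password reset and a new-device SMS login, both within an hour of her number changing) while bob's later TOTP login and carol's FIDO2 login are ignored. The 24-hour window is a starting point to tune; carrier porting and the attacker's follow-up typically happen within hours, so a shorter window reduces noise from legitimate phone changes.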
Several successful Lapsus$ attacks have targeted third-party service providers, exploiting weaknesses at the provider and then abusing the privileged access the provider holds into its clients' networks to reach the intended targets. The CSRB found many examples of companies failing to incorporate third-party service providers and business process outsourcers (BPOs) into their risk management programs, which left those providers' weaknesses unassessed and unaddressed and allowed a single breach at a provider to be turned into attacks on its downstream clients.
The CSRB also noted that because many members of the group are juveniles, the legal consequences they face for these attacks are comparatively light, so there is little deterrent to joining such groups. There are few cyber-specific intervention programs for diverting potential offenders into legitimate cybersecurity activities.
The CSRB made several recommendations, including moving towards passwordless authentication, prioritizing efforts to reduce the efficacy of social engineering and phishing, adopting zero-trust architectures, hardening the security at BPOs and client companies, building resiliency against illicit SIM swapping, and for law enforcement, industry, and international partners to advance programs and mechanisms for juvenile cybercrime prevention and intervention.