CSRB reports on global extortion-focused Lapsus$ hacker group, provides list of recommendations

The U.S. Department of Homeland Security (DHS) published the Cyber Safety Review Board’s (CSRB) report summarizing the findings of its review into the activities associated with a threat actor group known as Lapsus$. The CSRB found that Lapsus$ and related threat actors used primarily simple techniques, like stealing cell phone numbers and phishing employees, to gain access to companies and their proprietary data. The report also outlined 10 actionable recommendations for how the government, companies, and civil society can better protect against Lapsus$ and similar groups.

The DHS announced last December that the CSRB would review the attacks associated with the global extortion-focused Lapsus$ hacker group.

Established last February under President Biden’s Executive Order (EO) 14028 on ‘Improving the Nation’s Cybersecurity’, the CSRB reviews major cyber events and makes concrete recommendations that would drive improvements. The CSRB offers a forum for government and industry experts to review cybersecurity events and provide recommendations. DHS and CSRB prioritize transparency and release public versions of reports, protecting sensitive information.

The latest report, entitled ‘Review of the Attacks Associated with Lapsus$ and Related Threat Groups’, is the Board’s second review and examines the recent attacks associated with Lapsus$.

“Among its findings, the Board saw a collective failure across organizations to account for the risks associated with using text messaging and voice calls for multi-factor authentication. It calls for organizations to immediately switch to more secure, easy-to-use, password-less solutions by design,” according to a DHS media release. “The report also includes recommendations for cell phone carriers to better protect their customers by implementing stringent authentication methods, and for the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to mandate and standardize best practices to combat SIM swapping.”

“Our ability to protect Americans from cyber vulnerabilities has never been stronger thanks to the community we are building through the Cyber Safety Review Board,” Alejandro N. Mayorkas, secretary of Homeland Security, said. “As our threat environment evolves, so too must our detection and prevention capabilities. We must also evolve our ability to deploy those capabilities. The CSRB’s findings are not only timely, they are actionable and written with the guidance of real-world practitioners in the private sector.”

“The CSRB’s latest report reinforces the need for all organizations to take urgent steps to increase their cyber resilience, including the implementation of phishing-resistant multi-factor authentication,” according to Jen Easterly, Cybersecurity and Infrastructure Security Agency (CISA) director. “I look forward to working with our federal and industry partners to act on the CSRB’s recommendations, to include continuing our secure-by-design work with technology manufacturers to ensure that necessary security features are provided to customers without additional cost.”

“The Board examined how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world,” Robert Silvers, CSRB chair and DHS under secretary for policy, said. “We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their systems. The Board put forward specific recommendations to address these issues and more, in line with the Board’s mandate to conduct comprehensive after-action reviews of the most significant cyber incidents.”

The first CSRB report covered the Log4j vulnerability and its use in attacks on critical infrastructure systems; in it, the Board disclosed that it was not aware of any significant attacks. It added that organizations that responded most effectively to the Log4j event understood their use of Log4j and had technical resources and mature processes to manage assets, assess risk, and mobilize their organization and critical partners to action. However, few organizations could execute this kind of response at the speed required during this incident, causing delays in their assessment of the risk and their management of it.

Beginning in late 2021 and continuing into late 2022, Lapsus$ reportedly employed techniques to bypass a range of commonly used security controls and successfully infiltrated dozens of well-resourced organizations, the Board said in its latest report. The CSRB engaged with nearly 40 organizations and individuals — including representatives from threat intelligence firms, incident response firms, targeted organizations, international law enforcement organizations, as well as individual researchers and subject matter experts, and companies targeted in the attacks — to better understand the incidents and recommend safety improvements for the future.

The CSRB found that Lapsus$ leveraged simple techniques to evade industry-standard security tools that are a lynchpin of many corporate cybersecurity programs and outlined 10 actionable recommendations for how government, companies, and civil society can better protect against Lapsus$ and similar groups. 

The CSRB review detailed that Lapsus$ employed low-cost techniques, well-known and available to other threat actors, revealing weak points in cyber infrastructure that could be vulnerable to future attacks. The Board found that the multi-factor authentication (MFA) implementations used broadly in the digital ecosystem are not sufficient for most organizations or consumers. In particular, the Board saw a collective failure to sufficiently account for and mitigate the risks associated with using Short Message Service (SMS) and voice calls for MFA.

Threat actors can gain initial access to targeted organizations through Subscriber Identity Module (SIM) swapping attacks, which are exacerbated by a lucrative SIM swap criminal market, the report disclosed. “Current security protocols in the U.S. are not sufficient to prevent fraudulent SIM swapping. Many companies do not sufficiently consider third-party service providers and business process outsourcers (BPOs) in their risk management programs, enabling threat actors to exploit client relationships and conduct downstream attacks.”

It added that the juvenile status of certain threat actors can limit federal law enforcement’s role and yield lighter penalties under their home countries’ legal frameworks. “Less severe consequences may not adequately deter juveniles and few cyber-specific intervention programs exist that can help divert potential offenders to legitimate cybersecurity activities.”

Based on the CSRB’s review of attacks associated with Lapsus$ and related threat groups, the board recommends organizations strengthen identity and access management (IAM), mitigate telecommunication and reseller vulnerabilities, and build resilience across multi-party systems. Furthermore, the CSRB recommends lawmakers address law enforcement challenges and juvenile cybercrime. 

IAM weaknesses are some of the most serious vulnerabilities in the digital ecosystem and will require dramatic improvements focused on innovative controls and alternative authentication factors, the report identified. It recommends that “everyone must progress towards a passwordless world. Technology providers should design and deliver secure IAM solutions by default, including immediately beginning to transition away from voice- and SMS-based two-step MFA. Web and mobile application developers should leverage Fast IDentity Online (FIDO) 2-compliant, hardware-backed solutions built into consumer devices by default.” 

It also added that organizations should prioritize efforts to reduce the efficacy of social engineering. “As organizations integrate more robust authentication capabilities, they can reduce the efficacy of social engineering attacks, such as by requiring an explicit authentication event using a form of phishing-resistant MFA for each sensitive system transaction and fostering a positive security culture by incentivizing employees to report potential intrusions.”
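The per-transaction rule the report describes, written out as an added Go example (not code from the CSRB or from any vendor). It assumes a session keeps a list of completed authentication events and that a FIDO2 assertion for a sensitive action is challenged with that transaction's id, so a login-time MFA event, however recent, and any SMS or voice code can never satisfy the check.

```go
package main

import (
	"errors"
	"time"
)

// Factor names an authentication method. Only FIDO2/WebAuthn counts as
// phishing-resistant: the assertion is bound to the origin and the
// authenticator, so a relayed SMS code or a SIM swap cannot reproduce it.
type Factor string

const (
	FactorPassword Factor = "password"
	FactorSMS      Factor = "sms"
	FactorVoice    Factor = "voice"
	FactorTOTP     Factor = "totp"
	FactorFIDO2    Factor = "fido2"
)

// PhishingResistant reports whether a factor survives relay and SIM-swap attacks.
func PhishingResistant(f Factor) bool { return f == FactorFIDO2 }

// AuthEvent is one completed authentication held in the session: the factor
// used, when it happened, and the transaction its challenge was bound to
// (empty for an ordinary login). Transaction binding is this example's assumption.
type AuthEvent struct {
	Factor Factor
	At     time.Time
	TxnID  string
}

var ErrNoFreshProof = errors.New("sensitive transaction needs a fresh phishing-resistant authentication bound to it")

// AuthorizeSensitive implements the per-transaction rule: a sensitive action
// is allowed only if the session holds a phishing-resistant event bound to
// this exact transaction and no older than maxAge. Login-time MFA, SMS, voice
// and TOTP events never satisfy it, however recent they are.
func AuthorizeSensitive(session []AuthEvent, txnID string, now time.Time, maxAge time.Duration) error {
	for _, e := range session {
		if !PhishingResistant(e.Factor) || e.TxnID != txnID {
			continue
		}
		if age := now.Sub(e.At); age >= 0 && age <= maxAge {
			return nil
		}
	}
	return ErrNoFreshProof
}
```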

The report identified that customers and retailers are at risk for social engineering and other manipulation schemes, which allow threat actors to access sensitive information and backdoors to additional targets. The telecommunications industry, as well as federal regulators, should take steps to build resiliency against illicit activities and help defend against threat actors.

It recommends building resiliency against illicit SIM swapping. Telecommunication providers should build resiliency against social engineering in SIM swapping to protect the consumer, including treating SIM swaps as highly privileged actions, letting consumers lock their accounts, and requiring strong identity verification by default. Telecommunication providers should also improve asset management to prevent exploitation of point-of-sale systems, and harden applications and APIs used to manage customer accounts, including those enabling illicit SIM swaps.

It also called for boosting FCC and FTC oversight and enforcement activities by requiring regular reporting of illicit SIM swaps, documenting and enforcing best practices, and incentivizing better security by penalizing illicit SIM swaps or lax controls. 

Organizations should design their security programs to cover both their own information technology environments and the vendors that host critical data or maintain direct network access, to create a strong foundation for ongoing risk management. They must plan for disruptive cyber intrusions and invest in prevention, response, and recovery capabilities by creating roadmaps to rapidly adopt emerging modern architectures, designing and implementing zero trust architecture (ZTA) following guidelines such as CISA’s Zero Trust Maturity Model, and strengthening their authentication practices.

The report also said that disruption of threat actors and their attacks requires coordination among law enforcement, industry, and international partners. It pointed to the need for advancing ‘whole-of-society’ programs and mechanisms for juvenile cybercrime prevention and intervention. Organizations should fortify relationships with federal and mitigation partners pre-incident and improve prompt reporting to such partners, while the U.S. government (USG) should provide clear, consistent guidance about its cyber incident-related roles and responsibilities.

It also called for increased international law enforcement cooperation. The USG should enhance resources devoted to international law enforcement cooperation and strengthen international collaboration mechanisms to ensure effective information sharing and deconfliction to better prevent cybercriminals from evading the rule of law. 

The CSRB also suggests building resilience for emergency disclosure requests (EDRs) against social engineering attacks. Communications providers may share user data with government entities in an emergency, usually upon receipt and evaluation of an EDR. Given that threat actors abused this process to obtain sensitive information, providers should examine whether to design and implement new mechanisms for verifying EDRs using solutions such as standardized digital signatures.
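What signature-based EDR verification on the provider side could look like, as an added Go example (not from the report or any provider). It assumes agencies register Ed25519 public keys with the provider out of band, that the request body is the signed JSON shown, and that the provider checks the signature, a validity window and a replay list before acting on anything in the request; the agency id, request id and subject values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// EDR is the request body the provider acts on; only these signed bytes are trusted.
type EDR struct {
	AgencyID  string `json:"agency_id"`  // key into the provider's trust store
	RequestID string `json:"request_id"` // unique per request, for replay detection
	Subject   string `json:"subject"`    // account the agency asks about
	IssuedAt  int64  `json:"issued_at"`  // Unix seconds, bounds the validity window
}

// Verifier: agency keys registered out of band, validity window, and IDs already honoured.
type Verifier struct {
	Keys   map[string]ed25519.PublicKey
	MaxAge time.Duration
	Seen   map[string]bool
}

var (
	ErrBadSignature = errors.New("unregistered agency or signature does not verify")
	ErrStale        = errors.New("request outside validity window")
	ErrReplay       = errors.New("request id already processed")
)

// Verify accepts body+sig only if signed by a registered agency key, issued
// within MaxAge of now, and not seen before; it returns the parsed request.
func (v *Verifier) Verify(body, sig []byte, now time.Time) (*EDR, error) {
	var e EDR
	if err := json.Unmarshal(body, &e); err != nil {
		return nil, err
	}
	// The signature is checked before any field is acted on; an unknown agency fails like a forgery.
	if pub, ok := v.Keys[e.AgencyID]; !ok || !ed25519.Verify(pub, body, sig) {
		return nil, ErrBadSignature
	}
	if age := now.Sub(time.Unix(e.IssuedAt, 0)); age > v.MaxAge || age < -v.MaxAge {
		return nil, ErrStale
	}
	key := e.AgencyID + "/" + e.RequestID
	if v.Seen[key] {
		return nil, ErrReplay
	}
	v.Seen[key] = true
	return &e, nil
}
```

A request that arrives by e-mail or phone without a verifiable signature never reaches the data-release step, which is the social-engineering path the report describes.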

Last month, CISA identified the initial steps towards better cybersecurity and put forward four goals that organizations can start executing. Eric Goldstein, CISA’s executive assistant director for cybersecurity, laid down straightforward and essential practices including changing default passwords, implementing phishing-resistant MFA, separating user and privileged accounts, and building incident response plans.