The US Cyber Safety Review Board (CSRB) has issued a comprehensive report shedding light on the operations of the notorious extortion-focused hacker collective, Lapsus$.
The findings reveal that Lapsus$ exploited basic strategies to sidestep conventional security measures, prompting the CSRB to propose ten concrete recommendations for both governmental bodies and industries.
The report, delivered to President Biden by Secretary of Homeland Security Alejandro N. Mayorkas, stems from a collaborative effort involving input from over 40 entities, including threat intelligence firms, targeted organizations, international law enforcement agencies, and cybersecurity experts.
A prominent discovery was Lapsus$’s recurrent use of unsophisticated tactics, such as phishing employees and stealing cell phone numbers to gain unauthorized access to organizations and sensitive data.
Particularly alarming was the Board’s observation of a systemic failure among organizations to assess the weaknesses of SMS- and voice-call-based multi-factor authentication (MFA). To counter this, the CSRB advocated an immediate transition to more secure, passwordless authentication methods.
“Lapsus$ and related threat actors are using basic techniques to gain an entry point into companies. Their primary attack vectors – SIM swap attacks and phishing employees – can be easily addressed, especially for companies like Microsoft and Okta that are so well-resourced,” said Rosa Smothers, former CIA cyber threat analyst and current KnowBe4 executive.
“Hardware authentication requires in-person direct engagement, preventing remote, phone-based attacks. And training employees to spot and report social engineering attempts like phishing should be the basis of any company’s security awareness training program.”
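The report and the quotes above recommend moving from SMS or voice MFA to hardware-backed, passwordless authentication. The following added example (not from the CSRB report, the article, or any vendor) shows the property that makes the difference: an SMS code is a bare string that verifies wherever it is typed, while a WebAuthn-style assertion is signed over the relying-party identifier the browser actually has open, so an assertion produced on a lookalike domain fails verification at the genuine site. The authenticator is simulated with an HMAC instead of a real public-key signature so the script runs with the standard library only; the domain names and the simplified assertion layout are constructed for illustration.

```python
"""Why origin-bound authentication resists relayed phishing while SMS OTP does not.

Added example: the 'authenticator' is a stand-in built on HMAC (real WebAuthn
uses asymmetric keys and a richer clientDataJSON); only the binding logic is
what this demonstrates.
"""
import hashlib
import hmac
import os
import secrets

# Constructed sample domains: the legitimate relying party and a lookalike.
RP_ID = "login.example.com"
LOOKALIKE_RP_ID = "login-example.com"


# --- SMS / voice OTP: a code bound to nothing ------------------------------
def sms_issue_code() -> str:
    """Issue a six-digit one-time code as an SMS or voice MFA flow would."""
    return f"{secrets.randbelow(10**6):06d}"


def sms_verify(expected: str, submitted: str) -> bool:
    """The server cannot tell where the user typed the code: a value relayed
    from a lookalike page verifies exactly like one typed on the real site."""
    return hmac.compare_digest(expected, submitted)


# --- Origin-bound assertion (WebAuthn-style, simulated) --------------------
def authenticator_assert(credential_key: bytes, rp_id_seen_by_browser: str,
                         challenge: bytes) -> dict:
    """The browser passes the RP ID of the page that is actually open; the
    authenticator signs over its hash plus the server's challenge, so the
    result is only meaningful for that RP."""
    rp_id_hash = hashlib.sha256(rp_id_seen_by_browser.encode()).digest()
    sig = hmac.new(credential_key, rp_id_hash + challenge, hashlib.sha256).digest()
    return {"rp_id_hash": rp_id_hash, "challenge": challenge, "sig": sig}


def rp_verify(credential_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks: fresh challenge, our own RP ID, valid signature."""
    # 1. The challenge must be the one this server issued (no replay).
    if not hmac.compare_digest(assertion["challenge"], expected_challenge):
        return False
    # 2. The RP ID hash must be ours; a lookalike domain's hash fails here.
    our_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(assertion["rp_id_hash"], our_hash):
        return False
    # 3. The signature must cover exactly those two fields.
    expected_sig = hmac.new(credential_key,
                            assertion["rp_id_hash"] + assertion["challenge"],
                            hashlib.sha256).digest()
    return hmac.compare_digest(assertion["sig"], expected_sig)


def demo() -> dict:
    """Run both flows through a relayed (phished) login and report outcomes."""
    results = {}

    # SMS: the user types the code on the lookalike page and it is forwarded.
    code = sms_issue_code()
    relayed_code = code
    results["sms_relay_accepted"] = sms_verify(code, relayed_code)

    # WebAuthn-style: same relay, but the browser is on the lookalike domain,
    # so the authenticator binds the assertion to the wrong RP ID.
    key = os.urandom(32)
    challenge = os.urandom(32)
    genuine = authenticator_assert(key, RP_ID, challenge)
    relayed = authenticator_assert(key, LOOKALIKE_RP_ID, challenge)
    results["webauthn_genuine_accepted"] = rp_verify(key, challenge, genuine)
    results["webauthn_relay_accepted"] = rp_verify(key, challenge, relayed)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'REJECTED'}")
```

The point for defenders is the second check in `rp_verify`: the server compares the RP ID hash against its own identity, and the browser, not the user, decides which RP ID is signed. No amount of user training is needed for that check to hold, which is why the Board treats phishing-resistant authenticators as the fix rather than stronger SMS hygiene.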
The CSRB’s suggestions encompass several facets, urging cell phone carriers to enhance customer security through stringent authentication procedures. Additionally, the report calls upon the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) to institute standardized guidelines for thwarting SIM-swapping attacks.
“The Cyber Safety Review Board has no regulatory authority, but how these findings can better affect federal agencies to drive change will be key,” Smothers added.
“The recent SEC policy requiring disclosure of ‘material’ breach incidents within four days and the Department of Defense’s Cybersecurity Maturity Model Certification framework are great examples of how the federal government’s security requirements can drive positive change in the private sector.”