reader comments
23 with
A ragtag bunch of amateur hackers, many of them teenagers with little technical training, have been so adept at breaching large targets, including Microsoft, Okta, Nvidia, and Globant, that the federal government is studying their methods to get a better grounding in cybersecurity.
The group, known as Lapsus$, is a loosely organized group that employs hacking techniques that, while decidedly unsophisticated, have proved highly effective. What the group lacks in software exploitation, it makes up for with persistence and creativity. One example is their technique for bypassing MFA (multi-factor authentication) at well-defended organizations.
Studying the Lapsus$ hacking playbook
Rather than compromising infrastructure used to make various MFA services work, as more advanced groups do, a Lapsus$ leader last year described his approach to defeating MFA this way: “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
On Thursday, the Homeland Security Department’s Cyber Safety Review Board released a report that documented many of the most effective tactics in the Lapsus$ playbook and urged organizations to develop countermeasures to prevent them from succeeding.
Like a few other more technically advanced threat groups, Lapsus$ “showed adeptness in identifying weak points in the system—like downstream vendors or telecommunications providers—that allowed onward access to their intended victims,” the officials wrote in the 52-page report. “They also showed a special talent for social engineering, luring a target’s employees to essentially open the gates to the corporate network.”
compliant with the FIDO2 industry standard.
passkeys, based on FIDO2. Like all FIDO2 offerings, passkeys are immune to all known credential phishing attacks because the standard requires the device that provides MFA to be no further than a few feet away from the device logging in.
Another recommendation is for the Federal Communications Commission and the Federal Trade Commission to beef up regulations concerning the porting of phone numbers from one SIM to another to curb SIM swapping.
“Organizations must act now to protect themselves, and the Board identified tangible ways to do so, with the help of the US government and the companies that are best prepared to provide safe-by-default solutions to uplift the whole ecosystem,” the report’s authors wrote. “Many of the Board’s recommendations come within the broader theme of ‘security by design,’ reflecting the larger industry conversation, including the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure by Design efforts.”