LAPSUS$ Group: Flaws Exposed in US Homeland Security Enterprise
In 2022, two major cyber attacks caused serious reputational and financial damage to leading companies in the tech industry. Reports stated that hackers gained admin-level access to servers belonging to Microsoft, T-Mobile, and Samsung, and exfiltrated the source code of the Bing search engine as well as thousands of customer accounts from these companies. Both the initial attacks and the exfiltration of the customer data were the work of the Lapsus$ group, a hacker collective that leveraged flaws in the relationship between the government and third-party service providers to gain access to systems. Another facet of these cyber attacks is that they abuse the trust between the government and its contractors, so proper protocols and techniques should be followed, such as reducing the use of SMS-based multi-factor authentication and relying more on unique device authentication. These attacks highlight a larger need for proper employee education on social engineering attacks, since education will have the greatest impact on the long-term mitigation of attacks of this type.
In a 2023 report, CISA (the Cybersecurity and Infrastructure Security Agency) found that the Lapsus$ group exploited a flaw in the bureaucracy between the public and private sectors that allowed them to socially engineer their way into obtaining highly sensitive data on their targets. They did this by submitting fraudulent Emergency Disclosure Reports (EDRs); these reports are used by law enforcement to obtain access to individual accounts by requesting them directly from tech companies such as X and Meta. This form of social engineering was highly effective and was critical to the 2022 Uber and Microsoft cyberattacks. From there, the group would attempt to persuade the targeted individual to grant access to their account using a social engineering method called an MFA (multi-factor authentication) fatigue attack, in which the hackers spam the victim with MFA authentication requests until the individual approves one, giving the hackers access to the victim's account.
The manipulative nature of these attack methods, along with their relative ease of use and low operating cost, highlights a serious flaw in the security ecosystem of modern major organizations. Currently, 57% of global companies use some form of MFA to secure their data. The widespread adoption of MFA to protect government accounts and information also means that US government agencies are susceptible to MFA fatigue attacks, which would allow even unsophisticated hacking groups to break into government agencies' computers with little to no resistance.
Despite the relative ease and high impact of these techniques, there are steps government agencies and defense contractors can take to mitigate them. The first step, and the one that has had the greatest effect on disrupting attackers' methods of entry, is switching from push-notification MFA to code-based MFA, similar to Duo Mobile and Authy, where a one-time series of numbers must be entered for each login attempt. Notably, these methods do not send a notification, making them less likely to be breached using this social engineering technique. CISA recommends that employers handling sensitive data take steps to educate and train employees on dealing with this method of account takeover. In its report on the social engineering tactics of groups such as Lapsus$, CISA recommended that providers and companies dealing with EDRs rework their internal systems to better verify what information is being requested and who is sending the request. The most systematic approach to defending against these social engineering attacks is to issue individual FIDO (Fast IDentity Online) keys bound to devices. This allows each device to be better secured against social engineering attacks through stronger device authentication when signing into accounts. It makes it extremely difficult for hackers to attack the target, since they would need physical access to the target's device as well as knowledge of the target's user information. These factors make FIDO keys far more difficult to get around than current security measures. These mitigation techniques are essential for stable national cybersecurity and need to be implemented across the homeland security enterprise to better secure the prosperity and security of America's cyber infrastructure.
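As an added example that is not part of the original article or the CISA report, the following Python script shows the detection side of the MFA fatigue pattern described above: it parses a small constructed authentication log (the log format, user names and timestamps are assumptions) and flags any account that received repeated push prompts inside a short window, recording whether one of them was approved.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log ("timestamp user result"); not from any real system.
SAMPLE_LOG = """\
2022-03-20T02:11:05Z alice push_sent
2022-03-20T02:11:35Z alice push_denied
2022-03-20T02:12:01Z alice push_sent
2022-03-20T02:12:40Z alice push_timeout
2022-03-20T02:13:02Z alice push_sent
2022-03-20T02:13:30Z alice push_denied
2022-03-20T02:14:10Z alice push_sent
2022-03-20T02:14:20Z alice push_approved
2022-03-20T09:00:00Z bob push_sent
2022-03-20T09:00:20Z bob push_approved
"""


def parse_log(text):
    """Parse 'ISO-timestamp user result' lines into sorted (datetime, user, result)."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def find_fatigue_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who received >= threshold push prompts inside one window.

    A legitimate login needs one prompt; a run of prompts in quick succession
    is the fatigue pattern. Each finding records whether the user approved a
    prompt during the burst, which is the case that needs incident follow-up.
    """
    per_user = defaultdict(list)
    for ts, user, result in events:
        per_user[user].append((ts, result))
    hits = {}
    for user, evs in per_user.items():
        sends = [ts for ts, r in evs if r == "push_sent"]
        for start in sends:
            end = start + window
            count = sum(1 for ts in sends if start <= ts <= end)
            if count >= threshold:
                approved = any(r == "push_approved" and start <= ts <= end
                               for ts, r in evs)
                hits[user] = {"pushes": count, "start": start,
                              "approved_during_burst": approved}
                break  # one finding per user is enough for triage
    return hits
```

A push-MFA provider that applies the same per-account rate limit before sending the next prompt stops the spam before a worn-down user can approve it.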
While these techniques are still in use and government employees and agencies remain highly vulnerable to this type of social engineering attack, it is important to recognize the advice given by CISA to both government contractors and government employees on how to respond to these cyberattacks. This type of attack relies on targets being uninformed and unaware of these methods, and so CISA, Microsoft, and Google's cyber defense teams recommend educating employees on these attack methods so they can defend their accounts from cybercriminals.
FIDO Alliance. “How FIDO Works - Standard Public Key Cryptography & User Privacy.” FIDO Alliance, 1 Sept. 2023, fidoalliance.org/how-fido-works/.
CISA. “Review of the Attacks Associated with LAPSUS$ and Related Threat ...” CISA.gov, www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf. Accessed 29 Sept. 2023.
Goodin, Dan. “How Fame-Seeking Teenagers Hacked Some of the World’s Biggest Targets.” Ars Technica, 11 Aug. 2023, arstechnica.com/security/2023/08/homeland-security-details-how-teen-hackers-breached-some-of-the-biggest-targets/.
Gatlan, Sergiu. “57% of Businesses Use Multi-Factor Auth (MFA), Says LastPass.” BleepingComputer, 7 Oct. 2019, www.bleepingcomputer.com/news/security/57-percent-of-businesses-use-multi-factor-auth-mfa-says-lastpass/.
Goodin, Dan. “Lapsus$ and SolarWinds Hackers Both Use the Same Old Trick to Bypass MFA.” Ars Technica, 29 Mar. 2022, arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/.
Microsoft Incident Response and Microsoft Threat Intelligence. “DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction.” Microsoft Security Blog, 11 Sept. 2023, www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/.
Specops Software. “MFA Fatigue Attacks Are Putting Your Organization at Risk.” BleepingComputer, 15 Nov. 2022, www.bleepingcomputer.com/news/security/mfa-fatigue-attacks-are-putting-your-organization-at-risk/.
Seytonic. “Teenagers Hacked the World’s Biggest Companies.” YouTube, 26 Aug. 2023, www.youtube.com/watch?v=6Es2SwU-47I.