The Importance of Passwordless Security and Zero-Trust Architecture
The Cybersecurity and Infrastructure Security Agency (CISA) has recently released a report on the LAPSUS$ hacking group, highlighting the urgent need for public and private organizations to prioritize passwordless authentication and zero-trust architecture as effective measures against future cyber attacks.
The report acknowledges that the LAPSUS$ group’s methodology is not based on novel attack vectors but rather on organizational security failures. It emphasizes the importance of adopting better strategies to prevent and respond to cyber attacks, as well as promoting closer security dialogues between companies and third-party providers.
Throughout 2021 and 2022, the LAPSUS$ group carried out several cyber attacks, exploiting weaknesses such as overreliance on SMS-based two-factor authentication. In response to these findings, CISA has issued immediate recommendations for businesses, including the adoption of passwordless authentication methods and the implementation of stronger protections against social engineering and phishing, which are favored by LAPSUS$.
The report reveals that the LAPSUS$ threat actors are proficient in using social engineering techniques to obtain victims’ phone numbers and passwords. Their methods involve crawling through public information, fraudulent phone calls, and spear phishing.
Application developers have specifically been advised to implement FIDO2-compliant authentication by default on consumer phones. This implementation would enable businesses to easily transition to passwordless authentication for all staff members.
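Why FIDO2 counts as phishing-resistant where SMS codes do not comes down to binding: the browser records the origin the user actually visited and the authenticator scopes the credential to that relying-party ID, so a code-relaying phishing site produces an assertion the real service rejects. The following is an added example, not code from the report or from any FIDO2 library; it checks only the challenge, origin and rpIdHash bindings of a WebAuthn assertion on the relying-party side (signature verification is omitted), with all names and sample values constructed.

```python
import base64
import hashlib
import json

# Constructed sample relying party (not from the report).
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
# A server-issued challenge; a real server draws this fresh per login.
CHALLENGE = hashlib.sha256(b"constructed-challenge").digest()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_fido2_binding(client_data_json: bytes, authenticator_data: bytes,
                         expected_challenge: bytes, rp_id: str, origin: str) -> bool:
    """Relying-party checks that make the assertion useless to a phishing site."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    # Challenge must match the one issued for this login (stops replay).
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False
    # Origin is filled in by the browser, not the page, so a look-alike site cannot forge it.
    if client_data.get("origin") != origin:
        return False
    # authenticatorData starts with SHA-256(rpId) (32 bytes) followed by the flags byte.
    if len(authenticator_data) < 37:
        return False
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    flags = authenticator_data[32]
    return bool(flags & 0x01)  # user-presence flag set


def make_assertion(origin: str, challenge: bytes, rp_id: str):
    """Constructed stand-in for what a browser returns; no real key or signature."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")
    return client_data, auth_data


def legitimate_login_ok() -> bool:
    cd, ad = make_assertion(RP_ORIGIN, CHALLENGE, RP_ID)
    return verify_fido2_binding(cd, ad, CHALLENGE, RP_ID, RP_ORIGIN)


def phished_login_ok() -> bool:
    # User was lured to a look-alike domain; browser and authenticator bind to that domain.
    cd, ad = make_assertion("https://bank-login.example", CHALLENGE, "bank-login.example")
    return verify_fido2_binding(cd, ad, CHALLENGE, RP_ID, RP_ORIGIN)
```

The same relayed-code trick that defeats SMS-based two-factor authentication fails here because neither the origin nor the rpIdHash can be made to match the real service.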
The report was written by the Cyber Safety Review Board (CSRB), whose members include representatives from the Department of Homeland Security, CISA, the Department of Defense, the Federal Bureau of Investigation, and private companies such as Google and Palo Alto Networks.
Telecommunications providers have been urged to establish protections against SIM swapping attacks, whereby a hacker exploits the process of transferring a phone number to a new device and activates their own SIM under the victim’s number. Controlling a victim’s number gives attackers the ability to use SMS-based two-factor authentication to gain access to sensitive accounts.
Robert Silvers, the chair of CSRB and DHS under-secretary for policy, stated, “The Board examined how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world.” The report emphasizes the need to address deficiencies in vendor security, cell phone carrier protection against SIM swapping, and user authentication on organizational systems.
CISA emphasizes the importance of mobile network operators adopting zero-trust approaches to security and investing in methods to remotely wipe compromised devices. Additionally, the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) have called for greater transparency from telcos regarding SIM swapping statistics.
The fact that some LAPSUS$ hackers were teenagers is repeatedly highlighted to demonstrate the ease with which these attacks were carried out and the need for urgent action. The report also suggests that US agencies could consider implementing schemes to identify at-risk juveniles and support their cyber interests in positive ways, such as hackathons or gaming tournaments. This approach could effectively reduce cyber attacks and alleviate tech skills shortages by directing talented individuals toward cybersecurity roles.
To enhance the cybersecurity sector as a whole, the report encourages private companies to share more data on cyber attacks with the government and for government entities to expand cooperation with international law enforcement agencies to combat cyber criminals.
Jen Easterly, the director at CISA, highlights the need for organizations to increase their cyber resilience and implement phishing-resistant multi-factor authentication. Easterly commits to working with federal and industry partners to act on the CSRB’s recommendations, including collaborating with technology manufacturers to ensure necessary security features are provided to customers without additional costs.
LAPSUS$, also known as Strawberry Tempest, has been identified by Microsoft as one of the most active and malicious hacking groups of 2022. The group was responsible for significant cyber attacks on notable organizations, including Nvidia, Globant (which impacted high-profile clients), T-Mobile (source code theft), and a public attack on Uber using social engineering techniques.