Cyber Safety Review Board Underscores Risk of Lapsus$ Threat Group

August 14, 2023 - The Cyber Safety Review Board (CSRB) issued an analysis of Lapsus$ threat group and its tactics, encouraging organizations to strengthen identity and access management processes and build resiliency across multi-party systems.

The CSRB was established in February 2022 as directed by President Biden’s Executive Order on improving the nation’s cybersecurity. The board was created to review significant cyber events and provide actionable recommendations to drive cybersecurity improvements across all sectors.

Previously, the CSRB issued an in-depth report on the series of Log4j incidents that shook up the security world in 2021. The CSRB declared Log4j an “endemic vulnerability” and provided insights into how organizations could manage this risk going forward.

This time, the CSRB focused on Lapsus$, a notorious threat group that conducted dozens of extortion-focused cyberattacks on companies and government agencies between 2021 and 2022. HHS issued a healthcare-specific threat brief about the group in April 2022 and encouraged organizations to remain vigilant.

The CSRB engaged with almost 40 organizations to gather insights about Lapsus$. The group has been observed exploiting vulnerabilities in the identity and access management ecosystem, stealing source code, demanding ransoms, and penetrating corporate networks.

The board’s analysis concluded that Lapsus$ had a habit of leveraging low-cost techniques and well-known weak points in cyber infrastructure to attack victims. Essentially, these threat actors went after low-hanging fruit rather than focusing on complicated cyber threat tactics.

“The Board found that the multi-factor authentication (MFA) implementations used broadly in the digital ecosystem today are not sufficient for most organizations or consumers,” the review noted.

“In particular, the Board saw a collective failure to sufficiently account for and mitigate the risks associated with using Short Message Service (SMS) and voice calls for MFA.”

What’s more, Lapsus$ threat actors have been known to gain initial access via Subscriber Identity Module (SIM) swapping attacks. Current security processes in the United States are not sufficient to prevent SIM swapping, the CSRB noted.

The HHS brief mentioned that the Lapsus$ threat actors are believed to be mostly teenagers and young adults. Expanding upon this theory, the CSRB acknowledged that the “juvenile status of certain threat actors can limit federal law enforcement’s role and yield lighter penalties under their home countries’ legal frameworks,” meaning that there are fewer deterrents to committing cyber crimes.

With all these risks in mind, the CSRB provided actionable steps that organizations can take to harden their defenses. Considering ongoing challenges with identity and access management, organizations are encouraged to move away from voice and SMS-based two-step MFA and toward Fast IDentity Online (FIDO)2-compliant, hardware-backed solutions.

Additionally, the CSRB called on federal regulators and the telecommunications industry to crack down on illicit SIM swapping.

“Telecommunication providers should build resiliency against social engineering in SIM swapping to protect the consumer, including treating SIM swaps as highly privileged actions, letting consumers lock their accounts, and requiring strong identity verification by default,” the CSRB suggested.

“Telecommunication providers should also improve asset management to prevent exploitation of point-of-sale systems, and harden applications and APIs used to manage customer accounts, including those enabling illicit SIM swaps.”

The CSRB also recommended that the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) increase their oversight and enforcement activities in this space.

“Based on the CSRB’s review of attacks associated with Lapsus$ and related threat groups, the CSRB recommends organizations strengthen identity and access management, mitigate telecommunication and reseller vulnerabilities, and build resiliency across multi-party systems,” the board summarized.

“Furthermore, the CSRB recommends lawmakers address law enforcement challenges and juvenile cybercrime.”