Cyber Review: Teens Caused Chaos With Low-Complexity Attacks
Voice and Text Not Secure Enough for Authentication, Cyber Safety Review Board Says
What does it mean for the state of our collective cybersecurity when "a loosely affiliated hacker group," some of them teenagers, can compromise "dozens of well-defended companies with low-complexity attacks"?
That's a taut summation, courtesy of Google security chief Heather Adkins, of the impact of the Lapsus$ cybercrime group, which hacked its way through the defenses of dozens of well-resourced organizations from late 2021 to late 2022.
Adkins is deputy chair of the public-private U.S. Cyber Safety Review Board, which on Thursday issued its second-ever after-action report, this time focused on lessons to be learned from the success of the Lapsus$ group's attacks.
"We uncovered deficiencies in how companies ensure the security of their vendors, how cellphone carriers protect their customers from SIM swapping and how organizations authenticate users on their systems," said Robert Silvers, the Department of Homeland Security's undersecretary for strategy, policy and plans - and chair of the CSRB.
"The board put forward specific recommendations to address these issues and more, in line with the board's mandate to conduct comprehensive after-action reviews of the most significant cyber incidents," he said.
Tackling 'Systemic Issues'
Following a flurry of high-profile hacks early in his tenure, President Joe Biden in 2021 established the DHS-led Cyber Safety Review Board through an executive order, tasking it with producing recommendations for improving the nation's security. Many cybersecurity experts welcomed the analysis promised by the board, although some cautioned that the ability to force change would be needed to really improve the nation's cybersecurity resilience.
This remains a common refrain - and challenge - with cybersecurity. Too many attacks continue to succeed because victims didn't do the basics.
Back in 2012, cybersecurity expert Grady Summers, then at Mandiant, summarized this state of affairs when referring to the famous hacktivist collective then ravaging networks: "The Anonymous attacks hold up a mirror to our neglect."
True, some attack campaigns do turn out to be audacious, pushing boundaries in innovative ways. Take the Russia-attributed supply chain campaign that compromised SolarWinds' software build process to trojanize its Orion updates, or the Clop group's ability to find and exploit zero-day vulnerabilities in widely used file transfer software to extort large numbers of victims at once.
Then there's Lapsus$, which succeeded with nary an advanced supply-chain hack or zero-day up its sleeve. "The CSRB found that Lapsus$ and related threat actors used primarily simple techniques, like stealing cellphone numbers and phishing employees, to gain access to companies and their proprietary data," the board said.
In particular, many victim organizations were using text messaging and voice calls for two-factor authentication, which the hacking group regularly defeated with ease, the board found.
"Lapsus$ was not unique in the criminal landscape in which it operated," the report states. "But Lapsus$ was unique for its effectiveness, speed, creativity and boldness; it operated in a way that gifted the board a propitious lens through which we could see systemic issues in the digital ecosystem," not least in "the identity and access management ecosystem."
Having analyzed the group's tactics, the board is calling "for organizations to immediately switch to more secure, easy-to-use, password-less solutions by design," such as tools that comply with FIDO Alliance standards.
While this will require IT energy and investment - and potentially lead to pushback from users - the alternative is getting hacked by teenagers or anyone else who might come gunning.
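The difference between the two-factor methods Lapsus$ defeated and the FIDO-based alternative the board recommends comes down to what the second factor is bound to. An SMS or voice code is a bare secret: whoever holds it can submit it from anywhere, so an attacker who SIM-swaps the number or who proxies the login through a look-alike page gets in. A FIDO/WebAuthn assertion is a signature over data the browser fills in itself, including the origin the user is actually on, so a code-relay from a phishing domain produces an assertion the real site rejects. The following is an added example, not code from the CSRB report or from any vendor; the hostnames, user names and keys are constructed, and an HMAC stands in for the ECDSA signature a real authenticator would produce, which is enough to show the origin check:

```python
"""
Added example (not from the CSRB report or the article): a toy simulation of
why an SMS/voice one-time code survives a phishing relay while a FIDO/WebAuthn
assertion does not. All hostnames, users and secrets are constructed. The ECDSA
signature a real authenticator makes is stood in for by an HMAC over the same
fields (rpIdHash || SHA-256(clientDataJSON)); the origin check is unchanged.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                      # constructed relying-party ID
RP_ORIGIN = "https://bank.example"          # constructed legitimate origin
PHISH_ORIGIN = "https://bank-example.com"   # constructed look-alike phishing origin


# --- SMS / voice OTP: a shared code with no binding to where it was typed ---

class OtpRelyingParty:
    def __init__(self):
        self.pending = {}

    def start_login(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # "sent" by SMS or voice call to the user's number

    def finish_login(self, user, submitted):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, submitted)


def phish_relay_otp(rp, user):
    """Attacker proxies the victim's login through a look-alike page."""
    code = rp.start_login(user)          # attacker triggers the real login
    typed_on_phish_page = code           # victim reads the SMS and types it in
    return rp.finish_login(user, typed_on_phish_page)  # attacker forwards it; RP cannot tell


# --- FIDO/WebAuthn-style assertion: signature covers the origin the browser saw ---

class Authenticator:
    """Stand-in for a security key; `key` plays the role of the private key."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, rp_id_hash, client_data):
        client_data_hash = hashlib.sha256(client_data).digest()
        return hmac.new(self.key, rp_id_hash + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(auth, origin, challenge, rp_id):
    """The browser, not the page's JavaScript, fills in the origin it is on.
    (A real browser would refuse outright because rp_id is not a registrable
    suffix of the phishing origin; even if it signed, the RP check below fails.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return client_data, auth.sign(rp_id_hash, client_data)


class FidoRelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id = rp_id
        self.origin = origin
        self.creds = {}      # user -> key (stand-in for the stored public key)
        self.pending = {}

    def register(self, user, auth):
        self.creds[user] = auth.key

    def start_login(self, user):
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, client_data, signature):
        challenge = self.pending.pop(user, None)
        key = self.creds.get(user)
        if challenge is None or key is None:
            return False
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False                 # replayed or foreign challenge
        if cd.get("origin") != self.origin:
            return False                 # signed on a phishing origin: reject
        rp_id_hash = hashlib.sha256(self.rp_id.encode()).digest()
        expected = hmac.new(key, rp_id_hash + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def phish_relay_fido(rp, user, auth):
    challenge = rp.start_login(user)     # attacker fetches the real challenge
    client_data, sig = browser_get_assertion(auth, PHISH_ORIGIN, challenge, rp.rp_id)
    return rp.finish_login(user, client_data, sig)   # forwarded; rejected on origin


def legit_fido(rp, user, auth):
    challenge = rp.start_login(user)
    client_data, sig = browser_get_assertion(auth, RP_ORIGIN, challenge, rp.rp_id)
    return rp.finish_login(user, client_data, sig)


def demo():
    """Run both flows; returns {"otp_relay": True, "fido_relay": False, "fido_legit": True}."""
    otp_rp = OtpRelyingParty()
    auth = Authenticator()
    fido_rp = FidoRelyingParty(RP_ID, RP_ORIGIN)
    fido_rp.register("alice", auth)
    return {"otp_relay": phish_relay_otp(otp_rp, "alice"),
            "fido_relay": phish_relay_fido(fido_rp, "alice", auth),
            "fido_legit": legit_fido(fido_rp, "alice", auth)}


if __name__ == "__main__":
    print(demo())
```

The SIM-swap case the board describes is simpler still than the relay shown here: the attacker never needs the victim to type anything, because the carrier delivers the code to a phone the attacker controls. Neither variant works against the assertion flow, since the challenge is single-use, bound to the relying party's origin, and signed by a key that never leaves the authenticator.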
The board also found that mobile carriers have failed to implement robust methods for authenticating their customers, even though the dangers of SIM swapping have been well known and documented for many years. Too many carriers still fail to invest in stronger defenses.
Accordingly, the board is urging the Federal Communications Commission and Federal Trade Commission to detail best practices for preventing SIM swapping and force carriers to comply with them.
Lessons From Log4Shell
The new report into Lapsus$ attacks follows the board's first report, released in July 2022, into the ubiquitous Log4Shell flaw present in the Apache open-source logging framework Log4j.
The board warned that the "endemic vulnerability" would likely be present in enterprise networks for a decade or more and urged organizations to create better vulnerability response programs. It also urged vendors to handle vulnerability disclosure and remediation more smoothly.
Such fixes haven't happened overnight - or even in the past year. Last week, cybersecurity officials across the U.S. and its Five Eyes intelligence alliance partners warned that Log4j remains one of the top 12 most exploited flaws in enterprise networks by hackers, despite repeat and robust calls for the flaws to be patched.
Do the Basics, Then Repeat
Both CSRB reports, including their recommendations for what needs to change, are a reminder that getting the cybersecurity basics right might not sound sexy but remains essential. Still, many fail to do so.
The U.S. National Institute of Standards and Technology warned in 2016 that one-time codes delivered via voice or SMS were too easy to intercept and recommended other authenticator types instead. In 2021 and 2022, Lapsus$ nevertheless ran roughshod through enterprises that had yet to heed that advice.
Good cybersecurity hygiene protects against all threats, be they advanced persistent threat groups affiliated with Russia, China or North Korea; criminals operating from those and other geographies; commercial spyware wielded by authoritarian regimes or unscrupulous competitors; plus hacktivists, script kiddies or otherwise bored teenagers.
Sophisticated hackers won't use an advanced hacking technique or zero-day flaw exploit if faster, simpler or less expensive tactics will suffice. The CSRB's latest report is a reminder that, collectively, it pays to make life harder for hackers of every stripe.