On August 10, 2023, the U.S. Department of Homeland Security (DHS) released the Cyber Safety Review Board (CSRB) report summarizing the findings of its review into the activities of threat actor group Lapsus$, who, beginning in late 2021 and continuing into late 2022, attempted to extort dozens of well-known global companies and government agencies. Lapsus$ exploited corporate networks, stole source code, demanded extortion payments, and defaced websites with political messages; most thought this was the work of a nation-state group. However, juveniles looking for clout and global acclaim used simple techniques like phishing employees and stealing phone numbers and credentials to evade industry-standard security practices to access corporate systems, including proprietary data.
According to the CSRB report, these attacks were not unique in the criminal landscape, nor did they involve advanced tooling or methods of entry. What set Lapsus$ apart from other global threat actor groups was effectiveness, speed, creativity, and boldness. Lapsus$ displayed an exceptional talent for social engineering, luring targeted employees into granting access to corporate networks and, in the process, exposing weaknesses in how organizations verify identity.
“Among its findings, the Board saw a collective failure across organizations to account for the risks associated with using text messages and voice calls for multi-factor authentication. It calls for organizations to immediately switch to more secure, easy-to-use, password-less solutions by design,” according to a DHS press release.
Lapsus$ Uses Smishing to Lure Targets
The findings reveal that the threat actors interacted directly with employees throughout the attack lifecycle, using a variety of techniques and multiple languages. Lapsus$ did their homework. During the Reconnaissance phase of the attack lifecycle, they gathered publicly available data about their targets, such as employee profile pictures, department structures, business processes, workflows, and business relationships, and later used it to impersonate personnel convincingly.
Lapsus$ took advantage of humans as the weakest link during the Initial Access phase, using spear-phishing to lure employees and contractors to spoofed or compromised sites, where they were tricked into entering their credentials. Impersonating trusted employees over the phone through voice phishing (vishing) let the group gather personal details about its targets; those details were then used to answer security questions, which resulted in support staff resetting account credentials for the attackers. SMS phishing (smishing) was another simple yet effective tool: Lapsus$ delivered links straight to a victim’s phone, including links to legitimate domains where the victims entered their credentials.
Multi-factor authentication (MFA) is a process we have all grown to trust for verifying our identities before accessing sensitive information, systems, and apps. In this case, Lapsus$ defeated it with MFA fatigue (also called push bombing): after obtaining a valid password, they triggered MFA push prompts to the employee’s phone over and over until the employee approved one just to make the prompts stop. The threat actors also impersonated the help desk over direct messages, encouraging staff to approve the prompts. According to the report, these prompts often arrived at inconvenient times, such as late at night, which likely increased the chance that a tired employee would tap “Approve.”
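Push bombing leaves a distinctive trail in the identity provider’s logs: a burst of denied or unanswered push challenges for one account in a short window, sometimes followed by a single approval. The script below is an added example written for this article, not code from the CSRB report or from Zimperium, showing how a SOC could flag that pattern. The log format (one JSON object per line with ts, user, result and ip fields), the field names, the sample events, the ten-minute window, the four-prompt threshold and the 00:00–06:00 UTC “quiet hours” are all assumptions chosen for illustration; adapt them to your IdP’s schema and your workforce’s working hours.

```python
"""Flag MFA push-bombing (MFA fatigue) patterns in authentication logs.

Added example for illustration; the log schema, thresholds and sample
data below are assumptions, not any vendor's real format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line. Field names are assumed.
# alice: six prompts in six minutes, approved at the end (classic push bombing)
# bob:   one denial then an approval (a normal second try, should not alert)
# carol: four unanswered prompts, never approved (bombing still in progress)
# dave:  prompts spread over 40 minutes (outside the window, should not alert)
SAMPLE_LOG = """
{"ts":"2022-03-21T02:31:05Z","user":"alice","result":"denied","ip":"198.51.100.7"}
{"ts":"2022-03-21T02:32:10Z","user":"alice","result":"timeout","ip":"198.51.100.7"}
{"ts":"2022-03-21T02:33:02Z","user":"alice","result":"denied","ip":"198.51.100.7"}
{"ts":"2022-03-21T02:34:15Z","user":"alice","result":"timeout","ip":"198.51.100.7"}
{"ts":"2022-03-21T02:35:30Z","user":"alice","result":"denied","ip":"198.51.100.7"}
{"ts":"2022-03-21T02:36:50Z","user":"alice","result":"approved","ip":"198.51.100.7"}
{"ts":"2022-03-21T14:02:00Z","user":"bob","result":"denied","ip":"203.0.113.9"}
{"ts":"2022-03-21T14:02:30Z","user":"bob","result":"approved","ip":"203.0.113.9"}
{"ts":"2022-03-21T09:10:00Z","user":"carol","result":"timeout","ip":"192.0.2.44"}
{"ts":"2022-03-21T09:12:00Z","user":"carol","result":"timeout","ip":"192.0.2.44"}
{"ts":"2022-03-21T09:15:00Z","user":"carol","result":"denied","ip":"192.0.2.44"}
{"ts":"2022-03-21T09:17:00Z","user":"carol","result":"timeout","ip":"192.0.2.44"}
{"ts":"2022-03-21T08:00:00Z","user":"dave","result":"denied","ip":"192.0.2.80"}
{"ts":"2022-03-21T08:12:00Z","user":"dave","result":"denied","ip":"192.0.2.80"}
{"ts":"2022-03-21T08:24:00Z","user":"dave","result":"timeout","ip":"192.0.2.80"}
{"ts":"2022-03-21T08:36:00Z","user":"dave","result":"denied","ip":"192.0.2.80"}
{"ts":"2022-03-21T08:40:00Z","user":"dave","result":"approved","ip":"192.0.2.80"}
"""

WINDOW = timedelta(minutes=10)   # assumption: how close together prompts must be
THRESHOLD = 4                    # assumption: non-approved prompts that count as bombing
QUIET_HOURS = range(0, 6)        # assumption: UTC hours treated as "inconvenient"


def parse_log(text):
    """Parse JSON-per-line records and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for accounts showing an MFA-fatigue pattern.

    Two alert kinds are produced per episode:
      bombing_in_progress     - the threshold of non-approved prompts is reached
      approved_after_bombing  - an approval follows such a burst (likely compromise)
    """
    alerts = []
    recent = defaultdict(list)   # user -> timestamps of non-approved prompts in window
    for rec in events:
        user, now = rec["user"], rec["ts"]
        # Drop prompts that have aged out of the sliding window.
        recent[user] = [t for t in recent[user] if now - t <= window]
        if rec["result"] == "approved":
            if len(recent[user]) >= threshold:
                alerts.append({
                    "user": user, "kind": "approved_after_bombing",
                    "count": len(recent[user]) + 1, "ts": now, "ip": rec["ip"],
                    "off_hours": now.hour in QUIET_HOURS,
                })
            recent[user] = []   # an approval closes the episode either way
        else:
            recent[user].append(now)
            if len(recent[user]) == threshold:   # fire once per episode
                alerts.append({
                    "user": user, "kind": "bombing_in_progress",
                    "count": threshold, "ts": now, "ip": rec["ip"],
                    "off_hours": now.hour in QUIET_HOURS,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(f"{a['ts']:%Y-%m-%d %H:%M} {a['user']:6} {a['kind']:23} "
              f"prompts={a['count']} ip={a['ip']} off_hours={a['off_hours']}")
```

On the constructed sample, alice produces both alert kinds (with off_hours set, since the burst happened at 02:30 UTC), carol produces only the in-progress alert, and bob and dave produce nothing, because bob’s single retry is below the threshold and dave’s prompts fall outside the ten-minute window. The in-progress alert is the one worth routing to a human quickly: if the help desk reaches the employee before they approve, the stolen password can be rotated without an account takeover.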
Mobile devices expand the attack surface and were central to these spear-phishing campaigns, especially in the Initial Access phase, where the adversary is trying to harvest credentials for later misuse. The CSRB says, “expensive endpoint security solutions were not an effective control to protect enterprise identities against social engineering.” The CSRB recommends that organizations strengthen identity and access management, mitigate telecommunications and reseller vulnerabilities, and build resiliency across multi-party systems.
Don’t Let the Human Element Be Your Weakest Link
Lapsus$ proved there is still much work to be done to improve cybersecurity strategy, and a common vector across these attacks was mobile devices and the employees using them. Threat actors will continue to exploit the mobile devices we rely on for productivity, personal communication, and entertainment to mount successful attacks against the world’s top companies and government agencies. Implementing a comprehensive mobile threat defense solution provides visibility where traditional endpoint tools do not. Mobile device management solutions alone will not stop these attackers: they automate configuration, enforce controls, and deliver app and firmware patches, but they do not detect phishing or a malicious network in real time.
Zimperium Mobile Threat Defense (MTD) is the only on-device, mobile-first security solution to detect threats in real time across devices, including phishing attempts, malicious and rogue networks, and risks from malicious or poorly developed applications. Zimperium’s privacy-by-design security enables companies and government agencies to protect an employee’s corporate-owned or personal device from threats like those used by Lapsus$ while preserving the employee’s privacy.
Powered by a Dynamic On-Device Detection Engine, Zimperium MTD scales with the ever-changing threat landscape and protects against zero-day threats. With Zimperium MTD, Incident Response teams finally have visibility into mobile threats and risks through integrations with leading UEM, SIEM, SOAR, and XDR systems. By collecting forensic data on the device, its network connections, and malicious applications, security operations can review that data to minimize risk, conduct vulnerability and risk management, and build cyber resilience for the organization.
To learn more about how Zimperium MTD can help safeguard your organization against the attacks highlighted in this report, be sure to contact us and request a demo.