The Cyber Safety Review Board (CSRB) has released a comprehensive analysis highlighting the dangers posed by the Lapsus$ threat group, urging businesses and government agencies to bolster their identity and access management systems. This report comes in the wake of a series of cyberattacks orchestrated by Lapsus$ between 2021 and 2022.
Lapsus$, described as a loosely organized group, has gained notoriety for its extortion-focused cyberattacks. The group’s modus operandi often involves exploiting vulnerabilities in identity and access management systems, stealing source codes, demanding ransoms, and infiltrating corporate networks. Notably, some of its members are believed to be teenagers, which poses challenges for law enforcement due to lighter penalties for juvenile threat actors, under certain jurisdictions.
A significant concern raised by the CSRB is the inadequacy of the current multi-factor authentication (MFA) systems.
“The Board found that the multi-factor authentication (MFA) implementations used broadly in the digital ecosystem today are not sufficient for most organizations or consumers,” the report read. “In particular, the Board saw a collective failure to sufficiently account for and mitigate the risks associated with using Short Message Service (SMS) and voice calls for MFA.”
The CSRB’s recommendations are multifaceted. They advocate for a shift from voice and SMS-based MFA to Fast IDentity Online (FIDO)2-compliant, hardware-backed solutions. The board also urged telecommunication providers to enhance their defenses against SIM swapping and called for increased oversight from the Federal Communications Commission (FCC) and Federal Trade Commission (FTC).
Furthermore, the CSRB emphasized the importance of strengthening identity and access management, addressing vulnerabilities in telecommunications, and building resilience in multi-party systems. They also highlighted the need for lawmakers to “advance ‘whole-of-society’ programs and mechanisms for juvenile cybercrime prevention and intervention.”
As cyber threats continue to evolve, the CSRB’s insights and recommendations serve as a crucial guide for organizations aiming to fortify their defenses in this digital age.
“Our ability to protect Americans from cyber vulnerabilities has never been stronger thanks to the community we are building through the Cyber Safety Review Board,” said Secretary of Homeland Security Alejandro N. Mayorkas. “As our threat environment evolves, so too must our detection and prevention capabilities. We must also evolve our ability to deploy those capabilities. The CSRB’s findings are not only timely, they are actionable and written with the guidance of real-world practitioners in the private sector.”