UPDATED 20:21 EDT / AUGUST 10 2023

SECURITY

Need for stronger mobile carrier protections stressed in new Cyber Safety Review Board report

A new report released today from the U.S. Department of Homeland Security’s Cyber Safety Review Board that looked into the Lapsus$ hacking gang recommends that mobile phone carriers implement more stringent authentication methods to safeguard their customers against SIM swapping.

The report digs into previous Lapsus$ attacks and how the gang leveraged simple techniques to evade industry-standard security tools. Lapsus$ first emerged in the hacking scene in 2021, and its members hacked high-profile targets, such as Okta Inc. and Microsoft Corp.

Lapsus$ capitalized on basic methods to evade well-established security measures. Rather than relying on advanced hacking techniques, the group exploited existing system vulnerabilities, particularly within multifactor authentication systems. The board’s report details that the most common entry point for the group involved basic tactics such as phishing and, notably, SIM swapping.

Given the gang’s love of SIM swapping, the CSRB report digs into the inherent risks associated with relying heavily on text messaging and voice calls as primary multifactor authentication methods. The over-reliance on text messaging and voice calls for MFA is argued to have opened the gates for hacking groups such as Lapsus$ to leverage SIM swapping as a backdoor into secured corporate systems. The CSRB is calling for a move toward more secure, passwordless solutions to counter such vulnerabilities.

The report emphasizes an urgent need for telecommunications providers to improve customer protection mechanisms, especially against SIM swapping threats. The report also called for regulatory bodies such as the Federal Communications Commission and the Federal Trade Commission to mandate and standardize practices to counteract the attacks.

“Lapsus$ and related threat actors are using basic techniques to gain an entry point into companies,” Rosa Smothers, former Central Intelligence Agency cyberthreat analyst and currently an executive at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Their primary attack vectors — SIM swap attacks and phishing employees — can be easily addressed, especially for companies like Microsoft and Okta that are so well-resourced.”

Smothers notes that though the CSRB has no regulatory authority, the findings can assist federal agencies in driving change. “The recent SEC policy requiring disclosure of ‘material’ breach incidents within four days and the Department of Defense’s Cybersecurity Maturity Model Certification framework are great examples of how the federal government’s security requirements can drive positive change in the private sector,” Smothers added.
