Cyber Safety Review Board on Lapsus$
Mark Lanterman | December 21, 2022
In light of an ever-changing technological landscape and emerging global threats, the importance of evaluating our nation's cyber-security approach cannot be underestimated. Attacks against critical infrastructure alone can be catastrophic, and current political trends among nation-states make the potential a particular concern.
In 2021, President Joe Biden's Executive Order on Improving the Nation's Cybersecurity outlined a strategy for improving our country's collective security posture. Among many steps specified in the order, one item has already materialized and proved useful—the Cyber Safety Review Board (CSRB).
This board is tasked with reviewing high-profile cyber events and is composed of both public and private sector members. In July 2022, the board released its first report, Review of the December 2021 Log4j Event. The incident's pervasive nature, along with its far-reaching impact, made it an ideal first topic for the board to review. In addition to providing a logistical overview of the vulnerability itself, suggestions for improvement and ongoing mitigation were also provided.
Lapsus$ Attacks
On December 2, 2022, the board announced the subject of its second report—Lapsus$. Many are probably familiar with the name Lapsus$ after reading about its attacks on several large organizations this past year, including Uber.
Uber attributed an attack to Lapsus$ following a series of events in which accounts and tools were wrongfully accessed (including Slack) and an inappropriate image was displayed to employees on internal sites after reconfigurations were made to Uber's OpenDNS. Uber explained the origin of the attack in its statement, detailing that an Uber EXT contractor was compromised after their corporate password had likely been sold on the dark web: "The attacker then repeatedly tried to log in to the contractor's Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access." 1
In spite of this layer of protection, the contractor eventually accepted one of the requests, effectively granting the attacker access. This is known as a multi-factor authentication (MFA) fatigue attack, in which a threat actor will send a series of MFA requests to a victim in the hopes that the victim will ultimately accept one of them.
Lapsus$ is a global hacking group that is unique in its size, motivations, and members. While the group has been known to extort organizations' data, this group does not appear to always have financial gain as its top priority—appearing to also pursue a range of targets for "fun" and fame.
The attack on Uber is equally notable for what wasn't attacked—namely, customer data such as credit card numbers. The attack could have been worse, but two main goals here seemed to be notoriety and the thrill of demonstrating the vulnerabilities of a large organization. Furthermore, Lapsus$ has repeatedly shown the power of social engineering tactics, especially when paired with persistence.
CSRB Report on Lapsus$
In December 2022, the US Department of Homeland Security announced that the CSRB would conduct a review of Lapsus$ as the topic of its second report. "Lapsus$ has reportedly employed techniques to bypass a range of commonly used security controls and has successfully infiltrated a number of companies across industries and geographic areas. The CSRB will develop actionable recommendations for how organizations can protect themselves, their customers, and their employees in the face of these types of attacks." 2
To some, Lapsus$ might seem to be nothing more than a group of young people that are eager to show off their hacking skills on the global stage. However, the attacks that have been conducted thus far have already revealed the possible scope of what this group could accomplish. From the vulnerabilities that have been unearthed (consider the role of the third-party vendor in Uber's case) to the fact that Lapsus$ has an apparent skill for bypassing traditional security measures, it is certainly appropriate that the CSRB would take the risks posed by this group seriously.
By following this and other CSRB reports, organizations will be able to learn how to best counteract the tactics employed by Lapsus$ and bolster their security response to similar groups that may emerge moving forward.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
Footnotes
