A string of high-profile cyberattacks carried out by teenage hackers in 2021 and 2022 highlights systemic weaknesses in the telecommunications industry and in the security practices used by a wide range of companies, a Department of Homeland Security review found.
In a 59-page report released Thursday, the department's Cyber Safety Review Board called on the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to strengthen their oversight and enforcement actions focused on SIM swapping, and to require telecommunications providers to report these attacks to the regulators.
The board also recommended that organizations transition away from widely used SMS and voice-based multifactor authentication, and instead "adopt easy-to-use, secure-by-default passwordless solutions."
The report, commissioned by Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, focuses on a group of young hackers known as Lapsus$ that carried out a series of attacks on major technology companies, including Uber, Okta, Samsung and others. The attacks drew attention not only because of the victims involved, but because of their audacity: the hackers would sometimes gain access to a company's systems and sensitive data, and then post screenshots and emojis in companywide internal chat messages.
"Lapsus$ was unique for its effectiveness, speed, creativity, and boldness," Robert Silvers and Heather Adkins, the board's chair and deputy chair respectively, said.
In 2022, the group gained even more notoriety when authorities said it was largely composed of teenagers. That March, British police arrested seven people between the ages of 16 and 21 allegedly associated with the group, and another individual was arrested in Brazil in October.
The DHS review said the attacks showed how SMS-based multifactor authentication, a practice widely used by organizations to add an extra layer of security when employees and customers log into accounts, can be undermined by cybercriminals because of lax security practices at telecom companies. Lapsus$ was able to obtain basic information about its victims, such as their name and phone number, and used it to perform fraudulent SIM swaps and intercept the text messages that allowed them to sign into accounts or perform account recoveries.
"If richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors?" the board said, adding that organizations that used application or token-based MFA methods were "particularly resilient" to the attacks.
As part of its recommendations, the review board called on the federal government to develop a roadmap consisting of "standards, frameworks, guidance, tools, and technology" that would help organizations implement passwordless authentication instead of SMS-based multifactor authentication.
President Joe Biden established the Cyber Safety Review Board in May 2021 to study major hacking incidents and help inform new cybersecurity policy. Although it does not have regulatory authority, it is staffed by senior government officials and technology executives, and can make recommendations that shape how federal agencies, Congress and private companies handle cybersecurity issues.
DHS officials have recently pushed for legislation that would grant the board more power and funding.
The Lapsus$ review is the board's second report; its first was released in July 2022 and warned that the vulnerability in the Log4j Java library would take years to remediate.
"Our ability to protect Americans from cyber vulnerabilities has never been stronger thanks to the community we are building through the Cyber Safety Review Board," DHS Secretary Alejandro Mayorkas said in a statement Thursday.
"As our threat environment evolves, so too must our detection and prevention capabilities. We must also evolve our ability to deploy those capabilities. The CSRB's findings are not only timely, they are actionable and written with the guidance of real-world practitioners in the private sector."