The US Cybersecurity and Infrastructure Security Agency (CISA) is calling for stricter SIM swapping protections and a transition to a passwordless future following last year’s Lapsus$ attacks. In a lengthy report released on Thursday, the agency details the teen hacking group’s key techniques and provides recommendations to prevent similar attacks going forward.
Lapsus$ made headlines last year after it took credit for cyberattacks affecting major tech companies like Nvidia, Samsung, Ubisoft, T-Mobile, Uber, and Microsoft. The group also managed to steal and leak 90 videos containing gameplay footage from Rockstar’s upcoming Grand Theft Auto VI game. Seven teenagers connected to the group were arrested in London last year.
CISA asks that the Federal Trade Commission and Federal Communications Commission do more to protect consumers against SIM swapping attacks. Last month, the FCC proposed a new set of rules that would require wireless providers to “adopt secure methods of authenticating a customer” when performing SIM swaps.
“Lapsus$ was unique for its effectiveness, speed, creativity, and boldness; it operated in a way that gifted the Board a propitious lens through which we could see systemic issues in the digital ecosystem,” CISA writes. “Lapsus$ exploited, to great and wide effect, a playbook of effective techniques, which other threat actors can also use.”
Despite the scale of the Lapsus$ attacks, CISA says the group makes it clear “just how easy it was for its members (juveniles, in some instances) to infiltrate well-defended organizations.” One of the methods used by Lapsus$ is SIM swapping, or the act of gaining control of a target’s phone number through social engineering and other methods. This allows the bad actor to receive calls or texts sent to that number, including messages containing two-factor authentication codes associated with a victim’s sensitive accounts.
Because of this, CISA now recommends that companies move away from voice and SMS-based multifactor authentication in favor of passwordless solutions. It suggests that organizations use passkeys compliant with the FIDO2 standard instead, which allow users to sign in to their accounts using their fingerprint or a hardware-based security key. Many companies and password managers are already starting to support passwordless sign-in methods, including Google, 1Password, Microsoft, and Dashlane.
Additionally, CISA specifically calls on carriers to “implement more stringent authentication methods for SIM swapping.” That includes giving customers the ability to lock their accounts to prevent SIM swaps and requiring “strong identity verification” for SIM swaps, as well as giving account holders a “detailed record” of when a SIM swap occurs.
Given that the majority of known Lapsus$ hackers are teenagers, CISA also suggests having Congress fund “juvenile cybercrime prevention programs” as well as “fostering interruption and redirection programs” to prevent young people from getting involved in cybercrime in the future.