LastPass Labs

Lapsus$ and Password Safety

Mike Kosak, October 19, 2023
In late July, the US Cyber Safety Review Board (CSRB) released its report on the series of high-profile breaches conducted in 2021-2022 by the threat actor group known as Lapsus$ and similar threat actors. The report, Review of the Attacks Associated with Lapsus$ and Related Threat Groups, offers an in-depth review of the tactics, techniques, and procedures behind some of the most notable breaches. Perhaps the most concerning aspect of these attacks was the threat actors’ success in targeting legitimate user accounts to gain and maintain access to the victims’ networks. The threat actors used a variety of techniques, some technical and some quite basic, to collect the credentials of these legitimate accounts, and they were also proficient at social engineering and at initial reconnaissance against their targets. While the report does an excellent job detailing the group’s tactics across the kill chain, there are three aspects we’d like to focus on in this post as they relate to your password safety: social engineering, the role of infostealers and access brokers in these breaches, and the report’s recommendation that “everyone must progress toward a passwordless world.”

Social Engineering

Effective use of social engineering is one of the hallmarks of the Lapsus$ attacks. The report calls out several approaches used by the threat actors, including contacting the victim organization’s help desk to gather information or have accounts reset, and contacting employees directly. These direct contacts included vishing, smishing, and spearphishing aimed at harvesting credentials for legitimate accounts or other sensitive information, as well as MFA fatigue attacks, in which the threat actor, already holding a victim’s stolen password, triggered a stream of MFA push prompts, often during off hours or at other inconvenient times. The threat actors also contacted employees while impersonating the help desk and urged them to accept the MFA prompt to make the prompts stop. We discuss the steps you can take to protect your passwords against these attempts in further detail below, but the consistent themes of phishing and of directly soliciting data or behavior underscore the importance of a robust cybersecurity education program.
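As an added example (not code from the original post or from LastPass), the following Go program shows what a detection for the push-bombing pattern described above looks like when run over a constructed set of MFA push events. The event layout, the user names, the threshold of five unapproved prompts in ten minutes and the 07:00-19:00 working-hours window are all assumptions for illustration; a real identity provider's logs need their own parser and their own tuning.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// PushEvent is one MFA push prompt as an identity provider would log it.
type PushEvent struct {
	At     time.Time
	User   string
	Result string // "approved", "denied" or "timeout"
}

// Alert is one suspected MFA fatigue (push bombing) burst against a user.
type Alert struct {
	User       string
	Start, End time.Time
	Unapproved int  // denied or timed-out prompts in the burst
	Accepted   bool // an approval landed while the burst was still open
	OffHours   bool // burst began outside 07:00-19:00 in the log's timezone
}

func at(h, m, s int) time.Time { return time.Date(2022, 9, 15, h, m, s, 0, time.UTC) }

// Constructed sample prompts (not real IdP data): a 02:14 burst against jdoe that
// ends in an approval, plus ordinary daytime activity for asmith.
var sampleEvents = []PushEvent{
	{at(2, 14, 7), "jdoe", "denied"},
	{at(2, 14, 41), "jdoe", "timeout"},
	{at(2, 15, 20), "jdoe", "denied"},
	{at(2, 16, 2), "jdoe", "denied"},
	{at(2, 16, 55), "jdoe", "denied"},
	{at(2, 18, 30), "jdoe", "approved"},
	{at(9, 5, 0), "asmith", "approved"},
	{at(9, 6, 10), "asmith", "denied"},
	{at(14, 30, 0), "asmith", "approved"},
}

// DetectPushBombing raises an alert once a user has at least threshold unapproved
// prompts within window. The alert stays open until the burst goes quiet for a full
// window or the user approves a prompt (the "accept it to make it stop" outcome).
func DetectPushBombing(events []PushEvent, threshold int, window time.Duration) []Alert {
	byUser := map[string][]PushEvent{}
	var users []string // first-seen order keeps the output deterministic
	for _, e := range events {
		if byUser[e.User] == nil {
			users = append(users, e.User)
		}
		byUser[e.User] = append(byUser[e.User], e)
	}
	var alerts []Alert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		var burst []PushEvent // unapproved prompts still inside the sliding window
		var open *Alert
		for _, e := range evs {
			if open != nil && e.At.Sub(open.End) > window { // burst went quiet: close it
				alerts, open, burst = append(alerts, *open), nil, nil
			}
			for len(burst) > 0 && e.At.Sub(burst[0].At) > window {
				burst = burst[1:]
			}
			if e.Result == "approved" {
				if open != nil {
					open.Accepted, open.End = true, e.At
					alerts, open = append(alerts, *open), nil
				}
				burst = nil
				continue
			}
			burst = append(burst, e)
			if open != nil {
				open.Unapproved, open.End = open.Unapproved+1, e.At
			} else if len(burst) >= threshold {
				open = &Alert{User: u, Start: burst[0].At, End: e.At, Unapproved: len(burst),
					OffHours: burst[0].At.Hour() < 7 || burst[0].At.Hour() >= 19}
			}
		}
		if open != nil {
			alerts = append(alerts, *open)
		}
	}
	return alerts
}

func main() {
	for _, a := range DetectPushBombing(sampleEvents, 5, 10*time.Minute) {
		fmt.Printf("%+v\n", a)
	}
}
```

A burst that ends in an approval is the highest-severity case: it is exactly the "accept it to make it stop" outcome, so the session should be revoked and the user contacted through a channel the attacker does not control. The off-hours flag is secondary signal only; the burst itself is the finding.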

Infostealers

The report calls out the use of information-stealing malware, or infostealers, in the spate of attacks attributed to Lapsus$ and similar groups. These threat actors were noted either to deploy infostealers themselves once they had established initial contact with an employee, or to use credentials that had been stolen by infostealers or other means and then sold by Initial Access Brokers (IABs). (IABs sell access to compromised networks to other elements of the cybercriminal ecosystem, who may then take a number of actions against the targeted organization, including data theft, encryption, or destruction.) The US CSRB report underscores the damage infostealers can cause in capable hands: a group like Lapsus$ (or a similar threat actor) can use infostealers, or the data stolen by them, in conjunction with social engineering to gain invasive and pervasive access to otherwise well-protected networks. Given their focus on stealing passwords and sensitive personal information, infostealers are a critical threat for many cybersecurity teams, and we have discussed them in a previous post. And as a recent study from Uptycs notes, infostealers are only becoming more prominent and dangerous: according to their research, incidents involving infostealers more than doubled in the first quarter of 2023 compared to 2022. This increase reflects not only growth in the sheer volume of infostealer activity but also the continuing evolution of the infostealers themselves as they get stealthier and add new functionality.

Cyber Safety Review Board Recommendations

The severity of the breaches studied in the US CSRB report highlights the threat posed by actors proficient in social engineering and in the use of infostealers. These are two threats many companies face every day as well: our own research indicates that 49% of IT decision makers report phishing, social engineering, and compromised credentials as the biggest risk to their business. Because of that, this recommendation made by the US CSRB to address these threats is important: “Organizations Should Prioritize Efforts to Reduce the Efficacy of Social Engineering.” The recommendation goes on to state that “organizations should adopt easy-to-use, secure-by-default, passwordless solutions such as Fast IDentity Online (FIDO)2-compliant, phishing-resistant MFA methods.” We echo this recommendation and encourage our customers to use a FIDO2-compatible authenticator that allows passwordless login to their vault, like LastPass Authenticator. Doing so can reduce the risk from social engineering and infostealers by taking the password out of the equation: a FIDO2 credential is bound to the site it was registered with, so a look-alike login page cannot obtain a usable response from it, and there is no password for an infostealer to harvest or for an attacker to use to trigger MFA prompts. One caveat follows directly from the report: the help-desk reset and account-recovery paths that Lapsus$ abused remain in scope, so they need the same scrutiny as the login itself. Combined with cybersecurity education and an awareness of social engineering tactics, this helps protect customers against the sort of attacks studied in the CSRB report.
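To make concrete why FIDO2 takes the phishing paths above off the table, here is an added example in Go that is neither LastPass's nor the CSRB's code, and a simplified model of the WebAuthn assertion flow rather than an implementation of it. The relying party ID `example.com`, the origin `https://vault.example.com` and the look-alike phishing origin are hypothetical. It omits CBOR encoding, attestation, user-verification flags and the signature-counter check, but keeps the three checks that defeat an adversary-in-the-middle proxy: the browser lets a page use only an rpId that matches its own origin, the signed client data carries the real origin, and the signature covers the server's fresh challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical relying party; illustrative values, not any real service.
const rpID, rpOrigin = "example.com", "https://vault.example.com"

// clientData is a cut-down CollectedClientData; the browser, not the page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the navigator.credentials.get() result; Signature is ECDSA P-256 over
// AuthData || SHA-256(ClientDataJSON).
type Assertion struct {
	AuthData                  []byte // SHA-256(rpId) || flags || counter
	ClientDataJSON, Signature []byte
}

// rpIDAllowed is the browser's rule: a page may only request an rpId that equals its
// own host or is a registrable suffix of it, and only from an https origin.
func rpIDAllowed(origin, id string) bool {
	u, err := url.Parse(origin)
	return err == nil && u.Scheme == "https" &&
		(u.Hostname() == id || strings.HasSuffix(u.Hostname(), "."+id))
}

// signedDigest is the message WebAuthn signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// getAssertion plays browser plus security key: origin comes from the browser, the
// requested rpId and the challenge from the (possibly hostile) page's JavaScript.
func getAssertion(key *ecdsa.PrivateKey, origin, requested string, challenge []byte) (*Assertion, error) {
	if !rpIDAllowed(origin, requested) {
		return nil, fmt.Errorf("browser refused rpId %q for origin %q", requested, origin)
	}
	cd, _ := json.Marshal(clientData{base64.RawURLEncoding.EncodeToString(challenge), origin}) // two strings: cannot fail
	rpHash := sha256.Sum256([]byte(requested))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // 0x01 = user-present flag, then a zero counter
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, cd, sig}, nil
}

// verify is the relying party's check; each branch mirrors a real WebAuthn step.
func verify(pub *ecdsa.PublicKey, challenge []byte, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil ||
		cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("malformed client data or challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rpOrigin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential is scoped to a different rpId")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Login simulates one login from pageOrigin in which the page asks for the real rpId,
// exactly what an adversary-in-the-middle phishing proxy relaying a real challenge does.
func Login(pageOrigin string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the user's registered credential
	if err != nil {
		return err
	}
	challenge := make([]byte, 32) // fresh per login, issued by the real server
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	as, err := getAssertion(key, pageOrigin, rpID, challenge)
	if err != nil {
		return err // nothing was signed, so the proxy has nothing to relay
	}
	return verify(&key.PublicKey, challenge, as)
}

func main() {
	fmt.Println("real site:    ", Login(rpOrigin))
	fmt.Println("phishing site:", Login("https://vault-example.com.login-help.example"))
}
```

Run it and the first login verifies while the second fails inside the browser step, before anything is signed; had the phishing page asked for its own rpId instead, the user would have no credential registered for it. Contrast this with a TOTP code or a push approval, which a proxy site can relay verbatim: there the stolen password gets the attacker as far as the second factor, whereas here there is no password to steal and nothing the user can be talked into approving from the wrong site.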