CISA Report Breaks Down Sophisticated Techniques of LAPSUS$ and Other Related Threat Actors.
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Safety Review Board published their second review, including intrusions associated with LAPSUS$ and related threat actors.
Threat actors keep refining the methods they use to breach victim networks. The Cyber Safety Review Board (CSRB), administered by CISA, has published its second review, which examines intrusions associated with LAPSUS$ and related threat groups. In the 59-page report, the board lays out the tactics, techniques, and procedures (TTPs) of these actors and gives organizations concrete recommendations for strengthening their defenses. Below is an overview of the findings and recommendations.
Understanding the Landscape
The report meticulously dissects the activities of various groups including Lapsus$, Yanluowang, Roasted Oktapus, Karakurt, Nwgen Team, and #NotLapsus. These groups are not merely random hackers, but highly organized entities driven primarily by financial motives. Their activities encompass selling stolen data on underground criminal markets, leveraging extortion and ransomware, cryptocurrency theft, and even cryptocurrency mining.
One of the key takeaways is the deliberate use of social engineering by these threat actors. By first learning how a target's business operates, they pick the weakest point in its people and processes rather than its software. The techniques include spearphishing, vishing (voice phishing), smishing (SMS phishing), and MFA fatigue, in which an attacker who already holds a valid password triggers push-notification prompts over and over until the employee approves one just to make them stop.
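MFA fatigue leaves a recognizable trace in identity-provider logs: a burst of push prompts for one account, mostly denied or timed out, followed by an approval. The following detection is an added example written for this page, not code from the CSRB report. The log schema is hypothetical and the log lines are constructed; real sources (Okta System Log, Entra sign-in logs, Duo authentication logs) carry the same information under different field names and would be mapped into this shape first.

```python
"""Detect MFA push fatigue (push bombing) in IdP authentication logs.

Added example, not from the CSRB report. The log schema is hypothetical:
one JSON object per line with ts (ISO 8601, UTC), user, event
(push_sent | push_denied | push_timeout | push_approved) and src_ip.
"""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: jdoe is bombed with six prompts in five minutes and
# finally approves; asmith is a normal login; bkim ignores prompts that are
# spread over hours, so no burst forms.
SAMPLE_LOG = """
{"ts": "2023-08-10T02:14:01Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:14:20Z", "user": "jdoe", "event": "push_denied", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:15:05Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:16:05Z", "user": "jdoe", "event": "push_timeout", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:16:10Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:16:30Z", "user": "jdoe", "event": "push_denied", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:17:02Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:18:02Z", "user": "jdoe", "event": "push_timeout", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:18:10Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:18:40Z", "user": "jdoe", "event": "push_denied", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:19:15Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T02:19:50Z", "user": "jdoe", "event": "push_approved", "src_ip": "203.0.113.7"}
{"ts": "2023-08-10T08:00:00Z", "user": "bkim", "event": "push_sent", "src_ip": "198.51.100.4"}
{"ts": "2023-08-10T08:01:00Z", "user": "bkim", "event": "push_timeout", "src_ip": "198.51.100.4"}
{"ts": "2023-08-10T08:45:00Z", "user": "bkim", "event": "push_sent", "src_ip": "198.51.100.4"}
{"ts": "2023-08-10T08:46:00Z", "user": "bkim", "event": "push_timeout", "src_ip": "198.51.100.4"}
{"ts": "2023-08-10T09:00:00Z", "user": "asmith", "event": "push_sent", "src_ip": "192.0.2.33"}
{"ts": "2023-08-10T09:00:12Z", "user": "asmith", "event": "push_approved", "src_ip": "192.0.2.33"}
{"ts": "2023-08-10T09:30:00Z", "user": "bkim", "event": "push_sent", "src_ip": "198.51.100.4"}
{"ts": "2023-08-10T09:31:00Z", "user": "bkim", "event": "push_timeout", "src_ip": "198.51.100.4"}
{"ts": "2023-08-10T10:15:00Z", "user": "bkim", "event": "push_sent", "src_ip": "198.51.100.4"}
{"ts": "2023-08-10T10:16:00Z", "user": "bkim", "event": "push_timeout", "src_ip": "198.51.100.4"}
"""

WINDOW = timedelta(minutes=10)   # sliding window per user (tunable)
THRESHOLD = 5                    # prompts inside the window that count as a burst


@dataclass
class Alert:
    user: str
    severity: str     # "medium": burst in progress; "high": approval after a burst
    prompts: int      # prompts seen inside the window when the alert fired
    at: datetime
    src_ip: str


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    events.sort(key=lambda r: r["ts"])   # exports are not always ordered
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD) -> list:
    """Per-user sliding window over push_sent events; one medium alert when a
    burst starts and one high alert if the user approves while bursting."""
    alerts = []
    recent = defaultdict(deque)   # user -> push_sent timestamps inside the window
    flagged = set()               # users already alerted for the current burst
    for rec in events:
        user, ts, ev = rec["user"], rec["ts"], rec["event"]
        q = recent[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if ev == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append(Alert(user, "medium", len(q), ts, rec["src_ip"]))
        elif ev == "push_approved":
            if len(q) >= threshold:   # the outcome the bombing is aiming for
                alerts.append(Alert(user, "high", len(q), ts, rec["src_ip"]))
            q.clear()                 # an approval closes the episode
            flagged.discard(user)
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{a.at.isoformat()} {a.severity:6s} {a.user}: {a.prompts} prompts from {a.src_ip}")
```

The medium alert is the one to act on: a burst of unanswered prompts for one account from one source usually means the password is already in the attacker's hands and should be rotated before the user gives in. The window and threshold are assumptions to be tuned against the organization's own baseline.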
The Ingenious Tactics
The report describes how these groups gain their initial foothold. Some of it is routine: they probe networks with standard penetration-testing methods such as port scanning to find exposed, vulnerable external services. They also buy ready-made access: the evidence shows them seeking out and purchasing login credentials on underground criminal forums, dark web marketplaces, and public platforms such as Telegram.
Some of the groups run their operations from dedicated cloud infrastructure rented from reputable virtual service providers (VSPs), so their traffic blends in with legitimate traffic from the same providers. They also recycle infrastructure across multiple targets, reusing IP addresses and server-side components. That reuse cuts both ways: it is convenient for the attacker, but it means an indicator observed at one victim is often still live at the next, which is a strong argument for sharing indicators quickly between organizations.
The Power of Social Engineering
Social engineering is the most prominent weapon in these actors' arsenal. The report details instances in which employees were recruited with cash offers to act on the group's behalf. The attackers also took advantage of documented internal procedures, such as help-desk password and MFA reset workflows, and of the target's internal collaboration platforms, showing how well they understood and manipulated human behavior and process.
Strategies for Prevention
The report concludes with a series of recommendations aimed at fortifying organizations against cyber threats:
- Transition away from SMS and voice MFA methods for access.
SMS and voice codes can be intercepted through SIM swapping or simply relayed by a phishing page, so organizations should move to phishing-resistant multi-factor authentication such as FIDO2-backed hardware tokens or passkeys.
- Continuous Employee Education
Regular training sessions are essential to keep employees current on the evolving threat landscape, and the material should be presented in plain, easily understood terms. Make sure they know that attempts arrive by email, text message, and phone call or voicemail, not just by email.
- Incident Response Planning
Developing and regularly testing a cyber incident response plan tailored to extortion, ransomware, and harassment events is crucial. Periodically walk through the plan with stakeholders in tabletop exercises.
- Collaboration and Threat Intelligence Sharing
Organizations should actively share threat intelligence, including TTPs and indicators of compromise, with peers, industry organizations, and law enforcement to strengthen collective defenses.
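The first recommendation above, moving from SMS and voice codes to FIDO2, rests on a property that is easy to state but worth seeing in code: a one-time code can be relayed by a phishing page, while a FIDO2 assertion is bound to the site it was created for. The program below is an added example written for this page, not code from the CSRB report or from any FIDO2 library. The authenticator, browser, and relying party are simplified stand-ins, and the asymmetric signature is replaced by an HMAC over a per-credential secret purely so the file runs on the Python standard library; the rpId/origin binding and the server-side checks are what the example demonstrates. Domain names and scenario labels are assumptions.

```python
"""Why FIDO2/WebAuthn resists phishing relays that defeat SMS and voice codes.

Added example, not from the CSRB report. Simplified stand-ins: the signature
is an HMAC over a per-credential secret (real FIDO2 uses a public-key
signature) so this runs on the standard library alone. The binding shown is
real: the browser only lets a page use an rpId matching its own origin, the
authenticator only answers for the rpId the credential was scoped to, and the
signed assertion covers the origin, the server challenge and the rpId hash.
"""
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Simulated security key / platform passkey."""

    def __init__(self):
        self._creds = {}  # credential_id -> {"rp_id", "key", "counter"}

    def make_credential(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = {"rp_id": rp_id, "key": key, "counter": 0}
        return cred_id, key  # real FIDO2 exports only the public key

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data: bytes):
        cred = self._creds[cred_id]
        if cred["rp_id"] != rp_id:  # a credential is scoped to exactly one rpId
            raise LookupError(f"no credential scoped to rpId {rp_id!r}")
        cred["counter"] += 1
        auth_data = sha256(rp_id.encode()) + cred["counter"].to_bytes(4, "big")
        sig = hmac.new(cred["key"], auth_data + sha256(client_data), hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authn, origin: str, rp_id: str, cred_id: bytes, challenge: str):
    """Browser side of navigator.credentials.get(): enforces the rpId/origin
    rule and builds clientDataJSON, which the page cannot tamper with."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"origin {origin!r} may not use rpId {rp_id!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    auth_data, sig = authn.get_assertion(rp_id, cred_id, client_data)
    return client_data, auth_data, sig


class RelyingParty:
    """Server side; verify() mirrors the WebAuthn assertion checks in order."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.creds = {}       # cred_id -> {"key", "counter"}
        self.pending = set()  # outstanding challenges, each usable once

    def register(self, cred_id: bytes, key: bytes):
        self.creds[cred_id] = {"key": key, "counter": 0}

    def new_challenge(self) -> str:
        ch = secrets.token_urlsafe(32)
        self.pending.add(ch)
        return ch

    def verify(self, cred_id, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.pending:
            return False, "unknown or already used challenge"
        if cd.get("origin") != self.origin:
            return False, f"origin mismatch: {cd.get('origin')}"
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        rec = self.creds.get(cred_id)
        if rec is None:
            return False, "unknown credential"
        counter = int.from_bytes(auth_data[32:36], "big")
        if counter <= rec["counter"]:
            return False, "signature counter did not advance (clone or replay?)"
        expected = hmac.new(rec["key"], auth_data + sha256(client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.pending.discard(cd["challenge"])
        rec["counter"] = counter
        return True, "ok"


def run_scenarios():
    """Legitimate login, a replay, and two relay attempts from a look-alike domain."""
    authn = Authenticator()
    bank = RelyingParty(rp_id="bank.example", origin="https://bank.example")
    cred_id, key = authn.make_credential(bank.rp_id)
    bank.register(cred_id, key)
    results = {}
    ch = bank.new_challenge()
    assertion = browser_get(authn, "https://bank.example", "bank.example", cred_id, ch)
    results["legit"] = bank.verify(cred_id, *assertion)
    results["replay"] = bank.verify(cred_id, *assertion)
    # Adversary-in-the-middle: the attacker fetches a real challenge from the
    # bank and relays it to the victim, whose browser sits on the look-alike origin.
    ch = bank.new_challenge()
    for label, rp_id in (("phish_claims_bank_rpid", "bank.example"),
                         ("phish_own_rpid", "bank-login.example")):
        try:
            assertion = browser_get(authn, "https://bank-login.example", rp_id, cred_id, ch)
            results[label] = bank.verify(cred_id, *assertion)
        except (PermissionError, LookupError) as e:
            results[label] = (False, str(e))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT':6s} {why}")
```

With an SMS or voice code, the same relay succeeds: the victim types the code into the look-alike page and the attacker forwards it to the bank before it expires. Here the relay never gets an assertion at all, because the look-alike page cannot claim the bank's rpId and the authenticator holds no credential for the attacker's own domain.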
The Cyber Safety Review Board’s report shows how far these groups get with a blend of low-tech persuasion and purchased access rather than novel exploits. By documenting the tactics they use and pairing them with practical recommendations, it gives organizations a clear basis for hardening themselves. The core of a robust defense is phishing-resistant authentication, an informed and alert workforce, and a tested plan for the day an intrusion succeeds.