Lapsus$ Hackers Took SIM-swapping Attacks to the Next Level

Cyber Security Threat Summary:
“The U.S. government released a report after analyzing simple techniques, e.g. SIM swapping, used by the Lapsus$ extortion group to breach dozens of organizations with a strong security posture. Reviewing the group’s operations started in December last year following a long trail of incidents attributed to or claimed by Lapsus$ after leaking proprietary data from alleged victims” (Bleeping Computer, 2023).

While Lapsus$ is believed to be a loosely-organized group of teenagers from the U.K. and Brazil, they have successfully targeted several high-profile companies. The group gained notoriety between 2021 and 2022, when they used less sophisticated but effective attacks for financial gain.

This week, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) analyzed the group’s tactics, techniques, and procedures in a report for industry.

“Lapsus$ employed low-cost techniques, well-known and available to other threat actors, revealing weak points in our cyber infrastructure that could be vulnerable to future attacks,” says the CSRB. The group relied heavily on SIM swapping to gain access to companies’ internal networks, then used that access to steal confidential information such as source code, proprietary technology, or other business and customer-related documents.

By gaining access to the victim’s phone number via the swapped SIM card, the threat actors can receive SMS-based MFA codes and log in to various enterprise services. The threat actors used social engineering to trick mobile carriers into providing a new SIM card. Lapsus$ was able to perform the SIM swaps directly from a telecommunication provider’s customer management system, after hijacking accounts belonging to employees and contractors.

“To obtain confidential information about their victim (name, phone number, customer proprietary network information), members of the group sometimes used fraudulent emergency disclosure requests (EDRs). An attacker can create a fake EDR by impersonating a legitimate requestor, such as a law enforcement agent, or by applying official logos to the request. Lapsus$ also relied on insiders at targeted companies, employees, or contractors, to obtain credentials, approve multi-factor authentication (MFA) requests, or use internal access to help the threat actor” (Bleeping Computer, 2023).

The CSRB says that in one case, the Lapsus$ actors used their unauthorized access to a mobile provider to try to compromise mobile phones belonging to FBI and Department of Defense personnel. The attempt was unsuccessful due to extra security implemented for those accounts. According to the CSRB’s findings, the group paid as much as $20,000 per week to access a telecommunications provider’s platform and perform SIM swaps.

While the FBI did not see Lapsus$ selling the stolen data, they did find cases where Lapsus$ was using the stolen data to extort victims into paying ransoms. SIM card swapping was not the only technique employed by the group; they also leveraged Active Directory security issues in 60% of their attacks, which shows the group does have some technical skills.

The CSRB noted that Lapsus$ was not always successful in attacks, and failed to breach organizations that implemented application or token-based MFA. Also, robust network intrusion detection systems and flagging suspicious account activity prevented Lapsus$ attacks. Where incident response procedures were followed, the impact was “significantly mitigated,” CSRB says in the report.
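
An added example, not from the CSRB report or the original article: a Python audit over a constructed MFA enrollment export that flags accounts still reachable through a phone-number-bound factor, the kind a SIM swap takes over. The export columns and the factor names (sms, voice, totp_app, hardware_token) are assumptions made for this example.

```python
import csv
import io

# Constructed sample export (not real data); columns and factor names are assumptions.
SAMPLE_EXPORT = """user,privileged,factors
alice,yes,sms
bob,no,totp_app;sms
carol,yes,hardware_token
dave,no,totp_app
erin,yes,voice;hardware_token
frank,no,
"""

# Factors tied to a phone number follow the number when a SIM is swapped.
PHONE_BOUND = {"sms", "voice"}
# Factors bound to an app or physical token do not move with the number.
DEVICE_BOUND = {"totp_app", "hardware_token"}


def classify(factors):
    """Return the exposure class for one account's enrolled factors."""
    enrolled = {f.strip().lower() for f in factors.split(";") if f.strip()}
    if not enrolled:
        return "no_mfa"
    if enrolled - PHONE_BOUND - DEVICE_BOUND:
        return "review_unknown_factor"
    if enrolled <= PHONE_BOUND:
        return "phone_only"
    if enrolled & PHONE_BOUND:
        # A phone factor left as fallback caps the account at phone-factor strength.
        return "phone_fallback"
    return "device_bound"


def audit(export_text):
    """Return (user, finding) pairs needing action, privileged accounts first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        finding = classify(row["factors"] or "")
        if finding != "device_bound":
            privileged = row["privileged"].strip().lower() == "yes"
            findings.append((not privileged, row["user"], finding))
    return [(user, finding) for _, user, finding in sorted(findings)]


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```

The phone_fallback class matters as much as phone_only: enrolling an app or token does not help while SMS or voice remains available as an alternative factor.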

Suggested Correction(s):
Despite security researchers and experts decrying for years the use of SMS-based authentication as insecure, DHS’ Cyber Safety Review Board highlights that “most organizations were not prepared to prevent” the attacks from Lapsus$ or other groups employing similar tactics.

The Board’s recommendations to prevent other actors from gaining unauthorized access to an internal network include:

  • Transitioning to a passwordless environment with secure identity and access management solutions and discarding SMS as a two-step authentication method
  • Prioritizing efforts to reduce the efficiency of social engineering through robust authentication capabilities that are resilient to MFA phishing
  • Telecommunication providers should treat SIM swaps as highly privileged actions that require strong identity verification, and provide account-locking options for consumers
  • Strengthen Federal Communications Commission (FCC) and Federal Trade Commission (FTC) oversight and enforcement activities
  • Planning for disruptive cyberattacks and investing in prevention, response, and recovery; adopting a zero-trust model and strengthening authentication practices
  • Building resilience against social engineering attacks when it comes to Emergency Disclosure (Data) Requests
  • Organizations should increase cooperation with law enforcement by reporting incidents promptly; the U.S. Government should provide “clear, consistent guidance about its cyber incident-related roles and responsibilities”

“Lapsus$ fell silent since September 2022, likely due to law enforcement investigations that led to the arrests of several members of the group. In March last year, the City of London Police announced the arrest of seven individuals linked to Lapsus$. A few days later, on April 1, two more were apprehended, a 16-year-old and a 17-year-old. In October, during Operation Dark Cloud, the Brazilian Federal Police arrested an individual suspected to be part of the Lapsus$ extortion group, for breaching the systems of the country’s Ministry of Health” (Bleeping Computer, 2023).