Lapsus$, MFA Bombing, and Human Behaviour
by Reflare Research Team on Apr 5, 2023 7:45:00 PM
As cybersecurity departments bucket money into solutions that improve network security, highly exploitable staff keep letting attackers in. Malicious actors know your users are your weakest link, and if you think their trickery is becoming sophisticated, you ain't seen nothing yet.
First Published 4th October 2022 | Latest Refresh 5th April 2023
"Your 48th one-time-password is...".
4 min read | Reflare Research Team
Kids today
On September 22, a 16-year-old teenager was arrested in Oxfordshire, UK and charged with breach of bail and computer misuse as part of a hacking investigation. Days earlier, a cyber threat actor managed to access Uber's internal network and systems, including the company’s corporate Slack channels, forcing the ride-hailing giant to reveal the details of the breach.
Uber was not the only major company breached that week. Rockstar Games, a prominent American video game publisher based in New York City, also reported a breach that saw internal files, including videos related to its highly anticipated upcoming game Grand Theft Auto 6, leaked online.
Interestingly, this is likely the same teen who was arrested earlier this year for being the leader of the Lapsus$ gang, a cybercrime group made up predominantly of teenagers between the ages of 16 and 21. Despite their age, the group members made headlines for breaching corporations such as Okta, Nvidia, Samsung, Mercado Libre, Ubisoft, T-Mobile, Microsoft, and Globant.
A list like that would make anyone believe that these teenagers' technical sophistication rivals that of state-sponsored threat actors. But the grim reality is that their modus operandi is anything but technically sophisticated. By targeting the employees of these companies with social engineering attacks, Lapsus$ proved that despite all the high-tech, multi-layered security products deployed by these organisations, humans remain the weakest link.
Exploiting the meatbag
'Manipulating the human' was indeed the case with Uber, where one of its external contractors fell victim to MFA (Multi-Factor Authentication) fatigue. MFA fatigue is the result of a social engineering technique known as MFA bombing, which involves spamming a target with repeated MFA requests until they eventually approve one out of frustration.
However, for an MFA bombing attack to succeed, the threat actor must already have the victim's login credentials. In the case of the Uber breach, these credentials were acquired from an underground marketplace.
Uber is not alone this year in becoming the victim of a successful social engineering attack. Cisco has also confirmed that it was breached by a ransomware gang. This happened because an employee’s personal Google account, which contained passwords synced from their web browser, was compromised. From there, the threat actors successfully combined a voice phishing attack with MFA bombing.
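As an added defender-side example (not code from the original article or from Reflare), the following Python flags the MFA-bombing pattern described above in a constructed authentication log: a burst of push prompts to one user inside a short window, with a burst that ends in an approval being the outcome worth paging on. The JSON field names, the threshold and window, and the sample log lines are all assumptions.

```python
# Added example (not Reflare's tooling): detect MFA push-fatigue bursts in a
# constructed JSON-lines auth log (fields: ts, user, result). Assumed format.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, deliberately out of chronological order.
SAMPLE_LOG = """\
{"ts": "2022-09-15T22:01:03Z", "user": "contractor01", "result": "denied"}
{"ts": "2022-09-15T22:03:25Z", "user": "contractor01", "result": "timeout"}
{"ts": "2022-09-15T09:00:00Z", "user": "alice", "result": "approved"}
{"ts": "2022-09-15T22:02:10Z", "user": "contractor01", "result": "denied"}
{"ts": "2022-09-15T22:04:40Z", "user": "contractor01", "result": "denied"}
{"ts": "2022-09-15T22:08:30Z", "user": "contractor01", "result": "approved"}
{"ts": "2022-09-15T23:10:00Z", "user": "bob", "result": "timeout"}
{"ts": "2022-09-15T23:10:45Z", "user": "bob", "result": "timeout"}
{"ts": "2022-09-15T23:11:30Z", "user": "bob", "result": "timeout"}
{"ts": "2022-09-15T23:12:15Z", "user": "bob", "result": "timeout"}
"""

def parse_log(text):
    """Parse JSON lines; 'ts' becomes a timezone-aware datetime."""
    events = [json.loads(l) for l in text.splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return events

def detect_push_fatigue(events, window_minutes=10, threshold=4):
    """Return {user: summary} for users who got >= threshold prompts in any window; notes if a burst ended in an approval."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])        # logs are rarely in order
        start = 0
        for end, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:   # slide window start
                start += 1
            burst = evs[start:end + 1]         # prompts inside the window
            if len(burst) < threshold:
                continue
            summary = alerts.setdefault(user, {"max_pushes": 0, "approved_after_burst": False})
            summary["max_pushes"] = max(summary["max_pushes"], len(burst))
            summary["approved_after_burst"] |= e["result"] == "approved"
    return alerts

if __name__ == "__main__":
    print(detect_push_fatigue(parse_log(SAMPLE_LOG)))
```

On the sample data, contractor01 is flagged with an approval after five prompts in eight minutes (the fatigue outcome), bob is flagged as a burst that never got approved, and alice's single normal login is not flagged.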
The CISO strikes back
Many lessons can be learned from the misfortune of those like Uber and Cisco. The good news is that companies are taking notes. Budgets being allocated to CISOs for security products to secure their network are on the rise.
However, threat actors are rising to meet this challenge by becoming more sophisticated in their cyberattacks, primarily through designing more creative and ambitious social engineering attacks. (sad_trombone).
Humans have always been the weakest link in cybersecurity resilience, and malicious actors are doubling down on exploiting this more than ever. Attackers understand that cybersecurity capability training often falls under the ‘Learning and Development’ budgets that reside in Human Resource or Talent Management functions.
Although the leaders of these functions are incredibly well-intentioned, they are usually controlled by people who a) have very little awareness of cybersecurity, and b) possess a minimal understanding of what is needed to address the real problem.
And as long as this remains the case, attackers will continue to exploit humans, and humans will continue to be the weakest link.
This is why we need your help. Yes... YOU!!
Forward the following text to your L&D department (please)
It is increasingly essential that companies invest in the proper cybersecurity awareness training for their employees and third-party users. But it’s even more critical that those in charge of Learning and Development understand precisely what they are training for, and why.
Cybersecurity awareness training is not just about ticking the ‘audit and compliance’ box to complete a 360° performance review. Nor is it just about ‘how to identify phishing emails’. There are many different cybersecurity topics that L&D leaders must be able to identify, understand, and implement solutions for.
Furthermore, as malicious actors continue to exploit staff with increasingly sophisticated attacks, the sophistication and customisation of corporate IT security training solutions must also evolve.
To begin addressing the behaviour risks in your users, the following topic list should be viewed as a starting point for the ‘very basics’ that you, at an absolute minimum, should be training for.
Removable Media
Removable media security awareness training can help your employees understand the risks of using portable devices, such as USB flash drives. The training aims to help employees understand how to keep data and their system safe and secure when using removable media, and to encourage them to follow best practices when working with these devices.
Passwords and Authentication
Passwords and Authentication security awareness training is essential for any organisation that wants to protect its data and accounts. The training helps employees learn best practices for creating and managing passwords and using two-factor authentication. The training covers topics such as how to create strong passwords, how to store passwords securely, and how to use two-factor authentication to protect accounts. By investing in this training, organisations can ensure that their employees know the importance of password security and take the necessary measures to protect their data.
Mobile Device Security
As the use of mobile devices continues to grow, so do the risks associated with their use. Mobile devices are often used for sensitive tasks such as accessing email, storing important files, and making online purchases. This makes them a prime target for criminals looking to steal sensitive information. Mobile Device security awareness training can cover a variety of topics, including the risks associated with using mobile devices, how to protect oneself and one’s organisation from the risks associated with using mobile devices, the importance of keeping mobile devices up-to-date with security patches, the importance of encrypting data on mobile devices, how to use mobile devices securely when travelling, and how to spot and report suspicious activity and behaviour related to mobile devices.
Home Security
Working remotely has become popular recently due to the pandemic and technologies making it easier for employees to stay connected to their work from anywhere. While working remotely can have many benefits, it's essential to be aware of the security risks that come with it. Security awareness training that covers remote work can help employees understand how to stay safe when working from home. Effective training typically covers topics such as setting up a secure home office, keeping work and personal computers and devices safe, protecting information when working at home, and preventing the leaking of sensitive corporate data to friends or family members.
Social Engineering
Good social engineering security awareness training typically covers the common techniques used in social engineering attacks, including phishing, baiting, quid pro quo, and tailgating. Phishing involves sending emails or other messages that appear to be from a legitimate source to trick the recipient into revealing confidential information or clicking on a malicious link. Baiting involves leaving USB drives or other media containing malicious software in public places in the hope that someone will pick them up and insert them into a computer. Quid pro quo involves offering something in exchange for access to confidential information or systems. Tailgating, also known as piggybacking, consists of following someone into a secure area without proper authorisation.
You can train tech and non-tech staff on many other IT security topics. To evaluate which topic areas are best aligned with your organisation's needs, use this framework to specifically identify what you should be training for.