Lapsus$, MFA Bombing, and Human Behaviour

As cybersecurity departments bucket money into solutions that improve network security, highly exploitable staff keep letting attackers in. Malicious actors know your users are your weakest link, and if you think their trickery is becoming sophisticated, you ain't seen nothing yet.

First Published 4th October 2022  |  Latest Refresh 5th April 2023

Lapsus$, MFA Bombing, and Human Behaviour

"Your 48th one-time-password is...".

4 min read  |  Reflare Research Team

Kids today

On September 22, a 16-year-old teenager was arrested in Oxfordshire, UK and charged with breach of bail and computer misuse as part of a hacking investigation. Days earlier, a cyber threat actor managed to access Uber's internal network and systems, including the company’s corporate Slack channels, forcing the ride-hailing giant to reveal the details of the breach.

Uber was not the only major company breached that week. Rockstar Games, a prominent American video game publisher based in New York City, also reported a breach that saw internal files, including videos related to their highly anticipated upcoming game Grand-Theft Auto 6, leaked online.

Interestingly, this is likely the same teen who was arrested earlier this year for being the leader of the Lapsus$ gang, a cybercrime group predominantly comprised of teenagers between the ages of 16-21.  Despite their age, the group members made headlines for breaching corporations such as Okta, Nvidia, Samsung, Mercado Libre, Ubisoft, T-Mobile, Microsoft, and Globant.

A list like that would make anyone believe that these teenagers' technical sophistication might rival those of state-sponsored threat actors. But the grim reality is that their modus-operandi is anything but technically sophisticated. Lapsus$ proved that despite all the high-tech and multi-layered security products deployed by these organisations – humans remain the weakest links by targeting the employees of these companies with social engineering attacks.

Exploiting the meatbag

'Manipulating the human' was indeed the case with Uber, where one of its external contractors became the victim of MFA (Multi-Factor Authentication) fatigue. MFA fatigue results from a form of social engineering attack known as MFA bombing that involves spamming a target with repeated MFA requests until they eventually authorise access out of frustration. 

However, to perform an MFA bombing attack successfully, it requires the threat actor to already have access to the victims' login credentials. In the case of the Uber breach, these credentials were acquired from an underground marketplace.

Uber is not alone this year in becoming the victim of a successful social engineering attack. Cisco has also confirmed that they were breached by a ransomware gang. This happened because an employee’s personal Google account, which contained passwords synced from their web browser, was compromised. From there, the threat actors successfully performed a voice phishing attack - and MFA bombing.

The CISO strikes back

Many lessons can be learned from the misfortune of those like Uber and Cisco. The good news is that companies are taking notes. Budgets being allocated to CISOs for security products to secure their network are on the rise.

However, threat actors are rising to meet this challenge by becoming more sophisticated in their cyberattacks, primarily through designing more creative and ambitious social engineering attacks. (sad_trombone).

Humans have always been the weakest link in cybersecurity resilience, and malicious actors are doubling down on exploiting this more than ever. Attackers understand that cybersecurity capability training often falls under the ‘Learning and Development’ budgets that reside in Human Resource or Talent Management functions.

Although the leaders of these functions are incredibly well-intentioned, they are usually controlled by people who a) have very little awareness of cybersecurity, and b) possess a minimal understanding of what is needed to address the real problem.

And as long as this remains the case, attackers will continue to exploit humans, and humans will continue to be the weakest link.

This is why we need your help. Yes... YOU!!

Forward the following text to your L&D department (please)

It is increasingly essential that companies invest in the proper cybersecurity awareness training for their employees and third-party users. But it’s even more critical that those in charge of Learning and Development understand precisely what they are training for, and why.

Cybersecurity awareness training is not just about ticking the ‘audit and compliance’ box to complete a 360° performance review. Nor is it just about ‘how to identify phishing emails’. There are many different cybersecurity topics that L&D leaders must be able to identify, understand, and implement solutions for.

Furthermore, as malicious actors continue to exploit staff with increasingly sophisticated attacks, the sophistication and customisation of corporate IT security training solutions must also involve.

To begin addressing the behaviour risks in your users, the following topic list should be viewed as a starting point for the ‘very basics’ that you, at an absolute minimum, should be training for.

Removable Media

Removable media security awareness training can help your employees understand the risks of using portable devices, such as USB flash drives. The training aims to help employees understand how to keep data and their system safe and secure when using removable media, and to encourage them to follow best practices when working with these devices.

Passwords and Authentication

Passwords and Authentication security awareness training is essential for any organisation that wants to protect its data and accounts. The training helps employees learn best practices for creating and managing passwords and using two-factor authentication. The training covers topics such as how to create strong passwords, how to store passwords securely, and how to use two-factor authentication to protect accounts. By investing in this training, organisations can ensure that their employees know the importance of password security and take the necessary measures to protect their data.

Mobile Device Security

As the use of mobile devices continues to grow, so do the risks associated with their use. Mobile devices are often used for sensitive tasks such as accessing email, storing important files, and making online purchases. This makes them a prime target for criminals looking to steal sensitive information. Mobile Device security awareness training can cover a variety of topics, including the risks associated with using mobile devices, how to protect oneself and one’s organisation from the risks associated with using mobile devices, the importance of keeping mobile devices up-to-date with security patches, the importance of encrypting data on mobile devices, how to use mobile devices securely when travelling, and how to spot and report suspicious activity and behaviour related to mobile devices.

Home Security

Working remotely has become popular recently due to the pandemic and technologies making it easier for employees to stay connected to their work from anywhere. While working remotely can have many benefits, it's essential to be aware of the security risks that come with it. Security awareness training that covers remote work can help employees understand how to stay safe when working from home. Effective training typically covers topics such as setting up a secure home office, keeping work and personal computers and devices safe, protecting information when working at home, and preventing the leaking of sensitive corporate data to friends or family members.

Social Engineering

A good security social engineering awareness training typically covers common techniques used in social engineering attacks, including phishing, baiting, quid pro quo, and tailgating. Phishing involves sending emails or other messages that appear to be from a legitimate source to trick the recipient into revealing confidential information or clicking on a malicious link. Baiting involves leaving USB drives or other media containing malicious software in public places in hopes that someone will pick them up and insert them into a computer. Quid pro quo involves offering something in exchange for access to confidential information or systems. Tailgating, also known as piggybacking, consists of following someone into a secure area without proper authorisation.

You can train tech and non-tech staff on many other IT security topics. To evaluate which topic areas are best aligned with your organisation's needs, use this framework to specifically identify what you should be training for.

Consider subscribing to our biweekly research newsletter to stay up to speed on the latest cybersecurity L&D.

Additionally, you can explore some of our related articles to learn more.

Subscribe by email