Cyberattacks have been in mainstream news again in recent weeks, as the hacker group Lapsus$ has launched several successful attacks against major companies. Recently, police in Oxfordshire arrested an unnamed seventeen-year-old known by the alias Tea Pot who has been credited as the one responsible for these notable attacks. For those familiar with common penetration testing techniques, the methods used in this attack may sound very familiar.
Lapsus$ has been seen to use common social engineering techniques when attempting to breach companies’ defenses. In one of their more recent attacks, the Lapsus$ member obtained the credentials of an employee working for the target and attempted to gain access to the employee’s account. However, the attacker was initially stopped by two-factor authentication. When the attacker attempted to log in to the account, the employee received a cell phone notification stating that someone was attempting to access the account. Initially, the employee declined.
However, the attacker was persistent and continued trying to gain access. After repeated failures, the attacker contacted the employee, posing as a member of the company’s IT team via the messaging platform WhatsApp and instructed the employee to accept the two-factor authentication prompt. The employee believed the story, accepted the notification, and thereby granted access to the attacker.
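The pattern described above, repeated denied MFA push prompts to one account followed by an approval, is something an identity team can look for in its own authentication logs. The following detector is an added example, not code from the original post or from any MFA vendor; the log format and the `SAMPLE_LOG` lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs). The line format is a
# hypothetical one: "<ISO timestamp> user=<name> event=<push_denied|push_approved> src=<ip>"
SAMPLE_LOG = """\
2022-03-20T22:01:05Z user=alice event=push_denied src=203.0.113.9
2022-03-20T22:01:41Z user=alice event=push_denied src=203.0.113.9
2022-03-20T22:02:17Z user=alice event=push_denied src=203.0.113.9
2022-03-20T22:03:02Z user=alice event=push_denied src=203.0.113.9
2022-03-20T22:09:48Z user=alice event=push_approved src=203.0.113.9
2022-03-20T22:10:30Z user=bob event=push_denied src=198.51.100.4
2022-03-20T22:40:10Z user=bob event=push_approved src=198.51.100.4
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text, min_denials=3, window=timedelta(minutes=15)):
    """Return {user: (denial_count, approval_time)} for every user who approved
    a push after at least `min_denials` denials inside `window` before it.
    A single denial followed much later by an approval (bob) is normal use."""
    recent_denials = defaultdict(list)  # user -> timestamps of denials still in window
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        # keep only denials that fall within the look-back window of this event
        denials = [t for t in recent_denials[user] if ts - t <= window]
        if rec["event"] == "push_denied":
            denials.append(ts)
        elif rec["event"] == "push_approved" and len(denials) >= min_denials:
            hits[user] = (len(denials), ts)
        recent_denials[user] = denials
    return hits


if __name__ == "__main__":
    for user, (count, when) in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"ALERT: {user} approved a push at {when} after {count} denials")
```

Tuning `min_denials` and `window` to the tenant's normal prompt volume keeps the alert useful; a hit is a cue to contact the user out of band and review the session, not proof of compromise on its own.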
Having gained the initial access necessary, the attacker was able to use a number of elevation-of-privilege techniques to gain additional access to internal systems and other accounts, opening up a whole trove of information. The full extent of the attack is yet to be determined, as impact analysis is ongoing. However, it seems that the attacker did less harm than they were capable of, suggesting that this attack was not motivated by monetary gain, and may have been an attack that sought notoriety or excitement.
So, what can we learn from an attack like this? Well, for starters, it’s important to remember that though the targeted companies had all of the proper protocols in place to prevent an attack like this, the attacker was still able to find a way in. It may sound like a losing battle to combat risk while acknowledging that our risk is never zero, but that is simply a fact.
Now that doesn’t mean it’s okay to ignore security best practices. We still need to employ multi-factor authentication and other methods of protecting ourselves. However, we have to keep in mind that it might not be enough and that we must always act with caution. This attack might not have succeeded if the employee had taken the time to verify the identity of the person messaging them on WhatsApp. That’s why it’s important to remember common social engineering tips to help you and your company avoid becoming victims of social engineering attacks:
- If a message or request departs from the type of message or request you would normally expect to receive, this should indicate that something suspicious is going on. It is incredibly rare that IT would reach out to you to fix something that you were not aware was an issue.
- There are exceptions to every rule, but in general, nobody ever needs access to your account for anything. If someone is trying to gain access to your account, it is wise to refuse unless you can absolutely verify the individual and their purpose with 100% certainty.
- If someone is trying to gain sensitive information from you, it is absolutely essential that you verify them as a trustworthy individual. Ask the name of their supervisor. When they give you an answer, don’t just accept it either. Look up the individual in question, reach out to them, and confirm that the person you’re speaking to has been authorized to perform the action they claim they have been.
- Always remain diligent. Hacker groups such as Lapsus$ have been known to perform attacks such as the ones described above for the sake of fun. There may not always be a clear motive, and seemingly commonplace interactions could be putting you at risk if the necessary verification is not performed.
These tips, along with the implementation of proper defenses, should help keep you from becoming the next victim of a cyberattack.