CISA outlines guidance to prevent big tech being hacked again so easily

These are the lessons to be learned from the Lapsus$ attacks, CISA tells businesses

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published anew reportrecommending that businesses make some changes to their security in light of the infamous Lapsus$ attacks.

Lapsus$ is a threat group that used a range of relatively simple tactics to breach some of the biggest names in tech, includingMicrosoft,Nvidia, andSamsung. It was also responsible for leaking content from Rockstar Games' upcoming video gameGrand Theft AutoVI.

Seven people in connection with Lapsus$, aged between 16 and 21, werearrestedlast year, but the group has claimed since that it is still active, and CISA warns that it and other similar threat actors are able to use “a playbook of effective techniques” to launch attacks to a “great and wide effect.”

SIM swapping and passwordless

Chief among the Lapsus$ tactics was sim swapping, whereby attackers managed, via social engineering attacks and other methods, to access incoming messages from phones belonging to employees at the target firm, in order to receive valuable info such as two-factor authentication codes delivered via SMS.

CISA therefore wants the Federal Trade Commission and Federal Communications Commission to “mandate and standardize best practices to combat SIM swapping,” as well as imploring cell operators to “better protect their customers by implementing stringent authentication methods.”

Microsoft may be the latest victim of Lapsus$>Lapsus$ hackers are “back from vacation” as Globant hit>This British teenager is apparently the mastermind behind Lapsus$

This could include letting users lock their accounts out of SIM swaps, requiring strong verification procedures to allow them, and letting them see a record of what SIM swaps have occurred.

To further combat the issues, CISA also suggest that companies adopt passwordless solutions, which require no credentials or multi-factor authentication codes that can be intercepted.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Passkeys are the current favorite, with their FIDO 2 standards set by the FIDO Alliance, a cross-industry association featuring all the names in big tech on the board of members, includingApple,Amazon,Google, and Microsoft. Many of thebest password manageroptions are also starting to support eh use of passkeys, including Dashlane, 1Password and Bitwarden.

They work by storing a cryptographic key on your device, which is not known to anyone. It is combined automatically with the pubic key of the service the user is trying to access their account for, granting them access.

All that’s needed to authenticate the login is whatever is used to lock the device itself. Typically, in the case of smartphones, this means biometric data, such as a fingerprint or facial recognition. A physicalsecurity keycan also be used.

As the known operators within Lapsus$ were so young, CISA also suggests that a Congress-funded prevention programs should be launched to stop juveniles getting involved with cybercrime, as well as redirecting those already involved away from it.

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.

New fanless cooling technology enhances energy efficiency for AI workloads by achieving a 90% reduction in cooling power consumption

Samsung plans record-breaking 400-layer NAND chip that could be key to breaking 200TB barrier for ultra large capacity AI hyperscaler SSDs

Anker Nebula Mars 3 review: A powerful and truly portable projector