SoylentNews

Freeman [soylentnews.org] writes:

https://arstechnica.com/security/2023/08/homeland-security-details-how-teen-hackers-breached-some-of-the-biggest-targets/ [arstechnica.com]

A ragtag bunch of amateur hackers, many of them teenagers with little technical training, have been so adept at breaching large targets, including Microsoft, Okta, Nvidia, and Globant, that the federal government is studying their methods to get a better grounding in cybersecurity.

The group, known as Lapsus$, is a loosely organized group that employs hacking techniques that, while decidedly unsophisticated, have proved highly effective.
[...]
Rather than compromising infrastructure used to make various MFA services work, as more advanced groups do [arstechnica.com], a Lapsus$ leader last year described his approach to defeating MFA this way: “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

On Thursday, the Homeland Security Department’s Cyber Safety Review Board released a report [cisa.gov] that documented many of the most effective tactics in the Lapsus$ playbook and urged organizations to develop countermeasures to prevent them from succeeding.
[...]
The report contains a variety of recommendations. Key among them is moving to passwordless authentication systems, which presumably refer to passkeys [arstechnica.com], based on FIDO2. Like all FIDO2 offerings, passkeys are immune to all known credential phishing attacks because the standard requires the device that provides MFA to be no further than a few feet away from the device logging in.

Original Submission