The Dire Warnings in the Lapsus$ Hacker Joyride

“At the end of the day, the flexibility of how you can abuse corporate accounts to move laterally and pivot over to other applications in the cloud—there are just so many different ways that attackers can use enterprise credentials,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “That’s why phishing is so extremely popular with cybercriminals, because of that return on investment.”

There are stronger ways to implement two-factor authentication, and the new generation of “password-less” login schemes or “Passkeys” from the industry FIDO2 standard promise a much less phishable future. But organizations need to actually start implementing these more robust protections so they’re in place when a ransomware actor (or restless teen) starts poking around.

“Phishing is obviously a huge problem, and most of the things that we normally think of as multifactor authentication, like using a code generator app, are at least somewhat phishable, because you can trick someone into revealing the code,” says Jim Fenton, an independent identity privacy and security consultant. “But with push notifications, it’s just too easy to get people to click ‘accept.’ If you have to plug something directly into your computer to authenticate or use something integrated with your endpoint, like a biometric sensor, those are phishing-resistant technologies.”

Keeping attackers from clawing their way into an organization through phishing isn’t the only problem, though. As the Uber incident showed, once Lapsus$ had compromised one account to gain access, they were able to burrow deeper into Uber’s systems, because they found credentials for internal tools lying around unprotected. Security is all about raising the barrier to entry, not eliminating all threats, so strong authentication on external-facing accounts would certainly have gone a long way toward stopping a group like Lapsus$. But organizations must still implement multiple lines of defense so there’s a fallback in case one is breached. 

In recent weeks, former Twitter security chief Peiter “Mudge” Zatko has publicly come out as a whistleblower against Twitter, testifying before a US Senate committee that the social media giant is woefully insecure. Zatko’s claims—which Twitter denies—illuminate how high the cost could be when a company’s internal defenses are lacking.

For its part, Lapsus$ may have a reputation as an outlandish and oddball actor, but researchers say that the extent of its success in compromising massive companies is not just remarkable but also disturbing.

“Lapsus$ has highlighted that the industry must take action against these weaknesses in common authentication implementations,” Demirkapi says. “In the short term we need to start by securing what we currently have, while in the longer term we must move toward forms of authentication that are secure by design.”

No wakeup call ever seems sufficiently dire to produce massive investment and quick, ubiquitous implementation of cybersecurity defenses, but with Lapsus$ organizations may have an additional motivation now that the group has shown the world just how much is possible if you’re talented and have some time on your hands. 

“Cybercriminal enterprises are exactly the same as legitimate businesses in the sense that they look at what other people are doing and emulate the strategies that prove successful,” Emsisoft’s Callow says. “So the ransomware gangs and other operations will absolutely be looking at what Lapsus$ has done to see what they can learn.”