Through 2021 – 2022, multiple government agencies and big tech businesses, including Microsoft, Nvidia, and Uber, were victims of hacking by the Lapsus$ group. A recent report from the Cyber Safety Review Board (CSRB) found that the extortion-based hacker group was able to access sensitive information due to weak Multifactor Authentication (MFA) methods, including SMS and voice-call authentication codes, along with using stolen login credentials purchased online.
This “collective failure” to account for risks is just one of many weaknesses in identity management technology that have left data and networks vulnerable to attack, and the CSRB is urging government agencies in particular to modernize their MFA methods.
The report stated that “organizations that used application or token-based MFA methods or employed robust network intrusion detection systems, including rapid detection of suspicious account activity, were especially resilient” to attacks.
Chris DeRusha, the federal chief information security officer and member of the CSRB, was particularly emphatic in pushing the government to adopt phishing-resistant MFA in its protocols.
“It’s time for everybody to move off of that SMS stuff,” he said. “It’s getting hijacked by automated tools…[it’s] just like driving without seatbelts, and we shouldn’t be doing that.”
DeRusha does acknowledge that many agencies, which are working with outdated technology, will find implementing phishing-resistant MFA difficult or even impossible. He is advocating a 10-year modernization strategy for legacy IT to bring security up to modern standards.
At a conference hosted by FCW/NextGov, he pointed to the similar case of the recent Microsoft Exchange Online intrusion, in which suspected Chinese hackers were able to steal a private Microsoft encryption key and forge authentication tokens in order to access the email accounts of Commerce Secretary Gina Raimondo and other high-level officials.
“When you look at state of play out there, and you look at the types of attacks our adversaries are employing…identity needs to be the first starting point,” DeRusha said. Both he and the CSRB pointed to this incident as a key reason for government officials to take strong identity management seriously.
The CSRB has recommended that technology providers immediately begin transitioning away from text- and voice-based MFA, and that governments work with the tech industry to create a “roadmap” leading to “a world without passwords.” The White House, the National Institute of Standards and Technology, and the Cybersecurity and Infrastructure Security Agency have all been urged to lead the effort.
“This roadmap should include standards and frameworks, guidance, tools, and technology specific to organizations’ needs and circumstances that account for size, industry, threat profile, as well as privacy and civil liberties considerations,” enabling these organizations to progress to a more modern, secure method of MFA.
In the coming weeks, the CSRB plans to review the Microsoft incident, along with “a broader review of issues relating to cloud-based identity and authentication infrastructure.”