Hack the hacker series: Recent cyber breaches by Lapsus$ and SolarWinds could have been avoided

What can we learn from two serious, high-profile MFA bypass and passwordless hacks?

There’s a lot of talk whenever serious cyber breaches make the news. Companies assure stakeholders they’ll improve security measures and cybersecurity tech providers promise solutions. 

Damage control as a result of fear can easily become cybersecurity theater to make people feel safer, rather than actually improving security.

While cyber breaches can be devastating and are better avoided, they can also teach us how attackers work and help identify vulnerabilities. Two high-profile cases, the SolarWinds breach and the various Lapsus$ attacks, reveal some problems in today’s security standards.

Here are some lessons learned and ways to avoid the kind of cybersecurity theater that claims any given tech solution is a fix-all.

What happened with SolarWinds

One of the most shocking security breaches in recent years was a software supply chain attack exposed in December of 2020. It compromised 18,000 SolarWinds customers, including Fortune 500 companies and government agencies, allowing hackers access to sensitive information for more than nine months.


This attack was executed over an extended period as a Russian-state hacking group known as Cozy Bear infiltrated SolarWinds and embedded malicious code into a software update for Orion, a network monitoring tool. Thousands of SolarWinds customers accepted the update, unknowingly installing a backdoor with it and exposing their networks.

The cyber breaches continued as attackers used network access gained through the Orion backdoor to steal Microsoft credential tokens, enabling them to impersonate existing users and accounts. A Microsoft report informing users of the breach said the admin permissions were “acquired through an on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate.” This allowed attackers, “To forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.”

The same hacking group targeted a think tank organization multiple times as well, using software supply chain and MFA bypass tactics of a similar flavor. The attackers breached the organization’s MFA provider, Duo, through Outlook Web Application (OWA), stealing Duo’s secret key. Ars Technica says, “This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid.”

This method of falsely validating credentials meant the attacker only needed a username and password, allowing a complete MFA bypass. When clever attack methods are deployed through trusted third-party software, MFA bypass becomes easy for bad actors and passwordless security measures like tokens are rendered useless.

Lessons from these cyber breaches

While it’s true that supply chain attacks are extremely difficult to prevent, that’s not the only element in a complex and sophisticated hack like the SolarWinds breach. There’s a false sense of security in cybersecurity theater measures that assume threats are neutralized with simple “best practices” like using MFA, passwordless solutions, and timely security updates.

Takeaways:

  • The security of trusted vendors is equally as important as your own company’s security

  • Timely software updates are important, but that’s bad news if the updates themselves are compromised

  • Attackers don’t break passwordless cryptographic tokens directly

  • Small companies may not feel at risk, but they are if they share vendors with other targets

  • Clever hackers have developed many MFA bypass tactics

What happened with Lapsus$


Another well-known hacking group is a data extortion gang called Lapsus$. These attackers have also perpetrated many high-profile security breaches against large companies like Microsoft and Nvidia, using social engineering to obtain sensitive data in order to ransom it for payment.

In March of 2022, Lapsus$ leaked nearly 190GB of Samsung source code that included algorithms for biometric unlocks on mobile devices and other sensitive information. In the same month, the hacking group also breached Okta, a Single Sign-On service provider, by accessing customer support tickets, Slack messages, and internal user management tools.


Many of the MFA bypass strategies that Lapsus$ uses exploit human behavior by getting a user to comply with a request and grant access. This type of social engineering takes various forms.

MFA prompt bombing

MFA is legitimately a strong security measure. That’s why attackers don’t attempt to break directly into accounts. Instead, they exploit gaps at the human level as an MFA bypass method. This can look like:

  • “Bombing” a user with so many MFA prompts that they’re finally annoyed into accepting one

  • Sending a few prompts per day, which is less suspicious, but still catches people off guard

  • Calling the user and impersonating IT, requesting MFA access as a company procedure
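The two push-fatigue patterns listed above (a burst of prompts, or a slow trickle over days, before the user finally approves one) leave a recognisable trace in authentication logs. The following is an added detection example, not code from the original post or from any vendor; the log format and the `mfa_push`/`result` field names are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs): alice is bombed with
# prompts within minutes, carol gets a slow trickle over days, bob is normal.
SAMPLE_LOG = """\
2022-03-15T02:01:12Z user=alice event=mfa_push result=denied
2022-03-15T02:01:40Z user=alice event=mfa_push result=timeout
2022-03-15T02:02:05Z user=alice event=mfa_push result=denied
2022-03-15T02:02:31Z user=alice event=mfa_push result=timeout
2022-03-15T02:03:10Z user=alice event=mfa_push result=approved
2022-03-15T09:14:00Z user=bob event=mfa_push result=approved
2022-03-13T23:40:00Z user=carol event=mfa_push result=denied
2022-03-14T23:52:00Z user=carol event=mfa_push result=denied
2022-03-15T23:47:00Z user=carol event=mfa_push result=approved
"""

def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def find_push_fatigue(events, burst_window=timedelta(minutes=10), burst_threshold=3,
                      slow_window=timedelta(days=7), slow_threshold=2):
    """Return {user: 'burst' | 'slow'} for approvals preceded by suspicious pushes.

    burst: >= burst_threshold unapproved pushes within burst_window of the approval.
    slow:  >= slow_threshold unapproved pushes within slow_window of the approval.
    The pending list resets after each approval, so only pushes since the last
    successful login are counted against the next one.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "mfa_push":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        pending = []
        for e in sorted(evs, key=lambda r: r["ts"]):
            if e["result"] != "approved":
                pending.append(e)
                continue
            burst = [p for p in pending if e["ts"] - p["ts"] <= burst_window]
            slow = [p for p in pending if e["ts"] - p["ts"] <= slow_window]
            if len(burst) >= burst_threshold:
                flagged[user] = "burst"
            elif len(slow) >= slow_threshold:
                flagged[user] = "slow"
            pending = []
    return flagged
```

An approval that follows several ignored or denied pushes is the event worth alerting on, since it is the moment the social-engineering attempt succeeded rather than merely started.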

Obtaining credentials

Lapsus$ also uses other MFA bypass strategies to compromise accounts and data without having to crack MFA head-on. Instead of tricking a user into performing the MFA, attackers obtain credentials in other creative ways like:

  • Using malicious password stealers to get passwords and session tokens

  • Buying passwords and session tokens on the black market

  • Bribing employees, vendors, or partners to hand over credentials and MFA approval

  • Searching public code for unintentionally exposed information

MFA bypass targets human vulnerabilities


Passwordless solutions and MFA are indeed much more secure than simple passwords and logins. But that doesn’t mean cybersecurity theater can’t overstate their effectiveness. No matter what security measures your organization is using, people are still a factor and attackers love to target human vulnerabilities.

These facts should not deter InfoSec officers from crafting the most comprehensive security plans with the best tools and products. It’s simply a reminder that none of those things guarantee security. Shrewd attackers like Lapsus$ are creative and persistent. This means:

  • Using MFA prevents many attacks but not all

  • FIDO2 and other passwordless strategies are quite secure, but they push attackers to get more creative

  • Hackers don’t give up and the landscape is always evolving

  • Gaps between human users and even the best technology can quickly become breaking points

The best tech can’t stop socially engineered cyber breaches

We’ve learned from SolarWinds that software supply chain infiltrations are extremely difficult to catch. Fast software updates for security patches are a good thing, until they’re compromised. And third-party products that are shared by many customers can cause wide, cascading damage.

Lapsus$ has taught us that, yes, MFA is better than no MFA. Both passwordless MFA and SSO can reduce user vulnerabilities, but they don’t completely eliminate them. Social engineering attacks continue to increase as hackers invent new ways to catch people unaware. Keeping all of this in mind means there’s no single tool or tactic to prevent cyber breaches. Don’t let the cybersecurity theater put you to sleep. Instead, use the best solutions available to you and never stop learning from real-world examples.
