Latest T-Mobile Attack Underscores Value of PKI Authentication

The teenage hacker group LAPSUS$ used stolen or purchased passwords to infiltrate T-Mobile’s systems multiple times in March 2022. This goes to show why companies can no longer rely on password-based security measures   

What’s worse than a bunch of teenagers stirring up trouble with pranks? When those “idle hands” decide to use stolen or compromised employee credentials to steal a cellular provider’s source code and try to take over customers’ accounts. Unfortunately, that’s exactly what happened recently when the teenaged hacker group LAPSUS$ gained access to an unknown number of T-Mobile employees’ credentials and used them to access sensitive code and systems.

The attackers accessed the cellular company’s internal systems — including an internal software that controls SIM porting — to try to “SIM swap” FBI and other government-related accounts. (“SIM swapping” occurs when an attacker ports the SIM card number from a legitimate mobile device to one they control to bypass multi-factor authentication [MFA] and gain unauthorized access to accounts associated with that phone number.)

Thankfully, the attackers were unsuccessful in gaining access to government accounts due to some secondary account permission requirements that were in place. But that’s not always going to be the case. Let’s explore what happened and why this incident serves as yet another example of why relying on traditional usernames and passwords (or even SMS-based MFA) can be a big risk for organizations and their customers.

Let’s hash it out.

The Bad News: Hackers Used Employee Credentials to Access T-Mobile’s Critical Systems

Cybersecurity journalist Brian Krebs put a spotlight on some of the recent activities of the teen hacker group LAPSUS$, which includes multiple hacks of T-Mobile in the month of March 2022. (Check out his article for copies of those screenshots and a more in-depth look at the T-Mobile breach.)

But who (or what) is LAPSUS$? It’s likely you’ve seen the name in the news or the results of their hacking and extortion escapades in recent months. But if you haven’t, LAPSUS$ is a ransomware group (largely made up of teenagers) that came onto the scene by hacking into government agencies and organizations in Brazil, Latin America, and Portugal. Now, the group seems to have switched gears and primarily focuses on tech giants in the United States and abroad, including:

LAPSUS$ is known for stealing sensitive data. They then turn around and use the data as leverage to try to swindle extortion payments from the organizations they stole it from. In particular, they have a penchant for using legitimate credentials that they’ve stolen or bought from other bad guys. And that’s what we want to focus on here today.

What we want to point out, in particular, is that Krebs’ research shows that the hackers would sweet-talk, trick, or otherwise manipulate employees into handing over their credentials. In some cases, they’d even buy them outright from other hackers online.

Do we know how many accounts were compromised? Nope. But the truth is that it doesn’t matter — all it takes is one strategically placed ace for the whole house of cards to fall down.

The Ugly Truth: Credential Theft Will Be an Issue So Long as We’re Using Passwords

Data is currency in our digital world. Whether it’s intellectual property or login credentials, bad guys are always looking to get their hands on every piece of sensitive data they can find. But sitting in front of a computer hour after hour, day after day, for months at a time trying to break through your IT security defenses isn’t cost effective for cybercriminals. Nah, they’re often looking for a faster pay day, and that route is incredibly tedious.

A more efficient route is often to exploit vulnerabilities that exist within your system — and doing that includes targeting your employees. Proofpoint reports in its 2022 Cost of Insider Threats Global Report that more than half 56% of security incidents stem from employee negligence. This comes with an annualized cost of $6.6 million over a 12-month period or a cost of $484,931 per incident.

Now, compare this to criminal insiders and incidents involving stolen credentials:

• 18% of incidents are related to credential theft, which have an annual cost of $4.1 million or an average cost of $804,997 per incident.
• 26% of incidents are due to criminal insiders and come with an annual price tag of $4.6 million or an average cost of $648,062 per incident.

Password-based authentication is risky because it’s vulnerable to human-targeting attacks (e.g., social engineering attacks) as well as other tactics (keyloggers and other password-stealing malware programs, brute force attacks, etc.).

Ask yourself: Why would cybercriminals (especially impatient teenagers) want to go to all of the trouble of trying to break their way through a locked, steel-plated back door when you’ll let them walk through your open front door?

The Good News: Some Bad Guys (and a Bad Site) Have Gotten Caught and Shut Down

That was a lot of bad news to take in. But don’t fret — we’ve got some positive news to share (as well as some helpful recommendations to offer momentarily):

• The FBI announced earlier this month (April 12, 2022) that they seized RaidForums, “one of the world’s largest hacker forums” cybercriminals use to buy and sell stolen data. This site was known for housing data LAPSUS$ (and other hackers) wanted to keep off their home devices.  
• BleepingComputer reported near the end of March 2022 that seven suspected members of LAPSUS$ were arrested in the United Kingdom. To date, two have been charged although their names are withheld due to their ages (16 and 17).

Yes, we get it. It’s a drop in the bucket compared to all of the cyber crimes going on out there in the wilds of the internet and dark web. But, hopefully, we’ll see justice served if the teens are found responsible for the attacks (at least in part).

The Takeaway: Make Your Organization More Secure with Account Management

In case you’ve not gotten the memo: employees are people, people are humans and, well, we make mistakes. But the good news is that there are things you can do to help strengthen your defenses against these human-based vulnerabilities.

• Use strong access controls and access management policies. Controlling who has access to what is at the core of access management. When you combine that with verifiable digital identities, it means creating profiles for your employees and setting access privileges based on what access they need to do their jobs. This is at the heart of the principle of least privilege. Also be sure to deactivate accounts when employees leave your organization.
• Set strict password creation and rules. Configure your password security systems and policies to prevent the use of duplicate passwords. Require longer passwords because they’re harder to crack than shorter ones. Be sure to blacklist passwords that have leaked or breached online or are found in common password lists. Store only salted password hashes (never plaintext passwords).
• Remember that MFA isn’t 100% secure. While multi factor authentication adds an additional layer of security to your authentication process (so long as it’s properly configured), it isn’t foolproof. NIST warned against the use of SMS-based MFA as a second authentication factor at one point, even considering deprecating its usage altogether (although they later backpedaled on that decision), due to concerns about risks associated with that delivery method. In March 2020, the FBI and CISA released a joint advisory warning that Russian state-sponsored actors have exploited a vulnerability that allowed them to bypass MFA protocols.
• Bypass the use of passwords with PKI-based authentication. One way to avoid the password security and phishing problem is to not use passwords to secure accounts. If your employees use client authentication certificates instead to authenticate, they get to login without having to remember tricky passwords (that can be phished) and your organization gets to enjoy stronger security. Seems like a win-win to me.
• Use live network monitoring tools to keep an eye on traffic. If you’re seeing unusual traffic or increased login attempts for your users’ accounts, it could be a sign of brute force attacks or that the accounts have been compromised. Use tools that help you monitor and make sense of all the “noise” these systems generate.  
• Set rules to lock accounts that have too many failed login attempts. People make mistakes when typing in their passwords. But if there are many repeated attempts, it could be an indication that something nefarious is going on.