An anonymous reader quotes a report from CNN: A group of teenage hackers managed to breach some of the world’s biggest tech firms last year by exploiting systemic security weaknesses in US telecom carriers and the business supply chain, a US government review of the incidents has found, in what is a cautionary tale for America’s critical infrastructure. The Department of Homeland Security-led review of the hacks, which was shared exclusively with CNN, determined US regulators should penalize telecom firms with lax security practices and Congress should consider funding programs to steer American youth away from cybercrime. The investigation of the hacks — which hit companies like Microsoft and Samsung — found that, in general, it was far too easy for the cybercriminals to intercept text messages that corporate employees use to log into systems. […]
“It is highly concerning that a loose band of hackers, including a number of teenagers, was able to consistently break into the best-defended companies in the world,” Homeland Security Secretary Alejandro Mayorkas told CNN in an interview, adding: “We are seeing a rise in juvenile cybercrime.” After a series of high-profile cyberattacks marked his first four months in office, President Joe Biden established the DHS-led Cyber Safety Review Board in 2021 to study the root causes of major hacking incidents and inform policy on how to prevent the next big cyberattack. Staffed by senior US cybersecurity officials and executives at major technology firms like Google, the board does not have regulatory authority, but its recommendations could shape legislation in Congress and future directives from federal agencies. […]
The board’s first review, released in July 2022, concluded that it could take a decade to eradicate a vulnerability in software used by thousands of corporations and government agencies worldwide. The second review, to be released Thursday, focused on a band of young criminal hackers based in the United Kingdom and Brazil that last year launched a series of attacks on Microsoft, Uber, Samsung and identity management firm Okta, among others. The audacious hacks were often followed by extortion demands and taunts by hackers who seemed to be out for publicity as much as they were for money. The hacking group, known as Lapsus$, alarmed US officials because they were able to embarrass major tech firms with robust security programs. “If richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors?” the Cyber Safety Review Board’s new report states. Lapsus$, as well as other hacking groups, conduct “SIM-swapping” attacks that can take over a victim’s phone number by having it transferred to another device, thereby gaining access to 2FA security codes and personal messages. These can then be used to reveal login credentials and access financial information.
“The board wants telecom carriers to report SIM-swapping attacks to US regulatory agencies, and for those agencies to penalize carriers when they don’t adequately protect customers from such attacks,” reports CNN.
