How a teenager compromised the security of a major corporation (and what your company can learn from it)

When people think of “nation-state APTs” breaking into Fortune 500 companies, they don’t usually picture a young person with a prepaid mobile phone and a talent for social engineering. Yet several headline-grabbing breaches of the past few years show exactly that: youthful attackers using low-tech methods to get past expensive security controls, and then roaming inside systems as if they owned them.

This post outlines what happened in the now-famous teenager-led attack, explains how it worked, and offers a practical, non-hand-wavy defense strategy you can implement now. There are no “how-to hack” steps here, only the defender’s plan.

The short version

  • The attacker started with identity, not zero-days: stolen credentials, MFA push fatigue, and convincing messages that looked like they came from IT support. (Source: UpGuard)

  • Once logged in, the attacker announced their presence on an internal message board and then moved between cloud and administrative tools, because the trust boundaries inside the organization were too weak. (Source: The Verge)

  • The same group (Lapsus$) routinely used SIM swaps, credential markets, insider recruitment and MFA fatigue against household-name companies. (Source: Microsoft)

  • In another widely covered case, a British teenager broke into a game studio’s internal communications using a hotel TV and a streaming stick, a reminder that persistence matters more than sophistication. (Source: The Guardian)

A case study in modern social engineering

Initial account access
The credentials were bought from an underground marketplace. MFA blocked the first login, so the attacker flooded the employee with push prompts and then followed up on WhatsApp posing as corporate IT (“please approve so we can stop these notifications”). A few taps later the door was open. This is the classic MFA prompt-bombing pattern. (Source: UpGuard)

Making a presence
With SSO access in hand, the attacker reached internal tools and chat, posted a bold “I’m a hacker” message in Slack, and shared screenshots showing access to administrative consoles and cloud resources. The story made headlines, but it also showed how much lateral movement a single portal could allow. (Source: The Verge)

The bigger picture: same tactics, different targets
Investigations into Lapsus$ revealed a repeatable playbook: tricking carriers into SIM swaps, MFA fatigue, bribing insiders, and living off the land once inside. These weren’t exotic exploits. They were process and identity failures, used against Okta, Microsoft, Nvidia and others. (Source: Microsoft)

“But do teens really do this?”
Courts found that an 18-year-old connected to Lapsus$ was responsible for prominent security breaches. Arion Kurtaj, then a teenager, broke into a major game studio’s systems and leaked unreleased content, reportedly using only a hotel television, a mobile phone and an Amazon Fire TV Stick to reach corporate chat. Different organization, same design flaw: identity plus social engineering, and loose trust inside the company. (Source: WIRED)

How did this work? (in plain language)

  1. Users are your perimeter.
    If your login flow lets a persuasive message override a user’s doubts, the attacker doesn’t need malware.

  2. Push-based MFA is convenient, but it is not phishing-resistant.
    Attackers weaponize the prompts; users just want the noise to stop. (MITRE ATT&CK calls this “Multi-Factor Authentication Request Generation”.) (Source: MITRE ATT&CK)

  3. Flat trust inside the castle.
    Once past SSO, access is too broad and sessions live too long, so one lucky phish becomes company-wide reach.

  4. Cloud and admin consoles amplify the damage.
    IdP, ticketing, CI/CD, cloud dashboards: all one step away when SSO is the only lock.

The defender’s blueprint (phased, realistic, in order of operations)

Phase 0 – Immediate hardening (this week)
  • Replace push MFA with phishing-resistant MFA for administrators and remote access. Prioritize WebAuthn/FIDO2 or platform passkeys. Keep OTPs strictly for break-glass use.

  • Challenge by context: block or step up on impossible travel, new devices, or risky IPs.

  • Kill legacy authentication (POP/IMAP/Basic) and SMS for high-privilege roles.

  • Shorten SSO session lifetimes for administrative apps and require re-authentication on privilege elevation.

Phase 1 – Shrink the blast radius (next 30–45 days)
  • Segment identities and admin tiers: separate user, helpdesk and super-admin roles. Eliminate standing global admin.

  • Adopt Just-In-Time (JIT) access with approvals and time-boxed grants.

  • Limit lateral movement with per-app Conditional Access: restrict who can reach your IdP, ticketing, cloud, CI/CD and secrets managers, and from where.

  • Harden chat and collaboration tools: block “external app” links, limit token scope, and protect announcement channels.

Phase 2 – Detect and respond (next quarter)
  • Detection rules for identity abuse:

    • MFA fatigue pattern (many denies, then one approve)

    • New MFA factor added from a new device or geolocation

    • Mass group grants

    • Spikes in OAuth app consents; token misuse

  • Containment playbooks: revoke sessions, purge refresh tokens, block by device or user risk, rotate Okta/Azure/Google admin credentials, and block jump hosts.

  • Build muscle memory: run a tabletop exercise on MFA fatigue and a purple-team re-creation of “compromised helpdesk to SSO.”
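To make the first two detection rules above concrete, here is an added example (not code from the original post or from any vendor) that runs them over a handful of constructed IdP-style authentication events; the event field names and the `mfa.push` / `mfa.factor.enroll` event types are assumptions, not any product’s real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions, not any
# vendor's schema. alice: four denied pushes, then an approve, then a new factor
# enrolled from an IP she has never used. bob: one deny, one approve (benign).
def ev(user, ts, event, outcome, ip):
    return {"user": user, "ts": datetime.fromisoformat(ts), "event": event,
            "outcome": outcome, "ip": ip}

SAMPLE_EVENTS = [
    ev("alice", "2022-09-15T22:01:00", "mfa.push", "DENY", "203.0.113.7"),
    ev("alice", "2022-09-15T22:02:00", "mfa.push", "DENY", "203.0.113.7"),
    ev("alice", "2022-09-15T22:03:00", "mfa.push", "DENY", "203.0.113.7"),
    ev("alice", "2022-09-15T22:05:00", "mfa.push", "DENY", "203.0.113.7"),
    ev("alice", "2022-09-15T22:07:00", "mfa.push", "APPROVE", "203.0.113.7"),
    ev("alice", "2022-09-15T22:09:00", "mfa.factor.enroll", "SUCCESS", "198.51.100.9"),
    ev("bob", "2022-09-15T22:04:00", "mfa.push", "DENY", "192.0.2.10"),
    ev("bob", "2022-09-15T22:04:30", "mfa.push", "APPROVE", "192.0.2.10"),
]

def detect_push_fatigue(events, min_denies=3, window=timedelta(minutes=10)):
    """Alert when a user approves a push after >= min_denies denials within `window`.

    Returns (user, number_of_recent_denies, approve_time) tuples."""
    alerts, denies = [], defaultdict(list)          # user -> timestamps of denied pushes
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "mfa.push":
            continue
        if e["outcome"] == "DENY":
            denies[e["user"]].append(e["ts"])
        elif e["outcome"] == "APPROVE":
            recent = [t for t in denies[e["user"]] if e["ts"] - t <= window]
            if len(recent) >= min_denies:
                alerts.append((e["user"], len(recent), e["ts"].isoformat()))
            denies[e["user"]].clear()                # an approve ends the burst
    return alerts

def detect_factor_from_new_ip(events):
    """Alert on factor enrollment from a source IP with no prior activity for that user.

    Returns (user, ip, enroll_time) tuples."""
    alerts, seen = [], defaultdict(set)             # user -> IPs seen so far
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "mfa.factor.enroll" and e["ip"] not in seen[e["user"]]:
            alerts.append((e["user"], e["ip"], e["ts"].isoformat()))
        seen[e["user"]].add(e["ip"])
    return alerts

if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_EVENTS))
    print(detect_factor_from_new_ip(SAMPLE_EVENTS))
```

In production the same logic would key on the IdP’s real event names and would treat “new geolocation” as a lookup on the source IP rather than a raw IP comparison.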

Phase 3 – Make humans harder to deceive
  • Anti-phishing security UX: teach users that IT will never DM them asking for MFA approvals, and put that policy in writing and inside the login interface.

  • Number matching and device-bound MFA (as an interim improvement).

  • Helpdesk verification procedures: require two live controls (ticket plus callback to the directory number) before changing authentication factors.

What should leaders track? (non-vanity KPIs)

  • Share of employees on phishing-resistant MFA (target: 100% of administrators, 80%+ of all users).

  • Number of standing admin accounts (target: 0) and the average duration of privileged sessions.

  • Median time from suspicious MFA activity to account suspension (minutes, not days).

  • Percentage of critical apps behind Conditional Access and device trust.

  • Number of OAuth applications with org-wide consent (keep it minimal and reviewed).

Bonus: pressure-testing your environment (safe exercises)

  • Red-team the helpdesk: can a caller get a factor reset using only a name and employee ID?

  • Run an “MFA fatigue” micro-drill: simulate a flood of prompts and measure whether users know to deny and report (and how quickly SecOps notices).

  • Trace the SSO blast radius: pick a standard user, list every cloud and SaaS console reachable after login, and tighten policy if the reach is too wide.

The unsettling truth

Despite all the hype about AI-powered super-malware, the cheapest and fastest way into a major company is still stolen identity and social engineering. That is why a teenager, without sophisticated exploits, was able to get inside companies that spend millions of dollars on security.

The good news? This can be fixed with configuration, process and practice, not just budget.

Additional reading on the incidents and tactics

  • Uber’s 2022 breach: the role of MFA fatigue and WhatsApp social engineering, the attacker’s Slack message, and the extent of internal access. (UpGuard)

  • Lapsus$’s broader tradecraft: SIM swapping, insider recruitment and MFA fatigue against major vendors; official analysis. (Microsoft)

  • MITRE ATT&CK on Multi-Factor Authentication Request Generation (a.k.a. push bombing). (MITRE ATT&CK)

  • The Rockstar/GTA VI case: a teen hacked internal comms using a hotel TV and a streaming stick; legal outcomes. (The Guardian)
