Tuesday, September 20, 2022

Lapsus$ Targeted External Contractor With MFA Bombing Attack



Uber has attributed last week's massive breach at Uber to the notorious Lapsus$ hacking group and released further details on the attack. Researchers say the incident has highlighted the risks that can come from placing too much trust in multifactor authentication (MFA), as well as unmanaged risk around cloud-service adoption.

In an update on Monday, Uber laid out the attribution: "We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so." Uber's announcement pointed to other companies that had been targeted by the notorious gang via similar techniques, including Cisco, Microsoft, Nvidia, Okta, and Samsung.

Lapsus$ has attracted considerable attention in recent months for its brazen attacks on some of the world's largest and best-known companies. One well-known tactic that the group has been known to use is to co-opt MFA-circumventing tools into its attack chain.

And indeed, Uber on Monday said the attacker who breached its network last week had first obtained the VPN credentials of an external contractor, likely by purchasing them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the illegally obtained credentials, prompting a two-factor login approval request each time.

After the contractor initially blocked these requests, the attacker contacted the target on WhatsApp posing as tech support, telling the person to accept the MFA prompt, thus allowing the attacker to log in.

"The Uber breach appears to be a result of an MFA fatigue attack, also known as an MFA bombing attack," says Duncan Greenwood, CEO of Xage. "It's a technique in which hackers send multiple authentication approval requests to a secondary device like a mobile phone, in hopes that a user accidentally grants access, or grows so frustrated that they eventually approve a request."

Remediation Process Begins

Once in, the attacker breached several internal systems, and Uber is currently in the process of doing an impact assessment, the company said: "The attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack."

The company said the attacker does not appear to have made any changes to its codebase, nor does he appear to have access to any customer or user data stored by cloud providers. The attacker did appear to have downloaded some internal Slack messages and accessed or downloaded an internal tool that Uber's finance team uses to manage invoices. Though the attacker also accessed a database of vulnerability disclosures in its platform submitted via external researchers through the HackerOne bug-bounty program, all of the bugs have been remediated, Uber said.

Breach Exposes MFA's Weaknesses

Greenwood describes MFA fatigue attacks as being a very effective tactic for breaching target organizations. He says his company has observed attackers typically sending frequent MFA requests during the night or sending less frequent requests over several days.

"Either way, in traditional MFA architectures, all it takes is just one approved request for a hacker to access internal systems, from which they can further infiltrate the target organization," he says.
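An added example of how a defender could spot both patterns Greenwood describes (a night-time burst of push prompts, or a slow drip over several days) in MFA push-notification logs; it is not code from the article or from any company named in it, and the log lines, user names and thresholds are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA push log (not Uber's data): timestamp, user, result.
# contractor1 gets a burst of prompts at night, contractor2 a slow drip over days.
SAMPLE_LOG = """\
2022-09-15T02:03:11Z contractor1 DENIED
2022-09-15T02:04:40Z contractor1 DENIED
2022-09-15T02:06:02Z contractor1 DENIED
2022-09-15T02:31:05Z contractor1 APPROVED
2022-09-10T08:00:00Z contractor2 DENIED
2022-09-11T08:00:00Z contractor2 DENIED
2022-09-12T08:00:00Z contractor2 DENIED
2022-09-13T08:00:00Z contractor2 DENIED
2022-09-13T08:30:00Z contractor2 APPROVED
2022-09-15T10:00:00Z bob DENIED
2022-09-15T10:05:00Z bob APPROVED
"""

# Two patterns from the article: a burst of prompts in a short window, or a
# slow drip over several days. Value = (look-back window, minimum prior denials).
PROFILES = {"burst": (timedelta(hours=1), 3), "slow_drip": (timedelta(days=5), 4)}

def parse_log(text):
    """Return (timestamp, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def find_mfa_fatigue(events, profiles=PROFILES):
    """Flag every APPROVED push that follows a suspicious run of DENIED pushes."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    alerts = []
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "APPROVED":
                continue
            for name, (window, threshold) in profiles.items():
                denied = sum(1 for t, r in evs[:i] if r == "DENIED" and ts - t <= window)
                if denied >= threshold:
                    alerts.append({"user": user, "approved_at": ts.isoformat(),
                                   "profile": name, "prior_denials": denied})
                    break  # one alert per approval is enough
    return alerts
```

A single denial followed by an approval (bob, who perhaps mistyped on the first prompt) is deliberately not flagged; only approvals preceded by a run of denials are.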

Uber's security practices are sure to come under scrutiny because of the breach. But the reality is that the company was the victim of practices that are common to many organizations, researchers note.

Patrick Tiquet, vice president of security and architecture at Keeper Security, says the Uber attack highlights a fundamental misconception around MFA's strength as a way to secure access.

"Although MFA adds a critical second layer of security to your accounts, the biggest misconception about MFA is that all forms are equally secure," he says.

One example of how MFA can fail is SIM card porting, aka SIM-swapping, Tiquet notes. This is where attackers port a mobile number to a SIM card or device that they control to receive SMS messages or phone calls for the target number.

"Use of SMS text messages as MFA should be discouraged and never used as MFA for high-value assets," Tiquet says. "Using an authenticator app, security key, or biometrics are stronger and more effective methods to protect your accounts."

Security researcher Bill Demirkapi explains that another very common misconception is that standard forms of MFA, such as push, touch, and mobile, protect against social engineering. The reality is that MFA remains vulnerable to man-in-the-middle (MitM) attacks, he says.

He notes that best practices include using phishing- and MitM-resistant forms of MFA rather than time-based one-time passwords (TOTP), not centralizing access keys, and rotating keys regularly. On the latter point, organizations also often don't restrict access keys to the minimum privileges required for the key's intended purpose.

"Uber may not have followed best practices, but many other companies don't either," he says. "The main point I'd like to drive home is the importance of not only investing into security for your organization, but specifically investing into these best practices as well."

It should be noted that the Uber breach isn't the only high-profile hit in the past few days; the same Lapsus$ hacker who claimed responsibility in that incident (or at least someone using the same "Teapot" alias that the Uber hacker used) now appears to have also breached Take-Two Interactive's Rockstar Games, posting videos of an early development copy of the Grand Theft Auto 6 video game. In a message, the company acknowledged the breach and said it was "extremely disappointed" to have details of the game leaked in advance of its release.

Cloud Service Adoption Increases Risk

MFA isn't the only weak link for many companies. At a higher level, breaches like the one at Uber show the impact that rapid cloud services adoption and distributed work models are having on enterprise security strategies, says Russell Spitler, co-founder and CEO of Nudge Security.

The move to a more distributed model has increased enterprise reliance on asynchronous communications tools such as Slack and WhatsApp in business-critical environments, he says. The rapid adoption of SaaS has created an unmanaged risk in the form of complex integrations between poorly managed services.

"The recent breach at Uber points to the fact that security orgs are outpaced by the sprawling complexity of modern, distributed IT environments and sprawling digital supply chains," Spitler notes. "This complexity creates opportunities for even the most novice of threat actors to gain access using compromised credentials and [finding] their way to critical assets."


