Tuesday, September 20, 2022

Uber Blames LAPSUS$ Hacking Group for Recent Security Breach


Uber on Monday disclosed more details related to the security incident that occurred last week, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group.

"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.

The financially motivated extortionist gang was dealt a huge blow in March 2022 when the City of London Police moved to arrest seven suspected LAPSUS$ gang members aged between 16 and 21. Weeks later, two of them were charged for their actions.

The hacker behind the Uber breach, an 18-year-old who goes by the moniker Tea Pot, has also claimed responsibility for breaking into video game maker Rockstar Games over the weekend.


Uber said it is working with "several leading digital forensics firms" as the company's investigation into the incident continues, in addition to coordinating with the U.S. Federal Bureau of Investigation (FBI) and the Justice Department on the matter.

As for how the attack unfolded, the ridesharing firm said an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, corroborating an earlier report from Group-IB.

The Singapore-headquartered company noted the previous week that at least two of Uber's employees located in Brazil and Indonesia had been infected with the Raccoon and Vidar information stealers.

"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."

Upon gaining a foothold, the intruder is said to have accessed other employee accounts, thereby equipping the malicious party with elevated permissions to "several internal systems" such as Google Workspace and Slack.

The company further said it took a number of steps as part of its incident response, including disabling impacted tools, rotating keys to the services, locking down the codebase, and blocking compromised employee accounts from accessing Uber systems or, alternatively, issuing a password reset for those accounts.

Uber did not disclose how many employee accounts were potentially compromised, but it reiterated that no unauthorized code changes were made and that there was no evidence the hacker had access to the production systems that support its customer-facing apps.

That said, the alleged teen hacker is said to have downloaded an unspecified number of internal Slack messages and data from an in-house tool used by its finance team to manage certain invoices.

Uber also confirmed that the attacker accessed HackerOne bug reports, but noted that "any bug reports the attacker was able to access have been remediated."

"There is only one solution to making push-based [multi-factor authentication] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect these attacks, and how to mitigate and report them if they occur," Roger Grimes, data-driven defense evangelist at KnowBe4, said in a statement.

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said it is important for organizations to realize that MFA is not a "silver bullet" and that not all factors are created equal.


While there has been a shift from SMS-based authentication to an app-based approach to mitigate the risks associated with SIM swapping attacks, the attacks against Uber and Cisco highlight that security controls once considered infallible are being bypassed by other means.

The fact that threat actors are relying on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorizing an access request signals the need to adopt phishing-resistant methods.

"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.

"The reality is that if an attacker only needs to compromise a single user to cause significant damage, eventually you're going to have significant damage," Clements added, underscoring that strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."
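The login pattern Uber describes above, repeated push prompts that are denied or ignored until one is finally accepted, is detectable from an identity provider's MFA event log. The following is an added example, not Uber's or any vendor's code, that runs a simple MFA-fatigue detector over a constructed sample of push events (timestamps, user names and the event format are all assumed for illustration):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Uber data): "<timestamp> <user> <push result>".
# contractor01 shows the prompt-bombing pattern: four unanswered/denied prompts,
# then an approval within a few minutes. bob is a normal single mis-tap.
SAMPLE_EVENTS = """\
2022-09-15T02:01:10Z contractor01 push_denied
2022-09-15T02:01:40Z contractor01 push_timeout
2022-09-15T02:02:15Z contractor01 push_denied
2022-09-15T02:02:50Z contractor01 push_timeout
2022-09-15T02:03:30Z contractor01 push_approved
2022-09-15T09:00:00Z alice push_approved
2022-09-15T09:30:00Z bob push_denied
2022-09-15T09:31:00Z bob push_approved
"""

REJECTED = {"push_denied", "push_timeout"}


def parse_events(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_mfa_fatigue(events, min_rejections=3, window=timedelta(minutes=10)):
    """Return {user: rejected_prompt_count} for every push approval that was
    preceded by at least `min_rejections` denied or timed-out prompts for the
    same user inside `window`. Threshold and window are tunable assumptions."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        for i, (ts, result) in enumerate(evs):
            if result != "push_approved":
                continue
            recent_rejections = [t for t, r in evs[:i]
                                 if r in REJECTED and ts - t <= window]
            if len(recent_rejections) >= min_rejections:
                hits[user] = len(recent_rejections)
    return hits


if __name__ == "__main__":
    print(find_mfa_fatigue(parse_events(SAMPLE_EVENTS)))  # {'contractor01': 4}
```

A hit is a signal to revoke the resulting session and contact the user out of band; pairing the check with number matching, as Clements recommends, removes the blind-approval path the detector is watching for.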
