Uber on Monday disclosed additional details related to the security incident that occurred last week, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group.
"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.
The financially motivated extortionist gang was dealt a huge blow in March 2022 when the City of London Police moved to arrest seven suspected LAPSUS$ gang members aged between 16 and 21. Weeks later, two of them were charged for their actions.
The hacker behind the Uber breach, an 18-year-old teenager who goes by the moniker Tea Pot, has also claimed responsibility for breaking into video game maker Rockstar Games over the weekend.
Uber said it is working with "several leading digital forensics firms" as the company's investigation into the incident continues, in addition to coordinating with the U.S. Federal Bureau of Investigation (FBI) and the Justice Department on the matter.
As for how the attack unfolded, the ridesharing firm said an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, corroborating an earlier report from Group-IB.
The Singapore-headquartered company, the previous week, noted that at least two of Uber's employees located in Brazil and Indonesia had been infected with Raccoon and Vidar information stealers.
"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."
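The login pattern Uber describes here (a burst of push prompts, several rejections or timeouts, then a single approval) is exactly what a detection rule for push fatigue looks for in identity-provider logs. The following is an added example and not Uber's or any vendor's code: it runs a sliding-window detector over constructed JSON log lines. The field names (`ts`, `user`, `event`, `src_ip`) and the event names are assumptions standing in for whatever a real identity provider emits.

```python
"""Detect push-MFA fatigue (prompt bombing) in identity-provider logs.

Added example with a constructed log format; the field and event names are
assumptions, not Uber's or any identity provider's real schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (JSON, one event per line). The first user
# receives four prompts in three minutes, rejects or ignores three, then
# approves the fourth; the second user is a normal single-prompt login.
SAMPLE_LOG = """\
{"ts": "2022-09-15T02:10:05Z", "user": "contractor1", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:10:21Z", "user": "contractor1", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:11:02Z", "user": "contractor1", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:11:40Z", "user": "contractor1", "event": "mfa_push_timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:12:11Z", "user": "contractor1", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:12:30Z", "user": "contractor1", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:13:05Z", "user": "contractor1", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:13:15Z", "user": "contractor1", "event": "mfa_push_approved", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T09:00:00Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T09:00:12Z", "user": "alice", "event": "mfa_push_approved", "src_ip": "198.51.100.4"}
"""

PUSH_THRESHOLD = 3            # prompts per user inside the window before alerting
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert per user whose pushes inside a sliding window reach the threshold.

    Each alert carries the number of prompts in the burst, how many were
    denied or timed out, and whether an approval followed the burst, which is
    the case an analyst should treat as a probable successful fatigue attack.
    """
    recent = defaultdict(deque)     # user -> timestamps of pushes inside the window
    rejections = defaultdict(int)   # user -> denied + timed-out prompts so far
    alerts = {}
    for rec in events:
        user, ev, ts = rec["user"], rec["event"], rec["ts"]
        if ev == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:   # drop pushes older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"user": user, "first_push": q[0],
                                             "src_ip": rec["src_ip"],
                                             "approved_after_burst": False})
                a["pushes"] = len(q)
                a["rejections"] = rejections[user]
        elif ev in ("mfa_push_denied", "mfa_push_timeout"):
            rejections[user] += 1
            if user in alerts:
                alerts[user]["rejections"] = rejections[user]
        elif ev == "mfa_push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this yields a single alert for `contractor1` (four pushes, three rejections, approval after the burst) and nothing for the normal login. In production the same rule is usually paired with a control on the identity provider itself, such as a cap on outstanding push prompts per user, so that the burst is throttled as well as detected.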
Upon gaining a foothold, the miscreant is said to have accessed other employee accounts, thereby equipping the malicious party with elevated permissions to "several internal systems" such as Google Workspace and Slack.
The company further said it took a number of steps as part of its incident response measures, including disabling impacted tools, rotating keys to the services, locking down the codebase, and also blocking compromised employee accounts from accessing Uber systems or alternatively issuing a password reset for those accounts.
Uber did not disclose how many employee accounts were potentially compromised, but it reiterated that no unauthorized code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps.
That said, the alleged teen hacker is said to have downloaded some unspecified number of internal Slack messages and information from an in-house tool used by its finance team to manage certain invoices.
Uber also confirmed that the attacker accessed HackerOne bug reports, but noted that "any bug reports the attacker was able to access have been remediated."
"There is only one solution to making push-based [multi-factor authentication] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect these attacks, and how to mitigate and report them if they happen," Roger Grimes, data-driven defense evangelist at KnowBe4, said in a statement.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said it is important for organizations to realize that MFA is not a "silver bullet" and that not all factors are created equal.
While there has been a shift from SMS-based authentication to an app-based approach to mitigate risks associated with SIM swapping attacks, the attacks against Uber and Cisco highlight that security controls once considered infallible are being bypassed by other means.
The fact that threat actors are banking on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorizing an access request signals the need to adopt phishing-resistant methods.
"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.
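Number matching, as Clements recommends, removes the single-tap approval that the Uber attacker relied on: the login screen shows a short code, and the authenticator app only completes the login if the user types that same code back, so someone approving a prompt they did not initiate has nothing to enter. The simulation below is an added illustration, not Uber's, Cerberus Sentinel's or any vendor's code; it models the server side of a push challenge in both modes. The `PushMfaServer` class, its method names and the two-digit code are assumptions chosen for the example.

```python
"""Push MFA with and without number matching (added example, constructed API).

The server issues a push challenge per login attempt. In number-matching mode
the login screen displays a two-digit code and the authenticator must send the
same code back; a blind 'approve' with no code is rejected.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class PushChallenge:
    challenge_id: str
    user: str
    number: Optional[int]   # shown on the login screen; None in plain-push mode
    resolved: bool = False  # each challenge may be answered only once
    approved: bool = False


class PushMfaServer:
    """Hypothetical server-side model of a push-MFA flow (assumption, not a real product API)."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.challenges = {}

    def start_login(self, user):
        """Create a challenge; the returned number is what the login page displays."""
        number = secrets.randbelow(100) if self.number_matching else None
        ch = PushChallenge(secrets.token_hex(8), user, number)
        self.challenges[ch.challenge_id] = ch
        return ch.challenge_id, number

    def approve(self, challenge_id, entered_number=None):
        """Called from the authenticator app. Returns True only if the login is now approved."""
        ch = self.challenges[challenge_id]
        if ch.resolved:            # replayed or duplicate answer
            return False
        ch.resolved = True
        if self.number_matching:
            # Constant-time comparison of the string forms; a missing or wrong
            # number leaves the challenge resolved but not approved.
            if entered_number is None or not hmac.compare_digest(
                    str(entered_number), str(ch.number)):
                return False
        ch.approved = True
        return True

    def deny(self, challenge_id):
        ch = self.challenges[challenge_id]
        ch.resolved = True
        ch.approved = False


def simulate_blind_approval(number_matching):
    """The user taps 'approve' on a prompt someone else started, without the login-screen code.

    Returns whether that foreign login attempt succeeds.
    """
    server = PushMfaServer(number_matching)
    cid, _shown_to_initiator = server.start_login("contractor1")
    # The code is on the initiator's screen, not the user's, so the app sends none.
    # A guessed code would succeed 1 time in 100 per prompt (two-digit code assumption).
    return server.approve(cid, entered_number=None)


def simulate_legitimate_login(number_matching):
    """The user started the login and can read the code from their own screen."""
    server = PushMfaServer(number_matching)
    cid, shown = server.start_login("alice")
    return server.approve(cid, entered_number=shown)


def simulate_replay(number_matching):
    """A second answer to an already-resolved challenge must not flip it to approved."""
    server = PushMfaServer(number_matching)
    cid, shown = server.start_login("alice")
    server.deny(cid)
    return server.approve(cid, entered_number=shown)
```

Plain push approves the blind tap; number matching rejects it while still letting the legitimate login through, and a denied challenge cannot later be approved. Number matching does not defeat AiTM proxies, which relay the real login page and its code to the victim, so it complements rather than replaces phishing-resistant factors such as FIDO2 keys.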
"The reality is that if an attacker only needs to compromise a single user to cause significant damage, eventually you're going to have significant damage," Clements added, underscoring that strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."