Uber blames hacker group LAPSUS$ for recent security breach


Uber on Monday revealed more details related to the security incident that occurred last week, attributing the attack to a threat actor it believes to be affiliated with the notorious hacking group LAPSUS$.

“This group typically uses similar techniques to attack technology companies, and in 2022 alone it has breached Microsoft, Cisco, Samsung, NVIDIA and Okta, among others,” the San Francisco-based company said in an update.

The financially motivated extortion ring was dealt a serious blow in March 2022 when City of London Police moved to arrest seven suspected LAPSUS$ gang members aged between 16 and 21. Weeks later, two of them were charged for their actions.

The hacker behind the Uber breach, an 18-year-old who goes by the name Tea Pot, also claimed responsibility for breaking into video game maker Rockstar Games over the weekend.


Uber said it is working with “several leading digital forensics firms” as the company’s investigation into the incident continues, as well as coordinating with the US Federal Bureau of Investigation (FBI) and the Department of Justice on the matter.

As for how the attack unfolded, the ride-sharing company said an “EXT contractor” had his personal device compromised with malware and his corporate account credentials stolen and sold on the dark web, corroborating an earlier report from Group-IB.

The Singapore-based company the week before said that at least two of Uber’s employees located in Brazil and Indonesia were infected with the Raccoon and Vidar data stealers.

“The attacker repeatedly tried to log into the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”

After gaining that initial foothold, the attacker is said to have accessed the accounts of other employees, which granted elevated permissions to “several internal systems” such as Google Workspace and Slack.

The company further said that it took a number of steps as part of its incident response, including disabling affected tools, rotating service keys, locking down the code base, and blocking the compromised employee accounts from accessing Uber systems or, alternatively, issuing a password reset for those accounts.

Uber did not disclose how many employee accounts were potentially compromised, but reiterated that no unauthorized code changes were made and there was no evidence the hacker had access to production systems that support its customer-facing applications.

That said, the alleged teen hacker is said to have downloaded an unspecified number of internal Slack messages and information from an internal tool used by the finance team to manage certain invoices.

Uber also confirmed that the attacker accessed HackerOne’s bug reports, but noted that “any bug reports the attacker was able to access have been remediated.”

“There is only one solution to making push-based [multi-factor authentication] more resilient and that is training your employees, who use push-based MFA, on the common types of attacks against it, how to spot those attacks, and how to mitigate and report them if they happen,” Roger Grimes, data-driven defense evangelist at KnowBe4, said in a statement.

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said it’s crucial for organizations to realize that MFA is not a silver bullet and that not all factors are created equal.


While there has been a shift from SMS-based authentication to app-based approaches to mitigate the risks associated with SIM swap attacks, the attacks on Uber and Cisco highlight that security controls once considered foolproof are being circumvented by other means.

The fact that threat actors rely on attack routes like adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (also known as prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or approving an access request signals the need to adopt phishing-resistant methods.
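The MFA fatigue pattern described above (a burst of push prompts that the user denies or ignores, followed by one approval) is something an identity provider's logs can surface. The following is an added illustration, not Uber's tooling or any vendor's API; the log format, thresholds and user names are constructed for the example.

```python
"""Flag MFA-fatigue candidates: users who received a burst of push prompts
inside a short window and then approved one. Added example with a
constructed log format; thresholds are assumptions to tune per environment."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event>", where event is one of
# push_sent, push_denied, push_timeout, push_approved.
SAMPLE_LOG = """\
2022-09-15T02:10:01Z contractor1 push_sent
2022-09-15T02:10:31Z contractor1 push_timeout
2022-09-15T02:10:40Z contractor1 push_sent
2022-09-15T02:10:55Z contractor1 push_denied
2022-09-15T02:11:02Z contractor1 push_sent
2022-09-15T02:11:20Z contractor1 push_denied
2022-09-15T02:11:30Z contractor1 push_sent
2022-09-15T02:11:45Z contractor1 push_approved
2022-09-15T09:00:00Z alice push_sent
2022-09-15T09:00:05Z alice push_approved
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Return {user: prompt_count} for every user who approved a push after
    receiving at least `min_prompts` prompts within the preceding `window`.
    A single prompt followed by an approval (normal login) is not flagged."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    flagged = {}
    for user, evs in by_user.items():
        sent = [ts for ts, e in evs if e == "push_sent"]
        for ts, e in evs:
            if e != "push_approved":
                continue
            recent = [s for s in sent if ts - window <= s <= ts]
            if len(recent) >= min_prompts:
                flagged[user] = len(recent)
    return flagged
```

Such a hit is a trigger to revoke the resulting session and contact the user out of band, not proof of compromise on its own.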

“To prevent similar attacks, organizations should move to more secure versions of MFA approval, such as number matching, that minimize the risk of a user blindly approving an authentication verification message,” Clements said.

“The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later they will have significant damage,” Clements added, stressing that strong authentication mechanisms “should be one of many defensive controls in depth” to avoid compromise.
