
Uber on Monday revealed more details related to the security incident that occurred last week, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group.
“This group typically uses similar techniques to target technology companies, and in 2022 alone breached Microsoft, Cisco, Samsung, NVIDIA and Okta, among others,” the San Francisco-based company said in an update.
The financially motivated extortion gang was dealt a major blow in March 2022 when the City of London Police moved to arrest seven people aged between 16 and 21 for their alleged links to the group. Two of the juvenile defendants have been charged with fraud.
The hacker behind the Uber breach, an 18-year-old who goes by the name Tea Pot, has also claimed responsibility for breaking into video game maker Rockstar Games over the weekend.
Uber said it is working with “several leading digital investigative firms” as the company’s investigation into the incident continues, as well as coordinating the case with the US Federal Bureau of Investigation (FBI) and the Department of Justice.
As for how the attack unfolded, the ride-sharing firm said an “EXT contractor” had their personal device compromised with malware and their business account credentials stolen and sold on the dark web, confirming an earlier report by Group-IB.
The Singapore-headquartered company last week noted that at least two of Uber’s employees located in Brazil and Indonesia were infected with the Raccoon and Vidar information stealers.
“The attacker then repeatedly attempted to log into the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login authorization request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker logged in.”
After gaining a foothold, the crook is said to have gained access to other employees’ accounts, equipping the malicious party with elevated permissions to “multiple internal systems” such as Google Workspace and Slack.
The company further said it took a number of steps as part of its incident response, including disabling affected tools, rotating keys to the services, locking down the code base, and blocking compromised employee accounts from accessing Uber systems or, alternatively, forcing password resets for those accounts.
Uber did not disclose how many employee accounts were potentially compromised, but it reiterated that no unauthorized code changes were made and that there was no evidence that the hacker had access to production systems that support the customer-facing apps.
That said, the alleged teenage hacker is said to have downloaded an unspecified number of internal Slack messages and information from an internal tool used by the finance team to manage certain invoices.
Uber also confirmed that the attacker accessed HackerOne bug reports, but noted that “every bug report the attacker accessed has been patched.”
“There is only one solution to make push-based [multi-factor authentication] more resilient, and that’s training your employees, who use push-based MFA, on the common types of attacks against it, how to spot those attacks, and how to mitigate and report them if they occur,” Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, said in a statement.
Chris Clements, vice president of solution architecture at Cerberus Sentinel, said it’s critical for organizations to realize that MFA is not a “silver bullet” and that not all factors are created equal.
While there has been a shift from SMS-based authentication to an app-based approach to reduce risks associated with SIM-swapping attacks, the hacking of Uber and Cisco highlights that security controls once considered foolproof are being circumvented in other ways.
The fact that threat actors are banking on avenues of attack such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting user into inadvertently handing over One-Time Passcode (OTP) or authorizing an access request signals the need to adopt phishing-resistant methods.
“To prevent similar attacks, organizations should move to more secure versions of MFA authentication such as number matching that minimize the risk of a user blindly approving an authentication verification,” Clements said.
“The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you’re going to suffer significant damage,” Clements added, stressing strong authentication mechanisms “should be one of many defensive controls in depth to prevent compromise.”
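The MFA fatigue pattern described above, a burst of rejected or ignored push prompts followed by one approval, is visible in authentication logs. The following detection is an added example, not code from Uber, KnowBe4 or Cerberus Sentinel; the log format, the sample events and the three-rejection threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (not from any real log source).
# Each line: ISO-8601 timestamp, user, result (DENIED, TIMEOUT or APPROVED).
SAMPLE_EVENTS = """\
2022-09-15T01:02:10Z contractor-a DENIED
2022-09-15T01:02:45Z contractor-a DENIED
2022-09-15T01:03:20Z contractor-a TIMEOUT
2022-09-15T01:04:05Z contractor-a DENIED
2022-09-15T01:04:50Z contractor-a APPROVED
2022-09-15T08:15:00Z employee-b DENIED
2022-09-15T08:16:30Z employee-b APPROVED
""".splitlines()


def parse_event(line):
    """Split one log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_prompt_bombing(lines, min_rejections=3, window=timedelta(minutes=10)):
    """Return {user: rejection_count} for each approval that was preceded by at
    least `min_rejections` denied or timed-out prompts inside `window`.

    A legitimate user who mistypes once and then approves is below the
    threshold; a user worn down by a stream of unsolicited pushes is not.
    """
    rejected = defaultdict(list)  # user -> timestamps of rejected prompts
    alerts = {}
    for ts, user, result in sorted(parse_event(line) for line in lines):
        if result in ("DENIED", "TIMEOUT"):
            rejected[user].append(ts)
        elif result == "APPROVED":
            # Only rejections within the look-back window count toward the alert.
            in_window = [t for t in rejected[user] if ts - t <= window]
            if len(in_window) >= min_rejections:
                alerts[user] = len(in_window)
            rejected[user].clear()  # each approval closes the episode
    return alerts


if __name__ == "__main__":
    for user, count in detect_prompt_bombing(SAMPLE_EVENTS).items():
        print(f"possible MFA fatigue: {user} approved after {count} rejected prompts")
```

Feeding the same logic a push-approval that followed a number-matching challenge would require the user to have entered the displayed code, which is why the quoted recommendation removes the blind-approve path this detection is looking for.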