On Monday, Uber revealed new details about last week's security incident, attributing the attack to a threat actor it believes is linked with the notorious LAPSUS$ hacking group.
“This organization often employs similar approaches to target technological businesses and has compromised Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others, in 2022 alone,” the San Francisco-based company stated in an update.
The financially driven extortionist gang was struck a major blow in March 2022 when the City of London Police arrested seven people aged 16 to 21 for apparent ties to the group. Two of the minor offenders are charged with fraud.
The hacker responsible for the Uber breach, an 18-year-old known as Tea Pot, has also claimed responsibility for breaking into video game publisher Rockstar Games over the weekend.
🚘 Uber is back in the news. Acronis' Kevin Reed commented that after the attacker bypassed the 2FA with push bombing, it was likely they could "access whatever data Uber had."
— Acronis (@Acronis) September 19, 2022
As the company’s investigation into the issue continues, Uber said it is engaging with “many prominent digital forensics organizations,” in addition to consulting with the US Federal Bureau of Investigation (FBI) and the Justice Department.
In terms of how the attack occurred, the ridesharing company stated that an “EXT contractor” had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, consistent with an earlier Group-IB finding.
The previous week, the Singapore-based firm reported that at least two of Uber’s employees in Brazil and Indonesia had been infected with the Raccoon and Vidar information-stealing malware.
“The attacker then attempted to log in to the contractor’s Uber account many times,” the firm stated. “The contractor received a two-factor login permission request each time, which originally restricted access. However, the contractor eventually accepted one, and the attacker successfully logged in.”
After getting access, the miscreant is believed to have accessed other employee accounts, giving the malicious party access to “many internal services” such as Google Workspace and Slack.
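The sequence Uber describes, repeated push prompts that are denied or time out until one is finally accepted, leaves a recognizable trace in identity-provider logs. The following is an added example of detection logic for that pattern; it is not Uber's tooling or any vendor's product. The log format, field names, user names, IP addresses, ten-minute window and five-prompt threshold are all constructed assumptions for illustration, and real IdP exports use different event names.

```python
"""Flag MFA push-bombing (prompt fatigue) in authentication logs.

Added example; the log format below is constructed for illustration.
Pattern of interest: many push prompts for one user in a short window,
mostly denied or expired, followed by an approval.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumption: tune per environment
PROMPT_THRESHOLD = 5             # prompts in the window before an approval is suspicious

# Constructed sample log: "<timestamp> <user> <action> <source_ip>"
SAMPLE_LOG = """\
2022-09-15T23:01:02Z alice@example.com push_sent 203.0.113.7
2022-09-15T23:01:40Z alice@example.com push_timeout 203.0.113.7
2022-09-15T23:02:01Z alice@example.com push_sent 203.0.113.7
2022-09-15T23:02:10Z alice@example.com push_denied 203.0.113.7
2022-09-15T23:03:05Z alice@example.com push_sent 203.0.113.7
2022-09-15T23:03:44Z alice@example.com push_timeout 203.0.113.7
2022-09-15T23:04:12Z alice@example.com push_sent 203.0.113.7
2022-09-15T23:04:20Z alice@example.com push_denied 203.0.113.7
2022-09-15T23:05:30Z alice@example.com push_sent 203.0.113.7
2022-09-15T23:06:09Z alice@example.com push_timeout 203.0.113.7
2022-09-15T23:07:15Z alice@example.com push_sent 203.0.113.7
2022-09-15T23:07:28Z alice@example.com push_approved 203.0.113.7
2022-09-15T23:09:00Z bob@example.com push_sent 198.51.100.20
2022-09-15T23:09:06Z bob@example.com push_approved 198.51.100.20
"""


@dataclass
class Event:
    ts: datetime
    user: str
    action: str   # push_sent | push_denied | push_timeout | push_approved
    ip: str


def parse_line(line: str) -> Event:
    ts, user, action, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(when, user, action, ip)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_push_bombing(events: list, window=WINDOW, threshold=PROMPT_THRESHOLD) -> list:
    """Return one alert per approval that was preceded, within `window`, by at
    least `threshold` push prompts for the same user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.action != "push_approved":
                continue
            recent = [x for x in evs[:i] if x.ts >= e.ts - window]
            prompts = [x for x in recent if x.action == "push_sent"]
            rejections = [x for x in recent if x.action in ("push_denied", "push_timeout")]
            if len(prompts) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": e.ts.isoformat(),
                    "prompts_in_window": len(prompts),
                    "rejections_in_window": len(rejections),
                    "source_ips": sorted({x.ip for x in prompts}),
                })
    return alerts


def run_sample() -> list:
    """Run the detector over the constructed sample log."""
    return detect_push_bombing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The approval event is the anchor because that is the moment access is actually granted; the count of earlier prompts and rejections in the window is what separates a tired user who finally tapped "approve" from a normal single-prompt login such as bob's. In production the source IPs behind the prompts would be compared against the user's usual locations as a second signal.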
The business also stated that as part of its incident response efforts, it disabled impacted tools, rotated keys to the services, locked down the codebase, and blocked compromised employee accounts from accessing Uber systems or issued password resets for those accounts.
Uber did not say how many staff accounts were possibly accessed, but it emphasized that no unauthorized code modifications were made and that there was no evidence the hacker had access to the production systems that underpin its customer-facing apps.
However, the suspected juvenile hacker is reported to have obtained an unspecified amount of internal Slack communications and data from an in-house program used by the finance team to monitor specific invoices.
Uber also stated that the attacker had access to HackerOne bug reports, but added that “any bug reports the attacker was able to read have been remediated.”
“There is only one solution to making push-based [multi-factor authentication] more resilient, and that is to train your employees who use it about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur,” said Roger Grimes, data-driven defense evangelist at KnowBe4.
According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel, enterprises must recognize that MFA is not a “silver bullet” and that not all criteria are created equal.
"The Slack post also listed a number of Uber databases and cloud services that the hacker claimed to have breached. The message reportedly concluded with the sign-off, “uberunderpaisdrives.”" https://t.co/bu7KldJqG1 via @lilyhnewman
— Lauren Goode (@LaurenGoode) September 19, 2022
While there has been a move from SMS-based authentication to an app-based strategy to lessen the risks associated with SIM swapping attacks, the hacking of Uber and Cisco shows that security safeguards that were once thought to be infallible are being circumvented by different means.
The fact that threat actors are relying on attack paths like adversary-in-the-middle (AitM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting user into inadvertently handing over a One-Time Passcode (OTP) or authorizing an access request underscores the need for phishing-resistant methods.
“To prevent such attacks,” Clements said, “organizations should transition to more secure versions of MFA approval, such as number matching, which reduces the danger of a user mindlessly granting an authentication verification prompt.”
“The reality is that if an attacker only needs to compromise a single user to cause significant damage, you’re going to have significant damage sooner or later,” Clements added, emphasizing that strong authentication mechanisms “should be one of many in-depth defensive controls to prevent compromise.”
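To make Clements' point about number matching concrete, here is an added toy model of a push-MFA verifier with and without it, plus a prompt cap as a second brake on prompt bombing. It is an illustration written for this article, not Uber's or any MFA vendor's implementation; the class, the two-digit code range, the prompt cap of five and the user names are all assumptions. The scenarios follow the flow the article describes: a login from a machine the user does not control triggers pushes to the user's phone, the user denies a few, then taps approve without looking at any login screen.

```python
"""Push MFA with and without number matching (added example; toy model).

With plain approve/deny, one careless tap grants access. With number
matching, the approval must carry the number shown only on the login screen
that triggered it, which the phone-only user never sees.
"""
import secrets

VICTIM = "victim@example.com"   # constructed user name


class PushMfaServer:
    """Minimal push-MFA verifier; assumptions: 2-digit codes, prompt cap."""

    def __init__(self, number_matching: bool, max_prompts: int = 5):
        self.number_matching = number_matching
        self.max_prompts = max_prompts      # assumption: lock after this many prompts
        self.pending = {}                   # prompt_id -> (user, number)
        self.prompts_issued = {}            # user -> prompts since last admin reset
        self.locked = set()

    def start_login(self, user: str):
        """Called after the password check. Returns (prompt_id, number), where
        `number` is what the login screen shows (None for plain push)."""
        if user in self.locked:
            raise PermissionError(f"{user} locked: too many MFA prompts")
        issued = self.prompts_issued.get(user, 0) + 1
        self.prompts_issued[user] = issued
        if issued > self.max_prompts:
            self.locked.add(user)           # defender-side brake on prompt bombing
            raise PermissionError(f"{user} locked: too many MFA prompts")
        prompt_id = secrets.token_hex(8)
        number = secrets.randbelow(100) if self.number_matching else None
        self.pending[prompt_id] = (user, number)
        return prompt_id, number

    def deny(self, prompt_id: str) -> None:
        self.pending.pop(prompt_id)

    def approve(self, prompt_id: str, entered_number=None) -> bool:
        """Phone-side approval. With number matching, the number typed on the
        phone must equal the one displayed on the login screen."""
        _user, number = self.pending.pop(prompt_id)
        if self.number_matching:
            return entered_number == number
        return True


def fatigue_scenario(number_matching: bool, tap_on_prompt: int = 3) -> bool:
    """User denies the first prompts, then taps approve on prompt `tap_on_prompt`
    without any login screen in front of them. Returns whether access was granted."""
    server = PushMfaServer(number_matching=number_matching, max_prompts=10)
    for n in range(1, tap_on_prompt + 1):
        prompt_id, number_on_login_screen = server.start_login(VICTIM)
        if n < tap_on_prompt:
            server.deny(prompt_id)
        else:
            # The user never sees `number_on_login_screen`; a bare tap supplies
            # no number, which is what entered_number=None models.
            return server.approve(prompt_id, entered_number=None)
    return False


def legitimate_login() -> bool:
    """Same user on their own device: they read the number from the screen."""
    server = PushMfaServer(number_matching=True)
    prompt_id, number_on_login_screen = server.start_login(VICTIM)
    return server.approve(prompt_id, entered_number=number_on_login_screen)


def lockout_scenario(max_prompts: int = 5) -> int:
    """How many prompts go out before the server refuses to issue more."""
    server = PushMfaServer(number_matching=False, max_prompts=max_prompts)
    sent = 0
    try:
        while True:
            prompt_id, _ = server.start_login(VICTIM)
            server.deny(prompt_id)
            sent += 1
    except PermissionError:
        return sent


if __name__ == "__main__":
    print("plain push, tired user taps approve:", fatigue_scenario(False))
    print("number matching, tired user taps approve:", fatigue_scenario(True))
    print("number matching, legitimate login:", legitimate_login())
    print("prompts issued before lockout:", lockout_scenario())
```

The model makes the asymmetry visible: the phone prompt alone carries no information about which login it belongs to, so plain push turns a single tap into a full authentication, whereas number matching forces the approver to possess something only the initiating screen shows. The prompt cap is independent of the factor type and would have cut the described sequence short regardless.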