Uber on Monday disclosed more details related to the security incident that happened last week, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group.
"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.
The financially motivated extortionist gang was dealt a huge blow in March 2022 when the City of London Police moved to arrest seven suspected LAPSUS$ gang members aged between 16 and 21. Weeks later, two of them were charged for their actions.
The hacker behind the Uber breach, an 18-year-old teenager who goes by the moniker Tea Pot, has also claimed responsibility for breaking into video game maker Rockstar Games over the weekend.
Uber said it is working with "several leading digital forensics firms" as the company's investigation into the incident continues, in addition to coordinating with the U.S. Federal Bureau of Investigation (FBI) and the Justice Department on the matter.
As for how the attack unfolded, the ridesharing firm said an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, corroborating an earlier report from Group-IB.
The Singapore-headquartered company noted last week that at least two of Uber's employees located in Brazil and Indonesia were infected with the Raccoon and Vidar information stealers.
"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."
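The login pattern Uber describes, a run of push prompts that are denied or left to expire and then one that is approved, is visible in authentication logs and can be alerted on. The following detection logic is an added example written for this article; it is not Uber's code or any vendor's product. It assumes a simple JSON-lines log format (constructed here) with one record per push prompt carrying the user, timestamp, source IP and outcome, and it flags any approval that follows a burst of unanswered or denied prompts for the same account within a short window.

```python
"""Detect MFA push-fatigue ("prompt bombing") patterns in authentication logs.

Added example, not from the Uber disclosure or any vendor tool. The log
format and field names are assumptions of this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for illustration (not real Uber data).
# One record per push prompt: timestamp, account, source of the login
# attempt, and how the prompt was answered.
SAMPLE_LOG = """\
{"ts": "2022-09-15T01:02:10Z", "user": "contractor1", "src_ip": "203.0.113.7", "result": "timeout"}
{"ts": "2022-09-15T01:03:05Z", "user": "contractor1", "src_ip": "203.0.113.7", "result": "denied"}
{"ts": "2022-09-15T01:04:12Z", "user": "contractor1", "src_ip": "203.0.113.7", "result": "timeout"}
{"ts": "2022-09-15T01:05:40Z", "user": "contractor1", "src_ip": "203.0.113.7", "result": "denied"}
{"ts": "2022-09-15T01:06:30Z", "user": "contractor1", "src_ip": "203.0.113.7", "result": "approved"}
{"ts": "2022-09-15T08:00:00Z", "user": "alice", "src_ip": "198.51.100.4", "result": "approved"}
{"ts": "2022-09-15T08:30:00Z", "user": "bob", "src_ip": "198.51.100.9", "result": "denied"}
{"ts": "2022-09-15T08:31:00Z", "user": "bob", "src_ip": "198.51.100.9", "result": "approved"}
"""

WINDOW = timedelta(minutes=10)  # look-back window for earlier prompts
THRESHOLD = 3                   # denied/expired prompts before an approval that trigger an alert


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per approval preceded by >= threshold denied/timeout
    prompts for the same user inside the window."""
    recent = defaultdict(list)  # user -> timestamps of recent non-approved prompts
    alerts = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        # Forget prompts that have fallen outside the look-back window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if ev["result"] in ("denied", "timeout"):
            recent[user].append(ts)
        elif ev["result"] == "approved":
            prior = len(recent[user])
            if prior >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "src_ip": ev["src_ip"],
                    "prior_prompts": prior,
                })
            recent[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

A single denied prompt followed by an approval (the "bob" lines) is normal user behaviour and is not flagged; the contractor's four unanswered prompts inside ten minutes followed by an approval is. In practice the alert would be enriched with whether the approving source IP or device has been seen for that account before, and the threshold tuned to the identity provider's prompt timeout.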
Upon gaining a foothold, the miscreant is said to have accessed other employee accounts, thereby equipping the malicious party with elevated permissions to "several internal systems" such as Google Workspace and Slack.
The company further said it took a number of steps as part of its incident response measures, including disabling impacted tools, rotating keys to the services, locking down the codebase, and also blocking compromised employee accounts from accessing Uber systems or alternatively issuing a password reset for those accounts.
Uber didn't disclose how many employee accounts were potentially compromised, but it reiterated that no unauthorized code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps.
That said, the alleged teen hacker is said to have downloaded some unspecified number of internal Slack messages and information from an in-house tool used by its finance team to manage certain invoices.
Uber also confirmed that the attacker accessed HackerOne bug reports, but noted that "any bug reports the attacker was able to access have been remediated."
"There is only one solution to making push-based [multi-factor authentication] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur," Roger Grimes, data-driven defense evangelist at KnowBe4, said in a statement.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said it's important for organizations to understand that MFA is not a "silver bullet" and that not all factors are created equal.
While there has been a shift from SMS-based authentication to an app-based approach to mitigate risks associated with SIM swapping attacks, the attacks against Uber and Cisco highlight that security controls once considered infallible are being bypassed by other means.
The fact that threat actors are banking on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorizing an access request signals the need to adopt phishing-resistant methods.
"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.
"The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage," Clements added, underscoring that strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."
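The number-matching recommendation above can be made concrete with a small model of the two approval flows. This is an added example written for this article, not Uber's code or any identity vendor's implementation. It assumes a server that issues a push challenge per login attempt: in plain push mode the authenticator only asks "approve?", so a worn-down user who taps approve completes whichever login started the prompt; in number-matching mode the login screen shows a two-digit number that the user must type into the authenticator, so an approval made without seeing that login screen does not succeed. Class and method names are assumptions of this example.

```python
"""Minimal model of push MFA with and without number matching.

Added example, not Uber's or any vendor's code. It shows why a user who
approves a prompt they did not initiate completes the login under plain
push approval but not under number matching.
"""
import secrets


class PushMfaServer:
    """Issues one push challenge per login attempt and checks the response."""

    def __init__(self, number_matching):
        self.number_matching = number_matching
        self.pending = {}  # challenge_id -> number shown on the login screen (None in plain mode)

    def start_login(self):
        """Called by the login flow that is requesting access.
        Returns (challenge_id, number_displayed_on_login_screen)."""
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100) if self.number_matching else None
        self.pending[cid] = number
        return cid, number

    def respond(self, cid, approved, entered=None):
        """Called by the authenticator app. Returns True only if the login is allowed."""
        if cid not in self.pending:
            return False
        expected = self.pending.pop(cid)
        if not approved:
            return False
        if self.number_matching:
            # The approval is only valid together with the number the login
            # screen showed; tapping approve alone is not enough.
            return entered is not None and entered == expected
        return True


def blind_approval_succeeds(number_matching):
    """Someone other than the account holder starts the login. The account
    holder, who never saw that login screen, taps approve on the prompt."""
    server = PushMfaServer(number_matching)
    cid, _number_on_requesters_screen = server.start_login()
    # The account holder has no way to know the number, so they enter nothing.
    return server.respond(cid, approved=True, entered=None)


def legitimate_login_succeeds(number_matching):
    """The account holder starts the login, sees the number on their own
    screen, and enters it in the authenticator."""
    server = PushMfaServer(number_matching)
    cid, number = server.start_login()
    return server.respond(cid, approved=True, entered=number)


def denied_prompt_fails(number_matching):
    """Declining the prompt never grants access, in either mode."""
    server = PushMfaServer(number_matching)
    cid, number = server.start_login()
    return server.respond(cid, approved=False, entered=number)


if __name__ == "__main__":
    for mode in (False, True):
        label = "number matching" if mode else "plain push"
        print(f"{label}: blind approval grants access -> {blind_approval_succeeds(mode)}")
        print(f"{label}: legitimate login works      -> {legitimate_login_succeeds(mode)}")
```

The model deliberately leaves out what a real deployment adds on top, such as prompt expiry, rate limiting of challenges per account, and showing the requesting location or application in the prompt; number matching still leaves a user who is handed the number through a live phishing page exposed, which is why the article points to phishing-resistant methods beyond push approval.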