Uber: Lapsus$ Targeted External Contractor With MFA Bombing Attack

Uber has attributed last week’s major breach to the notorious Lapsus$ hacking group and released further details on the attack. Researchers say the incident has highlighted the dangers that can come from placing too much trust in multifactor authentication (MFA), as well as the unmanaged risk around cloud-service adoption.

In an update on Monday, Uber laid out the attribution: “We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so.” Uber’s announcement pointed to other companies that had been targeted by the notorious gang via similar techniques, including Cisco, Microsoft, Nvidia, Okta, and Samsung.

Lapsus$ has attracted considerable attention in recent months for its brazen attacks on some of the world’s largest and best-known companies. One well-known tactic the group has been known to use is co-opting MFA-circumventing tools into its attack chain.

And indeed, Uber said on Monday that the attacker who breached its network last week had first obtained the VPN credentials of an external contractor, probably by buying them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the illegally obtained credentials, prompting a two-factor login approval request each time.

After the contractor initially blocked these requests, the attacker contacted the target on WhatsApp posing as tech support, telling the person to accept the MFA prompt — thus allowing the attacker to log in.

“The Uber breach appears to be the result of an MFA fatigue attack, also known as an MFA bombing attack,” says Duncan Greenwood, CEO of Xage. “It’s a technique in which hackers send multiple authentication approval requests to a secondary device like a mobile phone, in hopes that a user accidentally grants access, or grows so frustrated that they eventually approve a request.”

Remediation Process Begins

Once in, the attacker breached multiple internal systems, and Uber is currently in the process of doing an impact assessment, the company said: “The attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack.”

The company said the attacker does not appear to have made any changes to its codebase, nor does he appear to have access to any customer or user data stored by cloud providers. The attacker did appear to have downloaded some internal Slack messages and accessed or downloaded an internal tool that Uber’s finance team uses to manage invoices. Though the attacker also accessed a database of vulnerability disclosures in its platform submitted by external researchers through the HackerOne bug-bounty program, all of the bugs have been remediated, Uber said.

Breach Shows MFA’s Weaknesses

Greenwood describes MFA fatigue attacks as a very effective tactic for breaching target organizations. He says his company has observed attackers often sending frequent MFA requests in the middle of the night, or sending less frequent requests over several days.

“Either way, in traditional MFA architectures, all it takes is one accepted request for a hacker to access internal systems, from which they can further infiltrate the target organization,” he says.
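The two patterns Greenwood describes (a burst of prompts in the middle of the night, or a trickle of refusals that ends in one approval) are visible in an identity provider’s push log. The following detection sketch is an added example, not Uber’s or Xage’s code; the log format, field names and thresholds are assumptions, and the log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an MFA push log: time, user, source IP, prompt outcome.
SAMPLE_LOG = """\
2022-09-15T02:03:10Z contractor1 203.0.113.7 denied
2022-09-15T02:03:42Z contractor1 203.0.113.7 denied
2022-09-15T02:04:15Z contractor1 203.0.113.7 timeout
2022-09-15T02:05:30Z contractor1 203.0.113.7 denied
2022-09-15T02:07:02Z contractor1 203.0.113.7 approved
2022-09-15T09:12:00Z alice 198.51.100.4 approved
2022-09-15T17:40:21Z alice 198.51.100.4 approved
"""

def parse_log(text):
    """Group (timestamp, ip, outcome) tuples per user, sorted by time."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, outcome))
    for evs in by_user.values():
        evs.sort()
    return by_user

def detect_push_bombing(by_user, window=timedelta(minutes=10), burst_size=4):
    """Return {user: sorted reasons} for users matching MFA-fatigue patterns.

    burst: at least burst_size prompts inside one window
    denied_then_approved: a window with >= 2 refusals that ends in an approval
    night_approval: an approval between 00:00 and 06:00 (assumed off-hours)
    """
    findings = {}
    for user, evs in by_user.items():
        reasons = set()
        for i, (t0, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - t0 <= window]  # sliding window from event i
            if len(burst) >= burst_size:
                reasons.add("burst")
            refused = sum(1 for e in burst if e[2] in ("denied", "timeout"))
            if refused >= 2 and burst[-1][2] == "approved":
                reasons.add("denied_then_approved")
        for t, _, outcome in evs:
            if outcome == "approved" and t.hour < 6:
                reasons.add("night_approval")
        if reasons:
            findings[user] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for user, reasons in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(reasons)}")
```

On the sample log only contractor1 is flagged, on all three heuristics; the window and thresholds should be tuned against a baseline of legitimate prompt volume before alerting on them.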

Uber’s security practices are bound to come under scrutiny because of the breach. But the reality is that the company was the victim of practices that are common to many organizations, researchers note.

Patrick Tiquet, VP of security and architecture at Keeper Security, says the Uber attack highlights a fundamental misconception around MFA’s strength as a way to secure access.

“Though MFA adds a critical second layer of security to your accounts, the biggest misconception about MFA is that all forms are equally secure,” he says.

One example of how MFA can fail is SIM card porting, aka SIM-swapping, Tiquet notes. This is where attackers port a mobile number to a SIM card or device that they control to receive SMS messages or phone calls for the target number.

“Use of SMS text messages as MFA should be discouraged and never used as MFA for high-value assets,” Tiquet says. “The use of an authenticator app, security key, or biometrics are stronger and more effective methods to protect your accounts.”

Security researcher Bill Demirkapi explains that another very common misconception is that standard forms of MFA — such as push, touch, and mobile — protect against social engineering. The reality is that MFA remains vulnerable to man-in-the-middle (MitM) attacks, he says.

He notes that best practices include using phishing- and MitM-resistant forms of MFA rather than time-based one-time passwords (TOTP), not centralizing access keys, and rotating keys regularly. On the latter point, organizations also often don’t restrict access keys to the minimum privileges required for the key’s intended purpose.

“Uber may not have followed best practices, but many other companies don’t either,” he says. “The main point I would like to drive home is the importance of not only investing in security for your organization, but specifically investing in these best practices as well.”

It should be noted that the Uber breach is not the only high-profile hit in the past few days; the same Lapsus$ hacker who claimed responsibility for that incident (or at least someone using the same “Teapot” alias that the Uber hacker used) now appears to have also breached Take-Two Interactive’s Rockstar Games, posting videos of an early development copy of the Grand Theft Auto 6 video game. In a statement, the company acknowledged the breach and said it was “extremely disappointed” to have details of the game leaked ahead of its launch.

Cloud Service Adoption Increases Risk

MFA is not the only weak link for many companies. At a higher level, breaches like the one at Uber show the impact that rapid cloud-services adoption and distributed work models are having on enterprise security strategies, says Russell Spitler, co-founder and CEO of Nudge Security.

The move to a more distributed model has increased enterprise reliance on asynchronous communications tools such as Slack and WhatsApp in business-critical environments, he says. The rapid adoption of SaaS has created an unmanaged risk in the form of complex integrations between poorly managed services.

“The recent breach at Uber points to the fact that security orgs are outpaced by the sprawling complexity of modern, distributed IT environments and sprawling digital supply chains,” Spitler notes. “This complexity creates opportunities for even the most novice of threat actors to gain access using compromised credentials and [finding] their way to critical assets.”
