On Monday, Uber disclosed more details about the security incident it suffered last week, attributing the attack to a threat actor it believes is affiliated with the LAPSUS$ hacking group.
“This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA and Okta, among others,” the San Francisco-based company said in an update.
The financially motivated extortion gang took a major hit in March 2022, when City of London Police arrested seven suspected LAPSUS$ members aged between 16 and 21; two of them were charged weeks later.
The hacker behind the Uber breach, an 18-year-old who goes by the handle Tea Pot, also claimed responsibility for breaching video game maker Rockstar Games over the weekend.
Uber said it is working with “several leading digital forensics firms” as its investigation into the incident continues, and that it is coordinating with the US Federal Bureau of Investigation (FBI) and the Department of Justice on the matter.
As for how the attack happened, the ride-hailing company said an external contractor’s device had been infected with malware, and that the contractor’s corporate account credentials were stolen and then sold on the dark web, confirming an earlier report from Group-IB.
Group-IB, which is headquartered in Singapore, said last week that at least two Uber employees, located in Brazil and Indonesia, had been infected with the Raccoon and Vidar information stealers.
“The attacker then repeatedly tried to log in to the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”
Upon gaining a foothold, the attacker is said to have accessed other employees’ accounts, which granted the malicious party elevated permissions to “multiple internal systems” such as Google Workspace and Slack.
The company also said it had taken a number of steps as part of its incident response, including disabling affected tools, rotating keys for services, locking down its codebase, and blocking compromised employee accounts from accessing Uber’s systems or issuing a password reset for those accounts.
Uber did not disclose how many employee accounts were potentially compromised, but it did confirm that no unauthorized code changes were made and that there was no evidence the attacker had access to the production systems that power its customer-facing apps.
However, the alleged teenage hacker is said to have downloaded an unspecified number of internal Slack messages, as well as information from an internal tool used by Uber’s finance team to manage certain invoices.
Uber also confirmed that the attacker accessed its HackerOne bug reports, but noted that “any bug reports the attacker was able to access have been remediated.”
“There is only one solution to making push-based [multi-factor authentication] more resilient, and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur,” Roger Grimes, data-driven defense evangelist at KnowBe4, said in a statement.
It is critical for organizations to realize that MFA is not a “panacea” and that not all factors are created equal, said Chris Clements, Vice President of Solutions Engineering at Cerberus Sentinel.
While there has been a shift from SMS-based authentication to app-based approaches to mitigate the risk of SIM-swap attacks, the attacks on Uber and Cisco show that security controls once considered infallible are being bypassed by other means.
The fact that threat actors rely on attack paths such as adversary-in-the-middle (AitM) phishing toolkits and MFA fatigue (also known as prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorizing an access request points to a need to adopt phishing-resistant authentication methods.
“To prevent similar attacks, organizations should move to more secure versions of push-based approval such as number matching, which reduces the risk of a user blindly agreeing to an authentication verification prompt,” Clements said.
“The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you will suffer significant damage,” Clements added, stressing that strong authentication mechanisms “must be one of many defense-in-depth controls to prevent compromise.”
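The MFA-fatigue sequence Uber describes (repeated push prompts until the contractor accepted one) and the number-matching mitigation Clements recommends, as an added illustration rather than code from Uber, KnowBe4 or Cerberus Sentinel: a toy push-MFA server in Python that can run with or without number matching, an attacker who holds a stolen password and keeps triggering prompts until the victim taps approve, and a simple detector that flags any user who receives too many prompts in a short window. The server model, the user names, the constructed log lines and the threshold are all assumptions made for this example.

```python
import secrets
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple


class PushMfa:
    """Toy model of a push-based MFA server (constructed for illustration)."""

    def __init__(self, number_matching: bool) -> None:
        self.number_matching = number_matching
        self.pending: Dict[str, Tuple[str, Optional[int]]] = {}

    def start_login(self, user: str) -> Tuple[str, Optional[int]]:
        # Called once the password check has passed. With number matching the
        # server picks a two-digit number and shows it on the login screen,
        # i.e. to whoever holds the password, not inside the push notification.
        prompt_id = secrets.token_hex(8)
        expected = secrets.randbelow(100) if self.number_matching else None
        self.pending[prompt_id] = (user, expected)
        return prompt_id, expected

    def respond(self, prompt_id: str, approved: bool,
                entered: Optional[int] = None) -> bool:
        # The user's answer from the authenticator app.
        _user, expected = self.pending.pop(prompt_id)
        if not approved:
            return False
        if self.number_matching:
            # A bare tap is not enough: the approver has to type the number
            # that only the party who started the login can see.
            return entered is not None and entered == expected
        return True


def simulate_fatigue(number_matching: bool, gives_up_after: int = 6) -> bool:
    """Attacker with a stolen password spams prompts; the victim denies the
    first ones and finally taps approve to make them stop. Returns True if
    the attacker ends up logged in."""
    server = PushMfa(number_matching)
    for attempt in range(1, gives_up_after + 1):
        prompt_id, _number_on_attacker_screen = server.start_login("contractor")
        if attempt < gives_up_after:
            server.respond(prompt_id, approved=False)
            continue
        # The victim never started this login, so there is no number on their
        # screen to enter; a blind approval is all they can give.
        return server.respond(prompt_id, approved=True, entered=None)
    return False


# Constructed sample log: five prompts to "contractor" in a few minutes,
# a sixth finally approved; "alice" gets two ordinary prompts far apart.
SAMPLE_LOG = """\
2022-09-15T23:01:02Z mfa push user=contractor result=denied
2022-09-15T23:01:40Z mfa push user=contractor result=denied
2022-09-15T23:02:15Z mfa push user=contractor result=denied
2022-09-15T23:03:05Z mfa push user=contractor result=denied
2022-09-15T23:04:30Z mfa push user=alice result=approved
2022-09-15T23:05:10Z mfa push user=contractor result=denied
2022-09-15T23:08:44Z mfa push user=contractor result=approved
2022-09-15T23:40:00Z mfa push user=alice result=approved
"""


def detect_fatigue(log_text: str, threshold: int = 5,
                   window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Flag users who receive at least `threshold` push prompts within one
    sliding window. Every prompt counts, denied or approved: the run of
    denials is the signal, and the final approval is the compromise."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Set[str] = set()
    for line in log_text.splitlines():
        fields = line.split()
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        q = recent[kv["user"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(kv["user"])
    return flagged


if __name__ == "__main__":
    print("plain push, victim gives up:", simulate_fatigue(number_matching=False))
    print("number matching, victim gives up:", simulate_fatigue(number_matching=True))
    print("users under prompt bombing:", detect_fatigue(SAMPLE_LOG))
```

With plain push approval the attacker succeeds the moment the victim taps approve; with number matching the same tap fails because the number is only ever displayed on the attacker's login screen. The detector is deliberately crude (a count per user over a sliding window); in production the threshold would be tuned per tenant and the alert would include the source IP and geolocation of the password logins that triggered the prompts.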