Uber has attributed last week's major breach to the notorious Lapsus$ hacking group and released further details on the attack. Researchers say the incident highlights the risks that come from placing too much trust in multifactor authentication (MFA), as well as the unmanaged risk that accompanies cloud-service adoption.
In an update on Monday, Uber laid out the attribution: "We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so." Uber's announcement pointed to other companies that have been targeted by the gang via similar techniques, including Cisco, Microsoft, Nvidia, Okta, and Samsung.
Lapsus$ has attracted considerable attention in recent months for its brazen attacks on some of the world's largest and best-known companies. One well-known tactic the group uses is to co-opt MFA-circumventing tools into its attack chain.
And indeed, Uber said on Monday that the attacker who breached its network last week had first obtained the VPN credentials of an external contractor, likely by buying them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the stolen credentials, triggering a two-factor login approval request each time.
After the contractor initially blocked these requests, the attacker contacted the target on WhatsApp posing as tech support and told the person to accept the MFA prompt, which allowed the attacker to log in.
"The Uber breach appears to be the result of an MFA fatigue attack, also called an MFA bombing attack," says Duncan Greenwood, CEO of Xage. "It's a technique in which hackers send multiple authentication approval requests to a secondary device like a mobile phone, in hopes that a user accidentally grants access, or grows so frustrated that they eventually approve a request."
Remediation Process Begins
Once in, the attacker breached several internal systems, and Uber is currently carrying out an impact assessment, the company said: "The attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack."
The company said the attacker does not appear to have made any changes to its codebase, nor to have had access to any customer or user data stored by cloud providers. The attacker did appear to have downloaded some internal Slack messages and accessed or downloaded an internal tool that Uber's finance team uses to manage invoices. Though the attacker also accessed a database of vulnerability disclosures in its platform submitted by external researchers through the HackerOne bug-bounty program, all of those bugs had already been remediated, Uber said.
Breach Shows MFA's Weaknesses
Greenwood describes MFA fatigue attacks as a very effective tactic for breaching target organizations. He says his company has observed attackers either sending frequent MFA requests during the night or sending less frequent requests spread over a few days.
"Either way, in traditional MFA architectures, all it takes is just one approved request for a hacker to access internal systems, from which they can further infiltrate the target organization," he says.
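Both patterns Greenwood describes, a night-time burst that ends in an approval and a slow drip of a prompt or two a day, are visible in an identity provider's push-authentication log if someone looks. The following detection logic is an added example (mine, not code from the article or from Xage or any other vendor quoted in it). It assumes a constructed JSON-lines log format with `ts`, `user`, `result` and `src_ip` fields; real IdPs such as Okta, Duo or Azure AD use their own schemas, so map those fields onto these names before calling `detect_mfa_fatigue()`.

```python
"""MFA-fatigue (push-bombing) detection over push-authentication logs.

Added example; not code from the article or from any vendor quoted in it.
Assumptions (mine, not the article's): each log line is JSON with "ts"
(UTC ISO-8601), "user", "result" in {"approved","denied","timeout"} and
"src_ip". Real IdPs use their own schemas; map their fields onto these.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. contractor1: a 02:00 burst that ends in an approval
# (the fast pattern). carol: one rejected prompt a night for four nights (the
# slow-drip pattern). alice/bob: ordinary daytime traffic that must not alert.
SAMPLE_LOG = """\
{"ts":"2022-09-15T02:01:10Z","user":"contractor1","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:01:40Z","user":"contractor1","result":"timeout","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:02:15Z","user":"contractor1","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:02:50Z","user":"contractor1","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:03:30Z","user":"contractor1","result":"timeout","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:04:05Z","user":"contractor1","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:09:58Z","user":"contractor1","result":"approved","src_ip":"203.0.113.7"}
{"ts":"2022-09-12T23:40:00Z","user":"carol","result":"denied","src_ip":"203.0.113.9"}
{"ts":"2022-09-13T23:55:00Z","user":"carol","result":"timeout","src_ip":"203.0.113.9"}
{"ts":"2022-09-14T23:20:00Z","user":"carol","result":"denied","src_ip":"203.0.113.9"}
{"ts":"2022-09-15T23:45:00Z","user":"carol","result":"denied","src_ip":"203.0.113.9"}
{"ts":"2022-09-15T09:30:00Z","user":"alice","result":"approved","src_ip":"198.51.100.4"}
{"ts":"2022-09-15T09:30:20Z","user":"bob","result":"denied","src_ip":"198.51.100.9"}
{"ts":"2022-09-15T09:31:00Z","user":"bob","result":"approved","src_ip":"198.51.100.9"}
"""

REJECTED = {"denied", "timeout"}


def parse_log(text):
    """Parse JSON lines into dicts with an aware datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_fatigue(events, burst_window=timedelta(minutes=15),
                       burst_threshold=5, approve_after=3,
                       drip_window=timedelta(days=4), drip_threshold=4):
    """Return {user: set_of_findings} for users showing push-bombing patterns.

    prompt_burst               more than burst_threshold prompts in burst_window
    approved_after_rejections  an approval preceded by >= approve_after rejected
                               prompts inside burst_window (the Uber case)
    slow_drip                  >= drip_threshold rejected prompts spread over at
                               least a day within drip_window (the slow variant)
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = defaultdict(set)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            # Trailing windows ending at this event (evs is time-ordered).
            recent = [x for x in evs[:i + 1] if e["ts"] - x["ts"] <= burst_window]
            rejected_recent = sum(1 for x in recent if x["result"] in REJECTED)
            if len(recent) > burst_threshold:
                findings[user].add("prompt_burst")
            if e["result"] == "approved" and rejected_recent >= approve_after:
                findings[user].add("approved_after_rejections")
            drip = [x for x in evs[:i + 1]
                    if e["ts"] - x["ts"] <= drip_window and x["result"] in REJECTED]
            if (len(drip) >= drip_threshold
                    and drip[-1]["ts"] - drip[0]["ts"] >= timedelta(days=1)):
                findings[user].add("slow_drip")
    return dict(findings)


if __name__ == "__main__":
    for user, kinds in sorted(detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items()):
        print(f"{user}: {', '.join(sorted(kinds))}")
```

The thresholds are starting points to tune against your own baseline; the finding worth paging on is `approved_after_rejections`, because by the time it fires the attacker is already inside, whereas `prompt_burst` and `slow_drip` fire while the user is still saying no and give you time to lock the account and reach the user through a channel the attacker does not control.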
Uber's security practices are sure to come under scrutiny because of the breach. But the reality is that the company fell victim to practices that are common to many organizations, researchers note.
Patrick Tiquet, vice president of security and architecture at Keeper Security, says the Uber attack highlights a fundamental misconception about MFA's strength as a way to secure access.
"Although MFA adds a critical second layer of security to your accounts, the biggest misconception about MFA is that all forms are equally secure," he says.
One example of how MFA can fail is SIM card porting, aka SIM-swapping, Tiquet notes. This is where attackers port a mobile number to a SIM card or device that they control in order to receive the SMS messages or phone calls sent to the target number.
"Use of SMS text messages as MFA should be discouraged and never used as MFA for high-value assets," Tiquet says. "The use of an authenticator app, security key, or biometrics are stronger and more effective methods to protect your accounts."
Security researcher Bill Demirkapi explains that another very common misconception is that standard forms of MFA, such as push, touch, and mobile, protect against social engineering. The reality is that these forms of MFA remain vulnerable to man-in-the-middle (MitM) attacks, he says.
He notes that best practices include using phishing- and MitM-resistant forms of MFA rather than time-based one-time passwords (TOTP), not centralizing access keys, and rotating keys regularly. On the latter point, organizations also often fail to limit access keys to the minimum privileges required for the key's intended purpose.
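The difference between TOTP and a phishing-resistant factor comes down to one check: whether the proof the user produces is bound to the site they are actually talking to. The script below is an added example (mine, not code from the article or from any researcher quoted in it) that shows a MitM phishing proxy succeeding against TOTP and failing against an origin-bound authenticator. TOTP is implemented per RFC 6238 (HMAC-SHA1, 30-second step, 6 digits). The origin-bound authenticator is a deliberate simplification of WebAuthn/FIDO2, which is an assumption of the demo and not the real protocol: it signs the server challenge together with the origin the browser reports, like WebAuthn's clientDataJSON, but with an HMAC key shared at enrollment instead of an asymmetric key pair, so that it runs on the standard library alone. The origin names are made up.

```python
"""A MitM phishing relay defeats TOTP but not an origin-bound authenticator.

Added example; not code from the article or from any researcher quoted in it.
TOTP is RFC 6238. The "origin-bound" authenticator is a simplified stand-in
for WebAuthn/FIDO2 (assumption, not the real protocol): it signs the server
challenge together with the origin the browser reports, as WebAuthn's
clientDataJSON carries, but with an HMAC key shared at enrollment instead of
an asymmetric key pair. The property demonstrated, origin binding, is the same.
"""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"        # the legitimate site (made up)
PHISH_ORIGIN = "https://login-example.com.evil"   # attacker's look-alike proxy (made up)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code (HMAC-SHA1, dynamic truncation) for a Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpServer:
    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret

    def login(self, password: str, code: str, now: int) -> bool:
        # Nothing here ties the code to the site the user typed it into.
        return password == self.password and hmac.compare_digest(code, totp(self.secret, now))


def totp_relay_attack(now: int) -> bool:
    """Victim types password+TOTP into the phishing page; the proxy replays them."""
    secret = secrets.token_bytes(20)
    server = TotpServer("hunter2", secret)
    # What the phishing form captures: the victim's password and current code.
    captured = {"password": "hunter2", "code": totp(secret, now)}
    # Attacker forwards the captured values to the real site within the 30 s step.
    return server.login(captured["password"], captured["code"], now)


class OriginBoundAuthenticator:
    """Per-site credential; signs the challenge *and* the origin it was shown."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, challenge: bytes, origin_seen: str):
        client_data = origin_seen.encode() + b"|" + challenge
        return client_data, hmac.new(self.key, client_data, hashlib.sha256).digest()


class OriginBoundServer:
    def __init__(self, credential_key: bytes):
        self.key = credential_key          # shared at enrollment (simplification)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, client_data: bytes, sig: bytes) -> bool:
        origin, _, echoed = client_data.partition(b"|")
        if origin.decode() != REAL_ORIGIN:   # the check TOTP has no way to make
            return False
        if echoed != challenge:              # stale or substituted challenge
            return False
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def origin_bound_login(origin_shown_to_user: str) -> bool:
    """One login where the browser reports the origin the victim actually visited."""
    auth = OriginBoundAuthenticator()
    server = OriginBoundServer(auth.key)
    challenge = server.new_challenge()        # a proxy can forward this unchanged
    client_data, sig = auth.sign(challenge, origin_shown_to_user)
    return server.verify(challenge, client_data, sig)


if __name__ == "__main__":
    print("TOTP relayed through phishing proxy:", totp_relay_attack(1663200000))
    print("origin-bound, real site:", origin_bound_login(REAL_ORIGIN))
    print("origin-bound, relayed via phishing proxy:", origin_bound_login(PHISH_ORIGIN))
```

The relay wins against TOTP because the code is a function of secret and time only; the attacker needs nothing from the victim but the six digits, and has a 30-second window to use them. It loses against the origin-bound authenticator because the browser, not the user, supplies the origin that gets signed, and the proxy cannot change what the victim's browser saw in its address bar. A push prompt that shows "approve?" with no binding to the requesting session sits on the TOTP side of that line, which is the point Demirkapi is making.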
"Uber may not have followed best practices, but many other companies don't either," he says. "The main point I'd like to drive home is the importance of not only investing in security for your organization, but specifically investing in these best practices as well."
It should be noted that the Uber breach is not the only high-profile hit in the past few days; the same Lapsus$ hacker who claimed responsibility for that incident (or at least someone using the same "Teapot" alias that the Uber hacker used) now appears to have also breached Take-Two Interactive's Rockstar Games, posting videos of an early development build of the Grand Theft Auto 6 video game. In a statement, the company acknowledged the breach and said it was "extremely disappointed" to have details of the game leaked ahead of its release.
Cloud Service Adoption Increases Risk
MFA is not the only weak link for many companies. At a higher level, breaches like the one at Uber show the impact that rapid cloud-services adoption and distributed work models are having on enterprise security strategies, says Russell Spitler, co-founder and CEO of Nudge Security.
The move to a more distributed model has increased enterprise reliance on asynchronous communication tools such as Slack and WhatsApp in business-critical environments, he says. The rapid adoption of SaaS has created an unmanaged risk in the form of complex integrations between poorly managed services.
"The recent breach at Uber points to the fact that security orgs are outpaced by the sprawling complexity of modern, distributed IT environments and sprawling digital supply chains," Spitler notes. "This complexity creates opportunities for even the most novice of threat actors to gain access using compromised credentials and [find] their way to critical assets."