Uber provided additional information on the security incident that occurred last week on Monday. Uber attributed the attack to a threat actor it believes is connected to the infamous LAPSUS$ hacking group.

The San Francisco-based company stated in an update that “this organization often utilizes similar approaches to target technology companies. In 2022 alone, it has compromised Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others.”

The financially motivated extortionist gang was dealt a devastating blow in March 2022, when the City of London Police detained seven people between the ages of 16 and 21 for their claimed ties to the group. Two of those young people are accused of fraud.

A hack into Rockstar Games over the weekend has also been attributed to the 18-year-old hacker known as Tea Pot, who is also held responsible for the Uber attack.

In addition to consulting with the U.S. Federal Bureau of Investigation (FBI) and the Justice Department on the matter, Uber said it is working with “many prominent digital forensics firms” as the company’s investigation into the event moves forward.

The ride-sharing company confirmed an earlier finding from Group-IB when it said that an “EXT contractor” had their personal device infected with malware and their corporate account credentials stolen and then sold on the dark web.

The Scenario

Group-IB, the Singapore-based business, reported last week that at least two of Uber’s staff members working in Brazil and Indonesia had their devices infected with the Raccoon and Vidar information-stealing malware.

The attacker subsequently made numerous attempts to access the contractor’s Uber account, according to Uber. “Each time, the contractor got a request for two-factor login approval, which at first prevented access. But eventually, the contractor gave in, and the attacker was able to log in.”

After establishing a foothold, the attacker allegedly gained access to the accounts of other employees, giving them elevated access to “many internal services” such as Google Workspace and Slack.

Uber added that, as part of its incident response procedures, it disabled the affected tools, rotated the keys to the services, locked down the codebase, and blocked compromised employee accounts from logging into Uber systems or, in some cases, reset the passwords for those accounts.

The Issues

However, Uber emphasized that no unauthorized code changes had been made and that there was no evidence the hacker had accessed the production systems that underpin its customer-facing apps. Uber did not specify how many staff accounts may have been hijacked.

Despite this, the alleged juvenile hacker is claimed to have stolen an unknown quantity of internal Slack communications, as well as data from a private application used by the company’s finance division to track specific invoices.

Additionally, Uber acknowledged that the hacker had obtained HackerOne bug reports, but added that “any bug reports the attacker was able to access have been remediated”.

According to Roger Grimes, data-driven defense evangelist at KnowBe4, “there is only one solution to making push-based [multi-factor authentication] more resilient, and that is to train your employees who use push-based MFA about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur”.

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, emphasized the need for companies to realize that MFA is not a “magic solution” and that not all MFA methods are equivalent.

To reduce the risks associated with SIM-swapping attacks, SMS-based authentication has given way to app-based authentication. However, the breaches of Cisco and Uber show that security measures once thought to be impenetrable are now being circumvented by other means.

The use of adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (also known as prompt bombing) as attack routes, through which threat actors deceive unwary users into unintentionally handing over one-time passcodes (OTPs) or approving access requests, highlights the need for phishing-resistant strategies.
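MFA fatigue leaves a recognizable trace in identity-provider logs: a burst of push prompts for one account, several denials or timeouts, and then an approval. The following is an added detection example written for this article; it is not Uber's, Group-IB's, or any vendor's code. The log format, the sample lines, the usernames and the IP addresses are all constructed for illustration, and the thresholds (three or more prompts in ten minutes with at least one rejection before the approval) are assumptions a team would tune against its own IdP's schema and baseline.

```python
"""
Detection logic for MFA fatigue (prompt bombing) over sample push-MFA logs.
The pipe-separated format below is constructed for this example; real IdP
logs (Okta, Azure AD, Duo, ...) have their own schemas and the parser would
need adapting.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines: timestamp | user | event | source_ip
# contractor01 receives four prompts in a few minutes, rejects/ignores three,
# then approves; alice is a single normal login.
SAMPLE_LOG = """\
2022-09-15T02:01:10Z | contractor01 | push_sent     | 198.51.100.23
2022-09-15T02:01:40Z | contractor01 | push_denied   | 198.51.100.23
2022-09-15T02:02:05Z | contractor01 | push_sent     | 198.51.100.23
2022-09-15T02:02:35Z | contractor01 | push_denied   | 198.51.100.23
2022-09-15T02:03:00Z | contractor01 | push_sent     | 198.51.100.23
2022-09-15T02:03:30Z | contractor01 | push_timeout  | 198.51.100.23
2022-09-15T02:04:00Z | contractor01 | push_sent     | 198.51.100.23
2022-09-15T02:04:20Z | contractor01 | push_approved | 198.51.100.23
2022-09-15T09:10:00Z | alice        | push_sent     | 203.0.113.7
2022-09-15T09:10:12Z | alice        | push_approved | 203.0.113.7
"""

REJECTIONS = ("push_denied", "push_timeout")


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    src: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, src = (part.strip() for part in line.split("|"))
        # fromisoformat() does not accept a trailing 'Z' on older Pythons
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(stamp, user, kind, src))
    return events


def detect_prompt_bombing(events: List[Event],
                          window: timedelta = timedelta(minutes=10),
                          min_prompts: int = 3) -> List[Dict]:
    """Alert on an approval preceded, within `window`, by at least
    `min_prompts` push prompts and at least one denial or timeout.
    A single prompt followed by an approval is normal and is not flagged."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev.kind != "push_approved":
                continue
            recent = [x for x in evs[:i] if ev.ts - x.ts <= window]
            prompts = sum(1 for x in recent if x.kind == "push_sent")
            rejections = sum(1 for x in recent if x.kind in REJECTIONS)
            if prompts >= min_prompts and rejections >= 1:
                alerts.append({
                    "user": user,
                    "approved_at": ev.ts.isoformat(),
                    "prompts": prompts,
                    "rejections": rejections,
                    "src": ev.src,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(parse_log(SAMPLE_LOG)):
        print("MFA fatigue suspected:", alert)
```

The rule keys on the approval rather than on the prompt flood alone, so that a user who keeps denying prompts generates a lower-priority signal (worth investigating as credential compromise) while a denial-then-approval sequence is escalated; in production the same logic would also compare the approving source with the user's usual locations.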

Mitigation

To stop similar attacks, organizations should switch to more secure MFA approval methods, such as number matching, which reduces the possibility that a user will approve an authentication prompt without thinking, according to Clements.
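To make the difference concrete, here is an added example (not code from Uber, Cerberus Sentinel, or any authenticator vendor) that models the server side of a plain push approval beside a number-matching approval. With number matching, the login screen shows a number that the user must type into the authenticator app, so an attacker who triggers the prompt cannot be helped by a reflexive tap on "Approve". The class names, the two-digit number range, the three-attempt lockout and the 60-second lifetime are assumptions chosen for illustration; real products pick their own parameters.

```python
"""
Push approval versus number-matching approval, modelled server-side.
Constructed for this example; not any product's implementation.
"""
import secrets
import time
from typing import Optional


class PushChallenge:
    """Weak pattern: whatever the user is doing, a bare 'approve' from the
    registered device completes the login. This is what prompt bombing
    exploits."""

    def __init__(self, user: str):
        self.user = user
        self.completed = False

    def respond(self, approved: bool) -> bool:
        self.completed = approved
        return self.completed


class NumberMatchChallenge:
    """Stronger pattern: the login screen displays `display_number`; the
    authenticator app must send that same number back. A response carrying
    no number (a plain approval) never completes the challenge."""

    MAX_ATTEMPTS = 3      # assumed lockout threshold
    TTL_SECONDS = 60      # assumed challenge lifetime

    def __init__(self, user: str, now: Optional[float] = None):
        self.user = user
        self.display_number = secrets.randbelow(100)   # 00-99, shown to user
        self.created = now if now is not None else time.time()
        self.attempts = 0
        self.completed = False
        self.locked = False

    def respond(self, entered: Optional[int], now: Optional[float] = None) -> bool:
        """Verify the number typed into the app. Returns True only on an
        exact match before expiry and before the attempt limit is reached."""
        now = now if now is not None else time.time()
        if self.locked or self.completed:
            return False
        if now - self.created > self.TTL_SECONDS:
            self.locked = True          # expired challenges cannot be revived
            return False
        self.attempts += 1
        if entered is not None:
            expected = str(self.display_number).zfill(2)
            # constant-time comparison; irrelevant for two digits but the
            # habit matters when the same code handles longer secrets
            if secrets.compare_digest(str(entered).zfill(2), expected):
                self.completed = True
                return True
        if self.attempts >= self.MAX_ATTEMPTS:
            self.locked = True          # too many wrong entries: lock out
        return False


if __name__ == "__main__":
    push = PushChallenge("contractor01")
    print("push, bare approve:", push.respond(True))               # True

    nm = NumberMatchChallenge("contractor01")
    print("number match, bare approve:", nm.respond(None))         # False
    print("number match, correct number:", nm.respond(nm.display_number))
```

Note that even with number matching the user can still read the number off an attacker-controlled login screen if they were phished into it, which is why the article's broader point stands: number matching removes the reflexive-approval path, but phishing-resistant factors such as FIDO2/WebAuthn are still the stronger control.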

Strong authentication mechanisms “should be one of many in-depth defensive controls to prevent compromise,” Clements emphasized. He added that “the reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage”.
