Uber Now Says It Was Pwned By Lapsus$ And Details How They Got In

Uber posted a blog post yesterday (which you can read here) that provides far more detail about last week’s hack of the company, starting with how the threat actors got in:

An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.

From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.

This is an attack vector called MFA fatigue (also known as push bombing or prompt bombing). A threat actor who already holds a valid password triggers login attempt after login attempt, each of which fires a push notification to the victim’s phone. Users who are tired of the prompts, or who assume the prompts are a glitch, eventually approve one even though they did nothing to cause it, and that single approval is all the attacker needs. That’s a growing problem.
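One practical takeaway from the Uber write-up is that the attack leaves a visible trail in the identity provider’s logs: a burst of push prompts for one account, most of them denied or timed out, followed by an approval. The following is an added example (not Uber’s own tooling or code from this post) of detection logic that runs over that kind of log. The log format, user names, IP addresses and event names are all constructed for the example; real IdP logs (Okta, Duo, Azure AD) use their own field names, so the parser would need adjusting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not from Uber or any real IdP).
# Hypothetical format: ISO timestamp, user, push event, source IP.
SAMPLE_LOG = """\
2022-09-15T02:01:10Z contractor01 push_sent 198.51.100.23
2022-09-15T02:01:40Z contractor01 push_denied 198.51.100.23
2022-09-15T02:02:05Z contractor01 push_sent 198.51.100.23
2022-09-15T02:02:35Z contractor01 push_timeout 198.51.100.23
2022-09-15T02:03:01Z contractor01 push_sent 198.51.100.23
2022-09-15T02:03:20Z contractor01 push_denied 198.51.100.23
2022-09-15T02:04:02Z contractor01 push_sent 198.51.100.23
2022-09-15T02:04:15Z contractor01 push_approved 198.51.100.23
2022-09-15T09:00:00Z alice push_sent 203.0.113.8
2022-09-15T09:00:12Z alice push_approved 203.0.113.8
"""

PROMPT_EVENTS = {"push_sent"}                  # a prompt was pushed to the device
REJECT_EVENTS = {"push_denied", "push_timeout"}  # the user denied it or let it expire
APPROVE_EVENT = "push_approved"


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Flag every approval that was preceded by >= min_prompts push prompts
    for the same user inside `window`. A normal login is one prompt, one
    approval; a fatigue attack is many prompts, several rejections, then
    one approval, which is the pattern Uber describes."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)

    findings = []
    for user, evs in by_user.items():
        for ts, _, event, ip in evs:
            if event != APPROVE_EVENT:
                continue
            recent = [e for e in evs if ts - window <= e[0] <= ts]
            prompts = sum(1 for e in recent if e[2] in PROMPT_EVENTS)
            rejections = sum(1 for e in recent if e[2] in REJECT_EVENTS)
            if prompts >= min_prompts:
                findings.append({
                    "user": user,
                    "approved_at": ts,
                    "source_ip": ip,
                    "prompts_in_window": prompts,
                    "rejections_in_window": rejections,
                })
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {f['user']} approved a push at {f['approved_at']} from "
              f"{f['source_ip']} after {f['prompts_in_window']} prompts "
              f"({f['rejections_in_window']} rejected) in the window")
```

On the constructed log above this flags contractor01 (four prompts and three rejections before the approval) and leaves alice alone. The thresholds are assumptions to tune against your own baseline; the more important point, which the detection does not fix, is that the approval is still valid once it happens. Push approvals without number matching are exactly the control this attack defeats, so this kind of alert is a compensating control, not a substitute for number matching or phishing-resistant factors such as FIDO2 keys.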

Next up is who Uber holds responsible for this, and the threat actors are Lapsus$:

We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games. We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts.

Lapsus$ has clearly been busy. And given how high profile this hack was and how much media attention it has gotten, that will likely motivate more attacks, since attention is reportedly what drives this group.

Yana Blachman, Threat Intelligence Specialist at Venafi had this comment:

“With the Lapsus$ cybercrime group having been responsible for breaches at Nvidia, Microsoft and Samsung over the last year, these recent attacks on Uber and Rockstar show that it has an appetite for Big Tech companies and should be a warning to the entire industry. Despite the group being relatively young, its list of victims is starting to read like a “who’s who” of the tech industry.

“In the past – such as the Samsung breach – its attacks have been characterized by the use of stolen code-signed certificates. These are real crown jewels for hackers, as they allow malicious files to masquerade as legitimate. If organisations do not properly secure the process and the infrastructure for managing code signing certificates, the likelihood of abuse, as well as the impact of any compromise, are both extremely high.”

I am sure even more details will appear in the coming days from Uber. Thus you can expect updates to this story. And likely new stories on Lapsus$ attacking other companies as well.
