Tentative attribution in the Uber breach.
N2K logoSep 20, 2022

Lapsus$ may have been behind the Uber breach.

Tentative attribution in the Uber breach.

Lapsus$ dunnit.

In Monday's forenoon Uber published an update on the breach it discovered last week. They've developed an idea of who was responsible: Lapsus$.

"We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games. We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts."

The Lapsus$ group isn't particularly venerable, but it's gained a great deal of notoriety in its relatively short life. Bloomberg reported back in March that the leading intellects behind the Lapsus$ Gang may be a couple of teenagers, one in the UK, the other in Brazil. The BBC reported on the 24th of March that police in the UK had arrested seven teenagers in relation to Lapsus$. The City of London Police said, "Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing." Tender as their years may have been, their activities were damaging and disruptive. Lapsus$ was in it for the lulz and the lucre, for the cash and cachet. The gang may have endured more as a brand followed by simpatico influencers and influencees who swapped code and imitated one another than as a tightly organized crew.

Initial credentials seem to have been purchased in the C2C market.

Uber thinks the breach was accomplished roughly as follows, and it fills in one of the initial attack vectors, a password bought in a criminal-to-criminal souk:

"An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.

"From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites."

Uber continues to investigate the effects of the breach.

The company is still working to determine whether there was any material impact from the incident. Their updated report today offered a moderately optimistic interim conclusion:

"First and foremost, we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection.

"We reviewed our codebase and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud providers (e.g. AWS S3). It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads.

"The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated.

"Throughout, we were able to keep all of our public-facing Uber, Uber Eats, and Uber Freight services operational and running smoothly. Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal."

And, of course, the company is working with the FBI and the US Department of Justice.

Industry experts weigh in on what's known so far about the Uber breach.

We heard from Cerberus Sentinel and KnowBe4 on this latest development. Chris Clements, vice president of solutions architecture at Cerberus Sentinel wrote that Uber's experience is an object lesson in why multifactor authentication, while valuable sound practice, isn't a security panacea:

“The move by many organizations to require MFA has provided meaningful improvement in cybersecurity everywhere, but it’s important to realize both that MFA is not a silver bullet nor are all forms created equal. SMS based MFA was the first widely adopted approach as it had a low barrier to entry and was easy for users to understand but exposed the weakness of many carriers to SIM swapping attacks that allowed attackers to simply redirect the additional authentication codes to themselves thus defeating the secondary layer of security. Upon realizing this, the consensus was moving to app-based approaches with many organizations adopting simple “tap to authorize” notifications for user convenience. Unfortunately, not all users were trained on when to expect the notifications and inadvertently authorized illegitimate access verifications or were sent a barrage of notifications and accidentally approved one instead of dismissing the prompt as reportedly was the cause of Uber’s recent breach. To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt. Still, this is not a complete solution for preventing attackers from defeating MFA protections. Many cybercriminals now route their victims through transparent proxies capable of intercepting communications that would otherwise be encrypted and capture either the correct MFA code or simply copying the session key created by the successful authentication. Strong authentication controls are critical for mitigating attacks that give cybercriminals initial access to an organization but should be one of many in-depth defensive controls to prevent compromise. The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage.”

Roger Grimes, data-driven defense evangelist at KnowBe4 emphasized that resilience ultimately depends, at some level, on training. "There is only one solution to making push-based MFA more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur. If you're going to rely on push-based MFA...and really any easily phished MFA to protect your organization, you need to aggressively educate employees. Expecting them to handle every security situation appropriately without the appropriate education is wishing and hoping; and wishing and hoping do not stop malicious hackers."