Uber has attributed last week’s massive breach at Uber to the notorious Lapsus$ hacking group and released additional details on the attack. Researchers say the incident has highlighted the risks that can come from trusting too much in multifactor authentication (MFA), as well as unmanaged risk around cloud-service adoption.
In an update on Monday, Uber laid out the attribution: “We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so.” Uber’s announcement pointed to other companies that had been targeted by the notorious gang via similar techniques, including Cisco, Microsoft, Nvidia, Okta, and Samsung,
Lapsus$ has attracted considerable attention in recent months for its brazen attacks on some of the world’s largest and well-known companies. One well-known tactic that the group has been known to use is co-opt MFA-circumventing tools into its attack chain.
And indeed, Uber on Monday said the attacker who breached its network last week had first obtained the VPN credentials of an external contractor, likely by purchasing them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the illegally obtained credentials, prompting a two-factor login approval request each time.
After the contractor initially blocked those requests, the attacker contacted the target on WhatsApp posing as tech support, telling the person to accept the MFA prompt — thus allowing the attacker to log in.
“The Uber breach appears to be a result of an MFA fatigue attack, also referred to as an MFA bombing attack,” says Duncan Greatwood, CEO of Xage. “It’s a technique in which hackers send multiple authentication approval requests to a secondary device like a mobile phone, in hopes that a user unintentionally provides access, or grows so frustrated that they eventually approve a request.”
Remediation Process Begins
Once in, the attacker breached multiple internal systems, and Uber is currently in the process of doing an impact analysis, the company said: “The attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack.”
The company said the attacker does not appear to have made any changes to its codebase, nor does he appear to have access to any customer or user data stored by cloud providers. The attacker did appear to have downloaded some internal Slack messages and accessed or downloaded an internal tool that Uber’s finance team uses to manage invoices. Though the attacker also accessed a database of vulnerability disclosures in its platform submitted via external researchers through the HackerOne bug-bounty program, all the bugs have been remediated, Uber said.
Breach Shows MFA’s Weaknesses
Greatwood describes MFA fatigue attacks as being a very effective tactic for breaching target organizations. He says his company has observed attackers typically sending frequent MFA requests in the middle of the night or sending less frequent requests over a few days.
“Either way, in traditional MFA architectures, all it takes is just one approved request for a hacker to access internal systems, from which they can further infiltrate the target organization,” he says.
Uber’s security practices are sure to come under scrutiny because of the breach. But the reality is that the company was the victim of practices that are common to many organizations, researchers note.
Patrick Tiquet, vice president of security and architecture at Keeper Security, says the Uber attack highlights a fundamental misconception around MFA’s strength as a method to secure access.
“Although MFA adds a critical second layer of security to your accounts, the biggest misconception about MFA is that all forms are equally secure,” he says.
One example of how MFA can fail is SIM card porting, aka SIM-swapping, Tiquet notes. This is where attackers port a mobile number to a SIM card or device that they control to receive SMS messages or phone calls for the target number.
“Use of SMS text messages as MFA should be discouraged and never used as MFA for high-value assets,” Tiquet says. “The use of an authenticator app, security key, or biometrics are stronger and more effective methods to protect your accounts.”
Security researcher Bill Demirkapi explains that another very common misconception is that standard forms of MFA — such as push, touch, and mobile — protect against social engineering. The reality is that MFA remains vulnerable to man-in-the-middle (MitM) attacks, he says.
He notes that best practices include using phishing- and MiTM-resistant forms of MFA rather than time-based one-time passwords (TOTP), not centralizing access keys, and rotating keys regularly. On the latter point, organizations also often do not limit access keys to the minimum privileges required for the key’s intended purpose.
“Uber may not have followed best practices, but many other companies don’t either,” he says. “The main point I’d like to drive home is the importance of not only investing into security for your organization, but specifically investing into these best practices as well.”
It should be noted that the Uber breach is not the only high-profile hit in the last few days; the same Lapsus$ hacker who claimed responsibility in that incident (or at least someone using the same “Teapot” alias that the Uber hacker used) now appears to have also breached Take-Two Interactive’s Rockstar Games, posting videos of an early development copy of the Grand Theft Auto 6 video game. In a message, the company acknowledged the breach and said it was “extremely disappointed” to have details of the game leaked in advance of its release.
Cloud Service Adoption Increases Risk
MFA is not the only weak link for many companies. At a higher level, breaches like the one at Uber show the impact that rapid cloud services adoption and distributed work models are having on enterprise security strategies, says Russell Spitler, co-founder and CEO of Nudge Security.
The move to a more distributed model has increased enterprise reliance on asynchronous communications tools such as Slack and WhatsApp in business-critical environments, he says. The rapid adoption of SaaS has created an unmanaged risk in the form of complex integrations between poorly managed services.
“The recent breach at Uber points to the fact that security orgs are outpaced by the sprawling complexity of modern, distributed IT environments and sprawling digital supply chains,” Spitler notes. “This complexity creates opportunities for even the most novice of threat actors to gain access using compromised credentials and [finding] their way to critical assets.”