The 2022 Uber Breach: Social Engineering and the Lapsus$ Gang
A cyber-attack on ride-hailing company Uber made global media headlines in September 2022 when a threat actor infiltrated the company’s internal systems. Social engineering techniques featured prominently in the incident, which was purportedly carried out by a threat actor affiliated with the Lapsus$ extortion gang. This article gives an overview of Lapsus$ and analyzes the important cybersecurity details from the Uber breach.
Who Is Lapsus$?
Lapsus$ is a gang that first appeared on the radar of cyber security researchers in mid-2021. A spate of attacks has seen Lapsus$ threat actors hit several multi-billion-dollar companies, including Uber, Nvidia, T-Mobile, and Samsung. Speculation is also rife that a September 2022 compromise of video game company Rockstar was down to the activity of Lapsus$ members.
Operationally, the business model of Lapsus$ appears to differ somewhat from established and professional gangs, many of whom rely on ransomware. Lapsus$ is a data extortion gang that opportunistically steals data from organizations and then profits from the threat of disclosing this stolen information. Ransomware installation to encrypt systems or files does not feature in these attacks.
Profit and notoriety are the most evident motivations of Lapsus$ actors. Instead of operating a dark leak site, Lapsus$ operates via messaging app Telegram. The gang’s Telegram channel has almost 60,000 subscribers at the time of writing.
The gang deploys a diverse range of relatively primitive tactics and often impulsive actions in its attacks. Some common threads running through the majority of Lapsus$ attacks include:
- Attempting to get initial access to corporate systems via a legitimate user’s credentials. Methods to obtain credentials include purchasing them from dark web marketplaces, accessing freely available credentials from data dumps, or using spear phishing to dupe specific individuals into disclosing their passwords.
- When multifactor authentication is in place, Lapsus$ members have tried breaching this line of defense through brute force or further social engineering techniques.
- Privilege elevation comes from exploiting lax security practices, such as unpatched vulnerabilities or network shares containing privileged credentials.
It appears that the gang is not composed of hardened cybercriminals with decades of experience. British police arrested a group of seven teenagers in March 2022, all of whom were thought to be Lapsus$ members. A 16-year-old based in Oxford, who had apparently amassed a fortune of $14 million, was one of the gang’s leaders.
The initial focus of Lapsus$ on attacking Brazilian organizations led some security researchers to speculate that the gang was initially formed in Brazil. The Brazilian Ministry of Health and the country’s state-owned postal service were among the earliest Lapsus$ victims. The gang then moved on to target companies in the global technology sector, in pursuit of increased recognition and financial gain.
What Happened in the Uber Breach?
On September 15, 2022, the New York Times reported that Uber’s computer systems had been breached; several media publications followed suit in reporting the incident. News of the breach emerged when the threat actor apparently published messages on the company’s own internal Slack channel. An update posted four days later on Uber’s website provided more details about the attack.
According to the Uber Team, a contractor’s account was compromised, likely with the use of stolen credentials purchased on the dark web. A New York Times report citing direct communications with the threat actor contradicted this by claiming that smishing text messages had duped the contractor into revealing their VPN account password. The smishing scam apparently involved the hacker masquerading as Uber’s IT support team and getting the contractor to disclose their password.
The attack appears to have been instigated by a lone wolf actor. Uber’s update asserted that the hacker was involved with or was an affiliate of the Lapsus$ gang. In a further example of the immature actions of Lapsus$ actors, an internal website had its URL altered so that any employee visiting it would see an explicit image.
While the account in question was protected by two-factor authentication (via smartphone push notifications requiring login approval), repeated login attempts by the hacker eventually resulted in full account access. This access was granted when the contractor approved one of the many login requests.
With initial access obtained, the attacker managed to elevate privileges by accessing admin credentials. These credentials were found in PowerShell scripts shared locally on the company’s internal network shares. The eventual outcome was a compromise of Uber’s G-Suite, Slack, and other tools used to manage the company’s invoices. Uber denies any breach of its public-facing systems, user accounts, or sensitive user data.
Security Lessons from the Uber Breach
From a cybersecurity perspective, there is a lot to unpack from the Uber breach. The most startling lesson from this, and other similar Lapsus$ attacks, is how basic security mistakes often allow even less technically adept hackers to succeed in their aims.
Initial access to user credentials either came from buying them on the dark web or using smishing messages. In the former case, dark web footprint monitoring could’ve potentially identified the stolen credentials, although it’s not exactly a fundamental flaw not to have that kind of monitoring in place. If smishing messages succeeded, questions should be asked about the effectiveness of cybersecurity training and awareness at Uber (which should extend to contractors).
That said, the fact that two-factor authentication (2FA) was used should’ve been enough to prevent a breach. The problem was that a poor implementation of 2FA combined with human error resulted in 2FA not being an effective security measure in this case.
It appears the contractor’s account was protected by a push-notification implementation of 2FA in which any time a user logs in with their username-password combination, they get prompted to approve this login request on their registered smartphone device. With no limits on the rate of login requests put in place by the IT team, the hacker simply spammed the victim with dozens of login requests until one was approved.
Account approval was most likely granted out of frustration with the requests constantly popping up on the target’s smartphone. A simple rate limitation on logins plus a more secure implementation of 2FA could’ve prevented further escalation.
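The prompt-spamming pattern described above leaves a recognizable trace in MFA logs: a burst of unanswered or denied push prompts for one user, sometimes ending in an approval. The following detection sketch is an added example, not part of the original article and not Uber's tooling; the log format, the 10-minute window and the threshold of five prompts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_PUSHES = 5                  # assumed number of unapproved prompts that counts as a burst

# Constructed sample events (hypothetical format): timestamp, user, push result
SAMPLE_LOG = """\
2024-01-01T01:00:05 contractor01 timeout
2024-01-01T01:00:40 contractor01 denied
2024-01-01T01:01:10 employee02 denied
2024-01-01T01:01:15 contractor01 timeout
2024-01-01T01:01:30 employee02 approved
2024-01-01T01:01:50 contractor01 denied
2024-01-01T01:02:20 contractor01 timeout
2024-01-01T01:02:55 contractor01 denied
2024-01-01T01:03:30 contractor01 approved
"""

def parse(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result

def detect_push_fatigue(lines, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return (user, time, kind, count) alerts for bursts of MFA push prompts.

    'push_burst' fires when a user reaches max_pushes unapproved prompts inside
    the window; 'approved_after_burst' fires when an approval follows such a run.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts in window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, result = parse(line)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if result == "approved":
            if len(q) >= max_pushes:
                alerts.append((user, ts.isoformat(), "approved_after_burst", len(q)))
            q.clear()
        else:
            q.append(ts)
            if len(q) == max_pushes:      # alert once per burst, at the threshold
                alerts.append((user, ts.isoformat(), "push_burst", len(q)))
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same per-user counter can be used at the identity provider to stop sending prompts once the threshold is reached, which is the rate limit the paragraph above refers to.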
The basic security errors did not end at the point of access. An open or misconfigured network share paved the way for accessing a PowerShell script that contained hardcoded credentials. These credentials gave access to a privileged access management solution and admin control over several tools. It should have been company policy to avoid hardcoding credentials.
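A policy against hardcoded credentials is easier to enforce when scripts on shares and in repositories are scanned for them. The following scanner is an added example, not part of the original article; its two regular-expression rules are heuristic assumptions, and the sample script and its values are constructed placeholders.

```python
import re
from pathlib import Path

# Heuristic rules (assumptions for this example, not an exhaustive list)
RULES = {
    # $password = "literal"  or  $ApiKey = 'literal'
    "literal_assigned_to_secret_variable": re.compile(
        r"""\$\w*(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\w*\s*=\s*(['"])(?!\$)[^'"]+\1""",
        re.I),
    # ConvertTo-SecureString "literal" -AsPlainText -Force
    "plaintext_converted_to_securestring": re.compile(
        r"""ConvertTo-SecureString\s+(?:-String\s+)?(['"])(?!\$)[^'"]+\1[^\n]*-AsPlainText""",
        re.I),
}

# Constructed sample script; every value is a placeholder
SAMPLE_SCRIPT = '''\
# Connect to the admin console
$adminUser = "svc-admin"
$adminPassword = "EXAMPLE-ONLY-not-a-real-secret"
$sec = ConvertTo-SecureString "EXAMPLE-ONLY" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($adminUser, $sec)
$safe = Read-Host "Password" -AsSecureString
$fromEnv = ConvertTo-SecureString $env:SVC_SECRET -AsPlainText -Force
'''

def scan_text(text, source="<memory>"):
    """Return (source, line number, rule) for each suspicious line.

    The matched value is deliberately not returned, so scan reports do not
    become a second copy of the secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):   # skip full-line comments
            continue
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((source, lineno, rule))
    return findings

def scan_tree(root):
    """Scan every .ps1/.psm1 file under root (a local path or mounted share)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".ps1", ".psm1"}:
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SCRIPT, "sample.ps1"):
        print(finding)
```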
Mitigating Lapsus$ Attacks
The tactics deployed by Lapsus$ to attack companies aren’t exactly sophisticated, but they are bold and seem to work with surprising regularity. Here are some general mitigation tips:
- Seek to reduce the effectiveness of social engineering tactics with a solid cybersecurity training and awareness program that educates users about recognizing phishing, smishing, vishing, and other techniques.
- Leverage advanced email security solutions that work alongside your training and awareness programs to help detect and mitigate phishing emails and suspicious URLs that users fail to recognize.
- Strengthen your implementation of 2FA or multi-factor authentication by using biometrics or physical tokens and remove reliance on SMS messages or push notifications to authenticate.
- Actively move towards a zero-trust security architecture in which no default levels of trust are given to users based on their location or other properties. Zero trust ensures per-request authentication using contextual, risk-based factors for resource access.
- Increase network monitoring capabilities using SIEM and other tools to help detect anomalous activities and respond to in-progress threats.
- Consider switching to a zero-standing privileges model in which instead of being persistent and always-on, privileged access rights are provided on a just-in-time basis at the time of a specific request.
- Ensure credentials such as SSH keys and API tokens are regularly rotated and dissuade developers or other IT personnel from hardcoding credentials into scripts.
To learn more about IRONSCALES’ award-winning email security solution that can detect and mitigate many kinds of phishing attacks, please sign up for a demo today at ironscales.com/get-a-demo.
October 11, 2022