A cyber-attack on ride-hailing company Uber made global media headlines in September 2022 when a threat actor infiltrated the company’s internal systems. Social engineering techniques featured prominently in the incident, which was purportedly carried out by a threat actor affiliated with the Lapsus$ extortion gang. This article overviews Lapsus$ and analyzes the important cybersecurity details from the Uber breach.
Lapsus$ is a gang that first appeared on the radar of cyber security researchers in mid-2021. A spate of attacks has seen Lapsus$ threat actors hit several multi-billion-dollar companies, including Uber, Nvidia, T-Mobile, and Samsung. Speculation is also rife that the September 2022 compromise of video game company Rockstar was the work of Lapsus$ members.
Operationally, the business model of Lapsus$ appears to differ somewhat from established and professional gangs, many of whom rely on ransomware. Lapsus$ is a data extortion gang that opportunistically steals data from organizations and then profits from the threat of disclosing this stolen information. Ransomware installation to encrypt systems or files does not feature in these attacks.
Profit and notoriety are the most evident motivations of Lapsus$ actors. Instead of operating a dark leak site, Lapsus$ operates via messaging app Telegram. The gang’s Telegram channel has almost 60,000 subscribers at the time of writing.
The gang deploys a diverse range of relatively primitive tactics and often impulsive actions in its attacks. Some common threads running through the majority of Lapsus$ attacks include:
It appears that the gang is not composed of hardened cybercriminals with decades of experience. British police arrested a group of seven teenagers in March 2022, all of whom were thought to be Lapsus$ members. A 16-year-old based in Oxford, who had apparently amassed a fortune of $14 million, was one of the gang’s leaders.
The initial focus of Lapsus$ on attacking Brazilian organizations led some security researchers to speculate that the gang was initially formed in Brazil. The Brazilian Ministry of Health and the country’s state-owned postal service were among the earliest Lapsus$ victims. The gang then moved on to target companies in the global technology sector, in pursuit of increased recognition and financial gain.
What Happened in the Uber Breach?
On September 15, 2022, the New York Times reported that Uber’s computer systems had been breached; several media publications followed suit in reporting the incident. News of the breach emerged when the threat actor apparently published messages on the company’s own internal Slack channel. An update posted four days later on Uber’s website provided more details about the attack.
According to the Uber Team, a contractor’s account was compromised, likely with the use of stolen credentials purchased on the dark web. A New York Times report sourcing direct communications with the threat actor contradicted this by claiming that smishing text messages had duped the contractor into revealing their VPN account password. The smishing scam apparently involved the hacker masquerading as Uber’s IT support team and getting the contractor to disclose their password.
The attack appears to have been instigated by a lone-wolf actor. Uber’s update asserted that the hacker was involved with or was an affiliate of the Lapsus$ gang. In a further example of the immature actions of Lapsus$ actors, an internal website had its URL altered so that any employee visiting it would see an explicit image.
While the account in question was protected by two-factor authentication (via smartphone push notifications requiring login approval), repeated login attempts by the hacker eventually resulted in full account access. This access was granted when the contractor approved one of the many login requests.
With initial access obtained, the attacker managed to elevate privileges by accessing admin credentials. These credentials were found in PowerShell scripts shared locally on the company’s internal network shares. The eventual outcome was a compromise of Uber’s G-Suite, Slack, and other tools used to manage the company’s invoices. Uber denies any breach of its public-facing systems, user accounts, or sensitive user data.
From a cybersecurity perspective, there is a lot to unpack from the Uber breach. The most startling lesson from this, and other similar Lapsus$ attacks, is how basic security mistakes often allow even less technically adept hackers to succeed in their aims.
Initial access to user credentials either came from buying them on the dark web or using smishing messages. In the former case, dark web footprint monitoring could’ve potentially identified the stolen credentials, although it’s not exactly a fundamental flaw not to have that kind of monitoring in place. If smishing messages succeeded, questions should be asked about the effectiveness of cybersecurity training and awareness at Uber (which should extend to contractors).
That said, the fact that two-factor authentication (2FA) was used should’ve been enough to prevent a breach. The problem was that a poor implementation of 2FA combined with human error resulted in 2FA not being an effective security measure in this case.
It appears the contractor’s account was protected by a push-notification implementation of 2FA in which any time a user logs in with their username-password combination, they get prompted to approve this login request on their registered smartphone device. With no limits on the rate of login requests put in place by the IT team, the hacker simply spammed the victim with dozens of login requests until one was approved.
Account approval was most likely granted out of frustration with the requests constantly popping up on the target’s smartphone. A simple rate limitation on logins plus a more secure implementation of 2FA could’ve prevented further escalation.
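The push-prompt flooding described above is commonly called MFA fatigue or push bombing. The following simulation, added here as an illustration and not code from Uber or any identity-provider vendor, models the two controls the text calls for: a per-account cap on push prompts and number matching, where the login screen shows a number that the user must type on the phone. The class, parameter names, and thresholds (3 prompts per 5-minute window) are assumptions chosen for the example.

```python
"""Simulated push-notification 2FA with the two controls the passage calls for:
a per-account cap on push prompts and number matching, so that a blindly tapped
"Approve" cannot complete a login the user did not initiate. Added example, not
Uber's or any IdP vendor's code; class and parameter names are hypothetical."""
import secrets
import time
from collections import defaultdict, deque

MAX_PUSHES_PER_WINDOW = 3   # assumption: at most 3 prompts per account per window
WINDOW_SECONDS = 300        # assumption: five-minute sliding window


class PushAuthService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._recent = defaultdict(deque)  # user -> timestamps of issued prompts
        self._pending = {}                 # challenge id -> (user, expected number)

    def request_push(self, user):
        """Called after a correct password. Returns (challenge_id, number) where
        `number` is displayed on the login screen, or None when the account has
        exhausted its prompt budget (lock the account and alert, do not keep
        prompting the user)."""
        now = self._clock()
        issued = self._recent[user]
        while issued and now - issued[0] > WINDOW_SECONDS:
            issued.popleft()
        if len(issued) >= MAX_PUSHES_PER_WINDOW:
            return None
        issued.append(now)
        number = secrets.randbelow(100)   # two-digit code, as in number-matching MFA
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = (user, number)
        return challenge_id, number

    def approve(self, challenge_id, entered_number):
        """Phone-side approval. Succeeds only when the user types the number the
        login screen showed; whoever typed the password saw that screen, so a
        victim tapping Approve on a prompt they did not trigger cannot supply it."""
        entry = self._pending.pop(challenge_id, None)  # one-shot challenge
        if entry is None:
            return False
        _user, expected = entry
        return entered_number == expected


def legitimate_login(service, user):
    """Happy path: the real user reads the number off their own screen."""
    result = service.request_push(user)
    if result is None:
        return False
    challenge_id, number = result
    return service.approve(challenge_id, number)


def simulate_push_bombing(attempts=30, retry_interval=5.0):
    """Attacker replays a stolen password `attempts` times, one prompt every
    `retry_interval` seconds; the victim taps Approve on every prompt without
    knowing the number (the fatigue scenario). Returns how far that gets."""
    fake_now = [0.0]
    service = PushAuthService(clock=lambda: fake_now[0])
    counts = {"prompts_issued": 0, "prompts_blocked": 0, "logins": 0}
    for _ in range(attempts):
        fake_now[0] += retry_interval
        result = service.request_push("contractor")
        if result is None:
            counts["prompts_blocked"] += 1
            continue
        counts["prompts_issued"] += 1
        challenge_id, _number = result
        if service.approve(challenge_id, entered_number=None):  # blind tap
            counts["logins"] += 1
    return counts


if __name__ == "__main__":
    print(simulate_push_bombing())
    # -> {'prompts_issued': 3, 'prompts_blocked': 27, 'logins': 0}
```

Two things are worth noting in the design. The cap is enforced on prompts issued, not on password attempts, because the prompt itself is what wears the user down; once the budget is exhausted the right response is to lock the account and raise an alert, since a flood of prompts for one account is itself a strong signal that its password is already known to someone else. Number matching then closes the remaining gap: even the prompts that do get through cannot be completed by a reflexive tap.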
The basic security errors did not end at the point of access. An open or misconfigured network share paved the way for accessing a PowerShell script that contained hardcoded credentials. These credentials gave access to a privileged access management solution and admin control over several tools. It should have been company policy to avoid hardcoding credentials.
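A policy against hardcoded credentials is only useful if it is checked. The scanner below is an added example, not Uber's or any vendor's tooling, that flags the common PowerShell patterns for embedding a secret in a script and shows the same script rewritten to fetch the secret at run time. The sample scripts, the `pam.example.internal` host, the `svc_admin` account and the vault name are constructed for illustration; `Get-Secret` is the cmdlet from Microsoft's SecretManagement module.

```python
"""Scanner for hardcoded credentials in PowerShell scripts, the defect the
article describes on Uber's network share. Added example, not Uber's or any
vendor's code; patterns and sample scripts are constructed for illustration."""
import re
from pathlib import Path

# Each pattern is named for the construct it catches. They are deliberately
# broad: a scanner that runs over a file share should prefer a few false
# positives over a missed admin password.
PATTERNS = {
    "plaintext_variable": re.compile(
        r"\$(?:pass(?:word|wd)?|pwd|secret|apikey|token)\s*=\s*[\"'][^\"']{4,}[\"']", re.I),
    "securestring_from_literal": re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?[\"'][^\"']+[\"']\s+-AsPlainText", re.I),
    "password_argument": re.compile(
        r"-(?:Password|Secret|ApiKey|Token)\s+[\"'][^\"']{4,}[\"']", re.I),
    "embedded_url_credentials": re.compile(
        r"[a-z][a-z0-9+.-]*://[^\s/:@\"']+:[^\s/@\"']+@", re.I),
}

# Constructed example of the anti-pattern: the secret lives in the shared script.
VULNERABLE_SCRIPT = r'''
# Connects to the PAM portal as the service account
$pam = "https://pam.example.internal"
$Password = "SuperSecret123!"
$sec = ConvertTo-SecureString "SuperSecret123!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("svc_admin", $sec)
Invoke-RestMethod -Uri "$pam/api/session" -Credential $cred
'''

# Constructed hardened form: the secret is pulled from a registered vault at
# run time (SecretManagement's Get-Secret returns a SecureString for string
# secrets), so the file on the share contains nothing worth stealing.
HARDENED_SCRIPT = r'''
# Connects to the PAM portal as the service account
$pam = "https://pam.example.internal"
$sec = Get-Secret -Name svc_admin -Vault CorpVault
$cred = New-Object System.Management.Automation.PSCredential("svc_admin", $sec)
Invoke-RestMethod -Uri "$pam/api/session" -Credential $cred
'''


def find_hardcoded_credentials(script_text):
    """Return [(line_number, pattern_name), ...] for every suspicious line.
    Comment lines are skipped so documentation does not trigger alerts."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


def scan_share(root):
    """Walk a mounted share and report findings per .ps1 file; files that
    cannot be read are skipped so one permissions error does not stop the run."""
    report = {}
    for path in Path(root).rglob("*.ps1"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = find_hardcoded_credentials(text)
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    print(find_hardcoded_credentials(VULNERABLE_SCRIPT))
    # -> [(4, 'plaintext_variable'), (5, 'securestring_from_literal')]
    print(find_hardcoded_credentials(HARDENED_SCRIPT))
    # -> []
```

Run `scan_share("/mnt/it-scripts")` (a hypothetical mount point) from a scheduled job and route the report to the team that owns the share; a finding should trigger rotation of the exposed credential, not just deletion of the line, because the script may already have been copied. The `ConvertTo-SecureString ... -AsPlainText` pattern only fires on a quoted literal, so the same cmdlet applied to an environment variable or vault lookup passes cleanly.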
The tactics deployed by Lapsus$ to attack companies aren’t exactly sophisticated, but they are bold and seem to work with surprising regularity. Here are some general mitigation tips:
To learn more about IRONSCALES’ award-winning email security solution that can detect and mitigate many kinds of phishing attacks, please sign up for a demo today at ironscales.com/get-a-demo.