Uber has pointed the finger at the notorious Lapsus$ hacking group for last week’s massive breach and released additional details on the attack.
The incident has highlighted the risks of placing too much trust in MFA, as well as the unmanaged risk that comes with cloud-service adoption.
Uber says the attacker first obtained the VPN credentials of an external contractor, likely by purchasing them on the Dark Web. The attacker then repeatedly tried to log in to the contractor’s Uber account using the illegally obtained credentials, prompting a two-factor login approval request each time.
Though the contractor initially blocked those requests, the attacker contacted the target on WhatsApp posing as tech support and told the person to accept the MFA prompt, which allowed the attacker to log in.
The Uber breach appears to be a result of an MFA fatigue attack, also referred to as an MFA bombing attack.
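The pattern described above, as an added detection example that is not part of the original article: it parses constructed MFA push-notification log lines (the line format, user names and thresholds are assumptions) and flags any account that denies several prompts within a short window, noting whether an approval followed, which is the moment a worn-down user gives in.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, push result (not real Uber data).
SAMPLE_LOG = """\
2022-09-15T02:10:05Z contractor42 push_denied
2022-09-15T02:10:41Z contractor42 push_denied
2022-09-15T02:11:20Z contractor42 push_denied
2022-09-15T02:12:03Z contractor42 push_denied
2022-09-15T02:13:30Z contractor42 push_denied
2022-09-15T02:31:12Z contractor42 push_approved
2022-09-15T02:15:00Z alice push_approved
2022-09-15T03:00:00Z bob push_denied
2022-09-15T03:05:00Z bob push_approved
"""

def parse_log(text):
    """Turn log lines into (timestamp, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def find_mfa_fatigue(events, max_denials=3, window=timedelta(minutes=10),
                     approval_grace=timedelta(minutes=30)):
    """Flag users with >= max_denials denied pushes inside `window`.
    approved_after is True when an approval lands within approval_grace of
    the last denial in that burst: the likely moment the user gave in."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        denials = [ts for ts, r in evs if r == "push_denied"]
        for i in range(len(denials)):           # sliding window over denials
            j = i
            while j + 1 < len(denials) and denials[j + 1] - denials[i] <= window:
                j += 1
            if j - i + 1 >= max_denials:
                last = denials[j]
                approved_after = any(r == "push_approved" and last < ts <= last + approval_grace
                                     for ts, r in evs)
                alerts[user] = {"denials": j - i + 1, "approved_after": approved_after}
                break
    return alerts

if __name__ == "__main__":
    print(find_mfa_fatigue(parse_log(SAMPLE_LOG)))
```

A burst with approved_after set is the case worth paging on immediately; a burst without it is still a sign the credentials are already in someone else's hands.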
Once in, the attacker breached multiple internal systems and accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack.
The company said the attacker does not appear to have made any changes to its codebase, nor does the attacker appear to have accessed any customer or user data stored by cloud providers.
The attacker did appear to have downloaded some internal Slack messages and accessed or downloaded an internal tool that Uber’s finance team uses to manage invoices.
Though the attacker also accessed a database of vulnerability disclosures in Uber’s platform submitted by external researchers through the HackerOne bug-bounty program, all the bugs have been remediated, Uber said.
MFA is not the only weak link. Rapid cloud-service adoption and distributed work models are reshaping enterprise security strategies, and the rapid adoption of SaaS has created an unmanaged risk in the form of complex integrations between poorly managed services.